Malaysia Personal Data Protection Act (PDPA) Your Guide Part Two

In Part One of Malaysia Personal Data Protection Act (PDPA) Your Guide, we discussed the structure of the PDPA. Here in Part Two we explain the operational mechanics of the PDPA.

 

Collection and Processing

 

Under the PDPA, subject to certain exceptions, data users are generally required to obtain a data subject’s consent for the processing (which includes collection and disclosure) of his or her personal data. Where consent is required from a data subject under the age of eighteen, the data user must obtain consent from the parent, guardian or person who has parental responsibility for the data subject. The consent obtained from a data subject must be in a form that such consent can be recorded and maintained properly by the data user.

Malaysian law contains additional data protection obligations, including, for example, a requirement to notify data subjects regarding the purpose for which their personal data are collected and a requirement to maintain a list of any personal data disclosures to third parties.

On December 23, 2015, the Commissioner published the Personal Data Protection Standard 2015 (“Standards”), which set out the Commission’s minimum requirements for processing personal data. The Standards include the following:

  • Security Standard For Personal Data Processed Electronically
  • Security Standard For Personal Data Processed Non-Electronically
  • Retention Standard For Personal Data Processed Electronically And Non-Electronically
  • Data Integrity Standard For Personal Data Processed Electronically And Non-Electronically

 

International Transfers

 

Under the PDPA, a data user may not transfer personal data to jurisdictions outside of Malaysia unless that jurisdiction has been specified by the Minister. However, there are exceptions to this restriction, including the following:

  • The data subject has given his or her consent to the transfer.
  • The transfer is necessary for the performance of a contract between the data subject and the data user.
  • The data user has taken all reasonable steps and exercised all due diligence to ensure that the personal data will not be processed in a manner that would contravene the PDPA.
  • The transfer is necessary to protect the data subject’s vital interests.

In 2017, the Commissioner published a draft Personal Data Protection (Transfer of Personal Data to Places Outside Malaysia) Order 2017 to obtain public feedback on the proposed jurisdictions to which personal data from Malaysia may be transferred. As of December 26, 2018, the Minister has yet to approve the safe harbour jurisdictions. Once approved, a data user may transfer personal data to these safe harbour jurisdictions without having to rely on the data subject’s consent or the other prescribed exceptions under the PDPA.

 

Data Security

 

Under the PDPA, data users have an obligation to take ‘practical’ steps to protect personal data, and in doing so, must develop and implement a security policy. The Commissioner may also, from time to time, set out security standards with which the data user must comply, and the data user is required to ensure that its data processors comply with these security standards.

In addition, the Standards provide separate security standards for personal data processed electronically and for personal data processed non-electronically (among others) and require data users to have regard to the Standards in taking practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction.

 

Data Breach Notification

 

There is no requirement under the PDPA for data users to notify authorities regarding data breaches in Malaysia. However, news reports dated October 5, 2018 suggest that Malaysia’s laws could be updated, as early as the middle of 2019, to include data breach notification requirements modelled after those under the European Union’s General Data Protection Regulation (GDPR), including a requirement to provide notice to government authorities.

 

Enforcement

 

Under the PDPA, the Commissioner is empowered to implement and enforce the personal data protection laws and to monitor and supervise compliance with the provisions of the PDPA. Under the Personal Data Protection Regulations 2013, the Commissioner has the power to inspect the systems used in personal data processing and the data user is required, at all reasonable times, to make the systems available for inspection by the Commissioner or any inspection officer. The Commissioner or the inspection officers may require the production of the following during inspection:

  • The record of the consent from a data subject maintained in respect of the processing of that data subject’s personal data by the data user
  • The record of required written notices issued by the data user to the data subject
  • The list of personal data disclosures to third parties
  • The security policy developed and implemented by the data user
  • The record of compliance with data retention requirements
  • The record of compliance with data integrity requirements, and
  • Such other related information which the Commissioner or any inspection officer deems necessary

Violations of the PDPA and certain provisions of the Personal Data Protection Regulations 2013 are punishable with criminal liability. The prescribed penalties include fines, imprisonment or both. Directors, CEOs, managers or other similar officers will have joint and several liability for non-compliance by the body corporate, subject to a due diligence defence.

However, there is no express right under the PDPA allowing aggrieved data subjects to pursue a civil claim against data users for breaches of the PDPA.

 

Electronic marketing

 

The PDPA applies to electronic marketing activities that involve the processing of personal data for the purposes of commercial transactions. There are no specific provisions in the PDPA that deal with electronic marketing. However, the PDPA provides that a data subject may, at any time by notice in writing to a data user, require the data user at the end of such period as is reasonable in the circumstances to cease or not to begin processing his or her personal data for direct marketing purposes. ‘Direct marketing’ means the communication by whatever means of any advertising or marketing material that is directed to individuals.

 

Online Privacy 

There are no provisions in the PDPA that specifically address the issue of online privacy (including cookies and location data). However, any electronic processing of personal data in Malaysia will be subject to the PDPA and the Commissioner may issue further guidance on this issue in the future.

Malaysia Personal Data Protection Act (PDPA) Your Guide Part One

 

The Law

 

Malaysia’s first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament on June 2, 2010 and came into force on November 15, 2013.

 

Definitions

 

Definition of personal data

 

‘Personal data’ means any information in respect of commercial transactions that is:

  • Being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose
  • Recorded with the intention that it should wholly or partly be processed by means of such equipment, or
  • Recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, and, in each case

…that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user.

Personal data includes any sensitive personal data or expression of opinion about the data subject. Personal data does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.

 

Definition of sensitive personal data

 

‘Sensitive personal data’ means any personal data consisting of information as to the physical or mental health or condition of a data subject, his or her political opinions, his or her religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him or her of any offence or any other personal data as the Minister of Communications and Multimedia (Minister) may determine by published order. Other than the categories of sensitive personal data listed above, the Minister has not published any other types of personal data to be sensitive personal data as of December 26, 2018.

 

Authority

 

Pursuant to the PDPA, a Personal Data Protection Commissioner (Commissioner) has been appointed to implement the PDPA’s provisions. The Commissioner will be advised by a Personal Data Protection Advisory Committee who will be appointed by the Minister, and will consist of one Chairman, three members from the public sector, and at least seven, but no more than eleven other members. The appointment of the Personal Data Protection Advisory Committee will not exceed a term of three years; however, members can be appointed for two successive terms.

The Commissioner’s decisions can be appealed through the Personal Data Protection Appeal Tribunal. The following are examples of such appeals:

  • Decisions relating to the registration of data users under Part II Division 2 of the PDPA
  • The refusal of the Commissioner to register a code of practice under Section 23(5) of the PDPA
  • The service of an enforcement notice under Section 108 of the PDPA
  • The refusal of the Commissioner to vary or cancel an enforcement notice under Section 109 of the PDPA, or
  • The refusal of the Commissioner to conduct or continue an investigation that is based on a complaint under Part VIII of the PDPA.

If a data user is not satisfied with a decision of the Personal Data Protection Advisory Committee, the data user may proceed to file a judicial review of the decision in the Malaysian High Courts.

 

Which Organisations are Required to Register

 

Currently, the PDPA requires the following classes of data users to register under the PDPA:

 

  1. Communications
    • A licensee under the Communications and Multimedia Act 1998
    • A licensee under the Postal Services Act 2012
  2. Banking and financial institution
    • A licensed bank and licensed investment bank under the Financial Services Act 2013
    • A licensed Islamic bank and licensed international Islamic bank under the Islamic Financial Services Act 2013
    • A development financial institution under the Development Financial Institution Act 2002
  3. Insurance
    • A licensed insurer under the Financial Services Act 2013
    • A licensed takaful operator under the Islamic Financial Services Act 2013
    • A licensed international takaful operator under the Islamic Financial Services Act 2013
  4. Health
    • A licensee under the Private Healthcare Facilities and Services Act 1998
    • A holder of the certificate of registration of a private medical clinic or a private dental clinic under the Private Healthcare Facilities and Services Act 1998
    • A body corporate registered under the Registration of Pharmacists Act 1951
  5. Tourism and hospitality
    • A licensed person who carries on or operates a tourism training institution, licensed tour operator, licensed travel agent or licensed tourist guide under the Tourism Industry Act 1992
    • A person who carries on or operates a registered tourist accommodation premises under the Tourism Industry Act 1992
  6. Transportation
    • Certain named transportation services providers
  7. Education
    • A private higher educational institution registered under the Private Higher Educational Institutions Act 1996
    • A private school or private educational institution registered under the Education Act 1996
  8. Direct selling
    • A licensee under the Direct Sales and Anti-Pyramid Scheme Act 1993
  9. Services
    • A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961 carrying on business as follows:
      • legal
      • audit
      • accountancy
      • engineering
      • architecture
    • A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who conducts retail dealing and wholesale dealing as defined under the Control Supplies Act 1961
    • A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who carries on the business of a private employment agency under the Private Employment Agencies Act 1981
  10. Real estate
    • A licensed housing developer under the Housing Development (Control and Licensing) Act 1966
    • A licensed housing developer under the Housing Development (Control and Licensing) Enactment 1978, Sabah
    • A licensed housing developer under the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak
  11. Utilities
    • Certain named utilities services providers
  12. Pawnbroker
    • A licensee under the Pawnbrokers Act 1972
  13. Moneylender
    • A licensee under the Moneylenders Act 1951

Certificates of registration are valid for at least one year, after which data users must renew their registration and may not continue to process personal data without doing so.

Data users are also required to display their certificate of registration at a conspicuous place at their principal place of business, and a copy of the certificate at each branch, where applicable.

The Commissioner may designate a body as a data user forum for a class of data users. Data user forums can prepare codes of practice to govern compliance with the PDPA, which can be registered with the Commissioner. Once registered, all data users must comply with the provisions of the code, and non-compliance violates the PDPA. As of December 26, 2018, the Commissioner has published several codes of practice, including for the banking and financial sector, the aviation sector, the utilities sector and the insurance and takaful industry in Malaysia.

 

Do I Need to Appoint a Data Protection Officer?

 

Currently, Malaysian law does not require that data users appoint a data protection officer.

 

Tune in for Part Two to follow 

Data Privacy in Asia Philippines DPA

 

While the GDPR may be the most extensive and revolutionary privacy law the world has seen thus far, the EU is not the only one implementing stricter data privacy requirements. More and more countries around the globe are also enacting regulations to protect the personal information of their citizens. Today, we want to look specifically at the Philippines and its Data Privacy Act of 2012 (DPA).

 

The purpose of the Act is “to protect the fundamental human right to privacy of communication while ensuring the free flow of information to promote innovation and growth.” In conjunction with the passing of this Act, the Philippine government also established the National Privacy Commission (NPC) to monitor and enforce the law. In September of 2016, the NPC released the final rules and regulations for DPA implementation, mandating companies to register as a personal data processing system by September 9, 2017.

 

Who does the DPA apply to?

 

The DPA applies to both individuals and legal entities (or both data controllers and data processors, as defined by the GDPR). Like the GDPR, organisations outside of the Philippines who process the personal data of Philippine citizens or residents must also comply with the DPA. The DPA covers businesses within the Republic of the Philippines and organisations with offices in the Philippines. But unlike the GDPR, it also includes those who use equipment located in the Philippines.

 

What does the DPA consider to be personal information?

 

This Act protects individuals from the unauthorised processing of their personal information (i.e., data that is not publicly available and personally identifiable information (PII)). The DPA defines sensitive personal information as any data concerning:

  • An individual’s race, ethnic origin, marital status, age, colour, and religious, philosophical or political affiliations;
  • An individual’s health, education, genetic or sexual life, or any proceeding for any offence committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  • Information issued by government agencies particular to an individual, which includes social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  • Information specifically established by an executive order or an act of Congress to be kept classified.

 

What are the lawful bases for processing under the DPA?

 

The Act requires organisations to have a specific and legitimate purpose for the processing of every category of data, just like the GDPR. Consent is another vital part of the legal collection of data, and customers must be fully aware of how and why their data will be used when asked for consent. However, consent is not always required for processing; the exceptions include the enforcement of a contract, the protection of vital interests, and the response to a national emergency.

 

What individual rights are given to Philippines’ citizens and residents?

 

The law provides data subjects rights concerning their personal information, such as notice, access, accuracy, and transparency. These include the Right to Dispute, the Right to Erasure, and the Right to Data Portability, which sound very similar to some individual rights found in the GDPR (check out our white paper to see how they align).

  • The Right to Dispute. This right provides data subjects with the ability to contest inaccurate data with the data controller and to request for the information to be corrected.
  • The Right to Erasure or Blocking. According to the regulation, data subjects can “suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller.” To exercise this right, the data subject must have substantial proof that the data is incomplete, outdated, or false, or was unlawfully obtained. This right also states that data subjects will be compensated for any resulting damages.
  • The Right to Data Portability. Data subjects have the right to request their personal information from the data controller as long as the data was processed electronically.

 

What are the penalties for non-compliance with the DPA?

 

The DPA includes various penalties for individuals and organisations that are found non-compliant, many of which include imprisonment. Data controllers are held accountable for the following: processing unauthorised data, negligent access, illegal disposal, concealment of breaches or intentional breaches, and the unauthorised or malicious disclosure of data.

The repercussions of these violations (or a combination of them) can include an imprisonment sentence of three to six years as well as a monetary fine of $20,000-$100,000 (one million Philippine pesos to five million Philippine pesos). The maximum fine is imposed when data breaches involve the information of 100 or more individuals.

 

How can Philippine businesses comply with the GDPR?

 

Organizations that already comply with the Data Privacy Act (DPA) will find it easier to abide by the GDPR due to the similarity in statutes between the two. The data protection officers of Philippine companies complying with the DPA already have the tools they need to perform GDPR compliant roles efficiently.

 

The GDPR, much like the DPA, puts a high value on requiring the consent of users regarding the gathering of their information. The following guidelines have been set under the GDPR for the acquisition of user data:

 

  • Give concise, transparent, intelligible, and easily accessible forms when asking users to agree to privacy terms and conditions or data collection and processing
  • Disclose the purpose or legal grounds for data processing, the categories of personal data collected, possible recipients of the data, and how long the data will be retained
  • Have an age-verification process to identify users under the age of 16 and then obtain the consent of their parents before processing the minor’s personal information

 

An easy way for organisations to meet the terms of these guidelines is by having cookie banners, consent management, and internal privacy tools on their respective websites and/or web forms.

The GDPR also has provisions stating that users can opt out of automated processing which includes profiling. Similar to the DPA, companies are required by the GDPR to have someone review data handling procedures.

 

Moreover, under the GDPR when there is a data breach or knowledge of a data breach, the organization is required to report this within 72 hours to the appropriate agencies.

 

What are the consequences for failing to comply with the GDPR?

 

Companies that fail to comply with the GDPR’s guidelines could be fined between €10 million (US$11.74 million) and €20 million (US$23.48 million). The severity of the fines will depend on the seriousness of the breach, if a breach was committed, as well as on how seriously the company has been complying with the GDPR.

 

What should our next steps be to align with the DPA?

 

Organizations conducting business in the Philippines or processing the data of Philippine citizens and residents should take the following steps to meet DPA requirements:

 

  • Conduct a Data Privacy Impact Assessment (DPIA), a full review of your organisation’s data, collection procedures, processing activities, and data centres.
  • Appoint a Data Protection Officer (DPO), the person responsible for ensuring data processing remains in accordance with the regulation.
  • Register with the NPC. The following documentation is necessary for the registration of private entities: a certificate of the appointment of a DPO and a certified copy of any of the following documents: certificate of registration or license to operate.
  • Create a Privacy Management Program Manual to inform all departments and employees of the requirements of the DPA and the directives of the NPC.
  • Implement privacy and data protection measures and ensure that breach notification procedures are routinely tested.

 

As more and more countries adopt stronger privacy regulations, compliance with them is becoming a basic requirement for U.S. companies doing business around the world. However, after a quick look at the requirements of the DPA, you may have noticed some similarities between the DPA and the EU’s GDPR. While compliance with these regulations is certainly not an easy feat, their alignment in certain areas makes compliance with both regulations simpler.

Relentless Privacy and Compliance covers all data privacy regulations in the Asia region, and in particular the GDPR for Philippine outsourced service providers processing EU data subjects’ data.

 


 

The Malaysian Personal Data Protection Act “the act”

The Malaysian Personal Data Protection Act 2010 (“the Act”) was written into law on 15 November 2013. The Act mandates that businesses in Malaysia assume additional responsibilities and requirements when it comes to the processing of personal data of their employees, suppliers, and customers. This article provides an overview of the key issues to note under the Act.

The Act applies to any person who processes, has control over, or authorizes the processing of any “personal data” in respect of commercial transactions (the “data user”). The Act also applies to persons not established in Malaysia (for example, international organisations) if they use equipment in Malaysia for the processing of personal data otherwise than for the purposes of transit through Malaysia.

 

Certain classes of data users (eg: licensed insurers; legal, auditing, accounting, engineering and architecture firms; housing developers; medical and dental clinics) are required to register themselves with the Department of Personal Data Protection.

 

HOW IS PERSONAL DATA DETERMINED UNDER THE ACT?

 

Predominantly, “personal data” covered by the Act is information that relates to a data subject who is identifiable from that information being processed or collected. This broad definition will cover data types such as names, contact details, national registration identity card numbers, and passport numbers. Personal data also includes any sensitive personal data, such as the physical or mental health information of the data subject, his or her political opinions and religious beliefs, and criminal convictions, among others.

 

WHAT IS REQUIRED BY THE ACT?

 

Under the Act, data users are required to adhere to the 7 Personal Data Protection Principles.

 

  1. General: Personal data can only be processed with the data subject’s consent.
  2. Notice and Choice: Data subjects must be informed by written notice of, among other things, the type of data being collected and the purpose, its sources, the right to request access and correction, and the choices and means by which the data subject can limit the processing of their personal data.
  3. Disclosure: Personal data may not be disclosed without the data subject’s consent for any purpose other than that which the data was disclosed at the time of collection, or to any person other than that notified to the data user.
  4. Security: Data users must take practical steps to protect the personal data from any loss, misuse, modification or unauthorized access or disclosure, alteration or destruction.
  5. Retention: Personal data shall not be kept longer than is necessary for the fulfillment of its purpose.
  6. Data Integrity: Data users must take reasonable steps to ensure that personal data is accurate, complete, not misleading and kept up to date.
  7. Access: Data subjects must be given access to their personal data and be able to correct any personal data that is inaccurate, incomplete, misleading or not up to date.

 

Maximum fines for various offences under the Act range from RM100,000 to RM500,000 per offence. On conviction, offenders may also be liable to imprisonment.

 

What steps can a business take to help achieve compliance?

 

If your organization is a data user under the Act, you should start considering the following actions:

 

  1. Conduct an audit to identify:
     (a) the types of personal data being collected and processed;
     (b) the purposes for which personal data is being collected;
     (c) third parties to whom personal data is being disclosed;
     (d) how data subjects are being notified of the data processing.
  2. Have a privacy framework in place to ensure compliance with the Act. Appropriate policies and procedures regarding the collection, processing, retention and disclosure of personal data must be implemented. Where possible, appoint a team to manage issues relating to personal data and compliance with the Act.
  3. Be mindful that even if you have an existing global privacy policy in place, it may need to be reviewed and customized to match the Malaysian requirements. (For example, the Act requires personal data notices to be issued in both English and Malay.)
  4. Key personnel must be trained on the application of the Act. Compliance with the Act is not possible if employees do not understand the purpose of the Act or what they are required to do.
  5. Board-level commitment. Given the severe consequences for non-compliance, it is imperative that senior management sets the tone and “buys in” to the importance of complying with the Act.
  6. Have a system in place to continuously monitor compliance with your personal data policies and procedures, so that any gaps can be identified and addressed quickly.

 

While the additional obligations and responsibilities under the Act may appear troublesome to some, the Act is the right step towards bringing Malaysia’s personal data protection laws in line with the rest of the world as well as boosting investor confidence.


 

 

What is the APEC Privacy Framework and Who has signed up to it?

What is the APEC Privacy Framework and the Cross-Border Privacy Rules, and who has signed up to them?

 

 

The APEC Privacy Framework is a set of principles and implementation requirements created to enable effective privacy protections that avoid barriers to the information flows which are so vital to global data exchanges, and to ensure ongoing trade and economic growth in the Asia Pacific Economic Cooperation region of 27 countries. The APEC Privacy Framework set in motion the process of creating the APEC Cross-Border Privacy Rules system.

 

The CBPR (Cross-Border Privacy Rules) system has now been formally joined by the United States, Canada, Japan and Mexico, with more nations soon to follow. The CBPR program is comparable to the EU-U.S. Privacy Shield in that they both provide a means for self-assessment, compliance review, recognition/acceptance and dispute resolution/enforcement. Both systems require the designation by each country of a data protection authority (the U.S. enforcement authority is the Federal Trade Commission).

 

Unlike the GDPR, which is a directly applicable regulation, the CBPR system does not replace or alter a member country’s domestic laws and regulations. Where there is no evidence of applicable domestic privacy protection requirements in a country, the CBPR system is intended to provide a minimum level of data protection.

 

The privacy enforcement authorities of a country that takes part in the system should have the ability to take enforcement actions under applicable domestic laws and regulations that have the effect of protecting personal information consistent with the CBPR program requirements. 

 

As trade and cross-border data agreements grow exponentially, global organisations cannot simply rely on being compliant with local privacy laws. Privacy compliance must now be thought of as a global umbrella, with compliance with many regional and country laws nestling beneath it.

 

Relentless Global Privacy Services helps clients meet the tough world of privacy regulations

 

 

Let’s take a deep dive into the framework and how it compares to the GDPR

APEC Privacy Framework (or CBPRs) compared with the GDPR

Purpose
APEC: To develop effective privacy protections that avoid barriers to information flows, and ensure continued trade and economic growth in the APEC region.
GDPR: To enable the free movement of personal data within the Union while protecting the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

Material scope
APEC: Applies to persons or organizations in the public and private sectors who control the collection, holding, processing, use, transfer or disclosure of personal information.
GDPR: Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law.

Territorial scope
APEC: Applies to the same extent that the laws of each member country apply.
GDPR: Applies to processing that takes place in the Union or by a processor who has an establishment in the Union within the context of activities in the Union, or to processing activities that are related to the offering of goods and services to (or behavioral monitoring of) data subjects in the Union.

Personal information
APEC: Personal information means any information about an identified or identifiable individual.
GDPR: (Same.) Personal data means any information relating to an identified or identifiable natural person.

Data controller
APEC: Personal information controller means a person or organization who controls the collection, holding, processing or use of personal information.
GDPR: Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processors
APEC: The APEC Privacy Framework and CBPRs do not apply to processors, only to controllers.
GDPR: Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Publicly available information
APEC: The APEC Privacy Framework has limited application to publicly available information. Notice and choice requirements, in particular, are often superfluous where the information is already publicly available and the personal information controller does not collect the information directly from the individual concerned.
GDPR: The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.

Permitted member country variations (derogations)
APEC: Economies implementing the framework at a domestic level may adopt suitable exceptions to scope that suit their particular domestic circumstances.
APEC: The framework is not intended to impede governmental activities authorized by law when taken to protect national security, public safety, national sovereignty or other public policy.
GDPR: Member States have discretion in a number of subject areas including: Supervisory Authority; Sanctions; Demonstrating Compliance; Data Protection Officers; Archiving and Research; Third Country Transfers; Sensitive personal data and exceptions; Criminal Convictions; Rights and Remedies; Processing of Children’s Personal Data by Online Services; Freedom of Expression in the Media; Processing of Data; Restrictions; Rules surrounding Churches and Religious Associations.
GDPR: Exceptions to general GDPR applicability also exist for national security, public safety, and police powers.

Preventing harm principle
APEC: Recognizing the interests of the individual in legitimate expectations of privacy, personal information protection should be designed to prevent the misuse of such information.
GDPR: Protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

Notice
APEC: Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal information. All reasonably practicable steps shall be taken to ensure that such notice is provided either before or at the time of collection of personal information. Otherwise, such notice should be provided as soon after as is practicable.
APEC: It may not be appropriate for personal information controllers to provide notice regarding the collection and use of publicly available information.
APEC: Where personal information is not obtained directly from the individual, but from a third party, it may not be practicable to give notice at or before the time of collection of the information.
GDPR: If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
GDPR: The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.

Collection limitation
APEC: The collection of personal information should be limited to information that is relevant to the purposes of collection, and any such information should be obtained by lawful and fair means and, where appropriate, with notice to, or consent of, the individual concerned.
GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Use limitation
APEC: Personal information collected should be used only to fulfill the purposes of collection and other compatible or related purposes except: a) with the consent of the individual whose personal information is collected; b) when necessary to provide a service or product requested by the individual; or c) by the authority of law and other legal instruments, proclamations and pronouncements of legal effect.
GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Choice and consent
APEC: Where appropriate, individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information. It may not be appropriate for personal information controllers to provide these mechanisms when collecting publicly available information.
GDPR: Permits the use of health-related personal data with explicit consent from the subject, unless reliance on consent is prohibited by EU or member state law. “Explicit consent” must meet a higher standard than consent for the processing of other forms of personal data: an individual must be clearly informed of the use of their data and take an affirmative action to demonstrate their consent.
GDPR: Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data integrity
APEC: Personal information should be accurate, complete and kept up-to-date to the extent necessary for the purposes of use.
GDPR: Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Security safeguards
APEC: Personal information controllers should protect personal information that they hold with appropriate safeguards against risks, such as loss or unauthorized access to personal information, or unauthorized destruction, use, modification or disclosure of information or other misuses. Such safeguards should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the information and the context in which it is held, and should be subject to periodic review and reassessment.
GDPR: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Access and correction
APEC: Individuals should be able to obtain from the personal information controller confirmation of whether or not the personal information controller holds personal information about them, have access to information held about them, challenge the accuracy of information relating to them, and have the information rectified, completed, amended or deleted. All of the above rights are subject to a balancing of the burden or expense of compliance, legal or security reasons, the protection of commercial information, and the protection of the privacy rights of persons other than the affected individual.
GDPR: The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and to access the personal data and information about the processing, including: what categories of data are processed, the recipients of the data, the rights to erasure and rectification of the personal data, the right to lodge a complaint with a DPA, the source of the data, and whether the data was subject to automated profiling (and if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject).

Accountability
APEC: A personal information controller should be accountable for complying with measures that give effect to the Principles stated above.
GDPR: The controller shall be responsible for, and be able to demonstrate compliance with, the principles of the processing of personal data under the GDPR.

Transfer of personal data to another person or country
APEC: When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles.
GDPR: When a controller sends data to another party to be processed, that party is a processor and therefore must be bound by contract with the controller to protect the personal data.
GDPR: Personal data may only be transferred to third countries where the EU has considered the laws to provide adequate protection, or where protected by binding corporate rules, approved model clauses, binding agreements combined with an approved code of conduct, or approved certification.

Breach definition
APEC: There is no specified definition of breach under the APEC Privacy Framework or CBPRs.
GDPR: Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Breach notification
APEC: The APEC Privacy Framework does not directly address breach, but the principles support notification.
APEC: The Cross-Border Privacy Rules (CBPR), to which APEC economies must bind themselves to join, require that member countries impose rules requiring that data controllers contractually protect data by requiring notification to themselves by data processors, agents, contractors or other service providers.
APEC: The CBPRs do not require that member countries impose mandatory notification of breach to privacy enforcement authorities or data subjects.
GDPR: The GDPR requires assessment of data incidents and prompt notification of breach to data subjects when there is a high risk to the rights and freedoms of natural persons and, with respect to supervisory authorities, notification when the breach is likely to result in a risk to the rights and freedoms of natural persons.

Breach mitigation
APEC: (See the security safeguards row above.) The APEC Privacy Framework requires appropriate safeguards.
APEC: The CBPRs require the applicant country to describe how it enforces a requirement to have technical (authentication and access control, encryption, firewalls and intrusion detection, audit logging, monitoring, etc.) and administrative (training, policies, enforcement, etc.) safeguards.
GDPR: Notification to data subjects is not required if:
· the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; or
· the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialise; or
· it would involve disproportionate effort. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.


Comparing South Korea Personal Information Protection Act to GDPR


South Korea’s substantial Personal Information Protection Act (PIPA) was enacted on Sept. 30, 2011. PIPA is known for being one of the world’s strictest privacy regimes.

PIPA has many similarities to the GDPR: it protects privacy rights from the viewpoint of the data subject and it is wide-ranging, applying to most organizations, even government entities.

It is not only broadly applicable and robust, but its penalties — which include criminal and regulatory fines and even imprisonment — are vigorously enforced.


On June 30 of last year, South Korea became the fifth member to join the APEC Cross Border Privacy Rules, joining the U.S., Japan, Canada and Mexico.


The table below compares aspects of the GDPR directly with South Korea’s PIPA.

South Korea’s Personal Information Protection Act (PIPA) compared with the GDPR

Purpose
PIPA: To provide for the processing of personal information for the purpose of enhancing the rights and interests of citizens, and further realizing the dignity and value of individuals by protecting their privacy from the unauthorized collection, leakage, abuse or misuse of personal information.
GDPR: To enable the free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.

Material Scope
PIPA: Applies to any public institution, corporate body, organization, individual, etc., that manages personal information directly or via another person to administer personal information files as part of their duties.
GDPR: Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law.

Territorial Scope
PIPA: Although the territorial scope is not specified in the law, the standard for enforcement of South Korean data protection law is similar to the GDPR in that companies established in South Korea are certainly subject to the law, and foreign companies that target South Korean users are likely also within the ambit of enforcement action.
GDPR: Applies to processing that takes place in the Union or by a processor who has an establishment in the Union within the context of activities in the Union, or to processing activities that are related to the offering of goods and services to (or behavioral monitoring of) data subjects in the Union.

Personal Data
PIPA: “Personal information” means information pertaining to any living person that makes it possible to identify such individual by their name and resident registration number, image, etc. (including information which, if not by itself, makes it possible to identify a specific individual when combined with other information).
GDPR: Personal data means any information relating to an identified or identifiable natural person.

Sensitive Personal Data
PIPA: Sensitive personal information pertains to ideology, belief, joining and withdrawing from trade unions or political parties, political opinion, health, sexual life, criminal history data, and DNA information acquired from genetic examination, as well as other personal information that, if processed, is likely to infringe the privacy of data subjects.
GDPR: Special categories of data that are considered particularly sensitive are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Data Controller
PIPA: The act does not distinguish between controllers and processors. Both a controller and a processor are considered a “personal information processor.”
GDPR: Means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processors
PIPA: “Personal information processor” means a public institution, legal person, organization, individual, etc. that processes, directly or indirectly, personal information to operate personal information files for official or business purposes. Because the act does not distinguish between controllers and processors, it is important to note that processors in South Korea are subject to many requirements that are reserved for controllers under the GDPR.
GDPR: Means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

Publicly Available Information
PIPA: There is no specific exception to applicability that relates to publicly available information.
GDPR: The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.

Preventing Harm Principle
PIPA: The law provides that state and local governments shall devise policies to prevent the harmful consequences of beyond-purpose collection and the abuse and misuse of personal information, and to enhance the dignity of human beings and individual privacy. Preventing harm is also expressed as a reason for certain personal information to be classified as sensitive.
GDPR: Protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

Lawfulness, Fairness and Transparency
PIPA: The personal information processor shall make the personal information processing purposes explicit and specified, and shall collect the minimum personal information lawfully and fairly to the extent necessary for such purposes.
GDPR: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose Limitation
PIPA: An information processor should use personal information only for the purposes specified to the data subject in any applicable consent.
GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data Minimization
PIPA: A personal information processor should collect only the minimum amount of personal information necessary for the purposes specified to the data subject.
GDPR: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy
PIPA: The personal information processor shall ensure the personal information is accurate, complete and up-to-date to the extent necessary to attain the personal information processing purposes.
GDPR: Personal data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay.
GDPR: Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Storage Limitation
PIPA: The personal information processor shall inform the data subject of the duration of data retention when obtaining consent for processing, and shall make efforts to process personal information anonymously where possible.
GDPR: Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organizational measures required by the regulation in order to safeguard the rights and freedoms of the data subject.

Notice
PIPA: The personal information processor shall make public its privacy policy and other personal information processing matters. The privacy policy must disclose:
· The purpose of personal information processing.
· The period for processing and retention of the personal information.
· Any provision of the personal information to a third party (if applicable).
· Any consignment of personal information processing (if applicable).
· The rights and obligations of data subjects and how to exercise those rights.
· Other matters in relation to personal information processing as stated in the Presidential Decree.
GDPR: Articles 12, 13 and 14 address the requirement that a data controller provide notice to data subjects of processing that is concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge. The notice must contain:
· Identity and contact details of the controller (and, where applicable, the controller’s representative) and the data protection officer
· Purpose of the processing and the legal basis for the processing
· The legitimate interests of the controller or third party, where applicable
· Categories of personal data
· Any recipient or categories of recipients of the personal data
· Details of transfers to third countries and safeguards
· Retention period or criteria used to determine the retention period
· The existence of each of the data subject’s rights
· The right to withdraw consent at any time, where relevant
· The right to lodge a complaint with a supervisory authority
· The source the personal data originates from and whether it came from publicly accessible sources
· Whether the provision of personal data is part of a statutory or contractual requirement or obligation, and the possible consequences of failing to provide the personal data
· The existence of automated decision making, including profiling, and information about how decisions are made, their significance and their consequences.

Choice and Consent
PIPA: The law specifies that when obtaining consent from data subjects, the personal information processor shall notify the data subjects of the fact by separating the matters requiring consent and helping the data subjects to recognize it explicitly. When obtaining consent for processing, the personal information requiring consent should be segregated from the personal information not requiring consent.
PIPA: The personal information processor shall not deny goods and services on the basis that the data subject did not consent to certain processing (such as agreeing to receive solicitations).
GDPR: Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
GDPR: If the data subject’s consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

Integrity and Confidentiality
PIPA: The act imposes detailed technical and administrative measures for the security of personal information. The personal information processor shall take such technical, managerial and physical measures (an internal management plan, preservation of log-on records, etc.) as are necessary to ensure safety, so that personal information may not be lost, stolen, leaked, altered or damaged.
GDPR: Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
GDPR: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Accountability
PIPA: The personal information processor must appoint a privacy officer.
PIPA: The Minister of Public Administration and Security has the right to request goods and documents that demonstrate compliance with the law, and to enter the premises and inspect if the personal information processor fails to furnish the materials.
GDPR: The controller must appoint a data protection officer.
GDPR: The controller shall be responsible for, and be able to demonstrate compliance with, the principles of the processing of personal data under the GDPR. The controller and the processor shall designate a data protection officer where processing requires regular and systematic monitoring of data subjects on a large scale, or where the core activities of the controller or the processor consist of large-scale processing of special (sensitive) categories of data or of personal data relating to criminal convictions and offenses.

Access and Correction
PIPA: The data subject has the right to demand access to and suspension of processing of their personal information, and to demand its correction, deletion and destruction.
GDPR: The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and to access the personal data and information about the processing, including what categories of data are processed, the recipients of the data, the rights to erasure and rectification of the personal data, the right to lodge a complaint with a DPA, the source of the data, and whether the data was subject to automated profiling (and if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject).

Data Portability
PIPA: Data subjects may demand access to data, with some exceptions. The law does not specify that access must be in the form of an export or other form of portability.
GDPR: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

Transfer of Personal Data to Another Person or Country
PIPA: A data protection agreement must be in place between the personal information processor and the party to which processing is outsourced. This requirement also applies to international personal information transfers.
PIPA: The personal information processor must also inform data subjects when it provides personal information to a third party overseas, and shall not enter into a contract for unlawful cross-border transfer when it obtains consent.
GDPR: When a controller sends data to another party to be processed, that party is a processor and therefore must be bound by contract with the controller to protect the personal data. Personal data may only be transferred to third countries where the EU has considered the laws to provide adequate protection, or where protected by binding corporate rules, approved model clauses, binding agreements combined with an approved code of conduct, or approved certification.

Breach Definition
PIPA: The law does not define a breach, but refers to it as an event where personal information has been breached.
GDPR: Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Breach Notification
PIPA: The personal information processor must notify the aggrieved data subjects without delay when it becomes aware that personal information has been breached.
PIPA: Breaches that affect more than a certain number of individuals, as set forth in a presidential decree, must be disclosed to the data protection authority.
GDPR: The GDPR requires assessment of data incidents and prompt notification of the breach to data subjects when there is a high risk to the rights and freedoms of natural persons and, with respect to supervisory authorities, notification when the breach is likely to result in a risk to the rights and freedoms of natural persons.

Breach Mitigation
PIPA: There is no specific provision that allows for a harm or risk test, or the application of mitigation, to avoid the requirement to notify of a breach, but the personal information processor is obligated to take countermeasures to minimize damage.
GDPR: Notification to data subjects is not required if:
· The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorized to access it, such as encryption; or
· The controller has taken subsequent measures that ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialize; or
· It would involve a disproportionate effort. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.


Changes to Hong Kong’s Data Privacy Law: What They May Mean For Your Business

In the wake of a massive data security breach in 2018, Hong Kong is finally carrying out a much-needed review of its PDPO data protection regulation. Relentless Privacy & Compliance outlines the upcoming changes and their impact on global businesses.

 

When the European Union first introduced the General Data Protection Regulation (GDPR) back in 2016, many countries, cities and regions around the world were quick to take notice. Seeing how successfully GDPR was implemented two years later, those same areas sprung into action, revising their own data privacy laws to better reflect and cope with the needs of today’s digital, data-driven economy.

 

Before long, we had The Standard from China, the LGPD from Brazil and Japan’s APPI among others.

 

Yet while all this was going on, one region once considered a pioneer in the world of data protection law found itself very much lagging behind. Back in 1996, Hong Kong became one of the first countries in Asia to come up with its own regulations around data privacy. Known as the Personal Data Privacy Ordinance (PDPO), the law was largely considered to be ahead of its time when it first came into force. Yet that was 23 years now. Now, almost a quarter of a century later, the world is a very different place and PDPO, according to many of its much staunch critics, simply fails to reflect that.


Revisions to PDPO

Sure, the law has seen the occasional update.

Hong Kong has its own Privacy Commissioner for Personal Data (PCPD), a role currently held by Stephen Wong. The PCPD has a statutory obligation to review the Hong Kong data privacy law, and last did so in 2012.

That review resulted in new restrictions being placed on direct marketers, though many people at the time, and especially now, years later, have argued that such changes simply were not enough to protect the personal data and privacy rights of individuals in modern society. Last year, Wong finally relented and agreed to carry out another review, which many hope will result in the changes needed to bring PDPO in line with GDPR and other modern data privacy laws.


Today, global data protection consultants Relentless Privacy & Compliance take a break from helping organisations ensure frictionless compliance with global data privacy laws to look at what these changes are likely to be.


Why is the Hong Kong Data Privacy Law Being Reviewed Now?

2018 saw one of Hong Kong's biggest ever data security breaches, as the personal data of some 9.4 million passengers was compromised in an attack on airline Cathay Pacific. The breach was the last straw for critics, who argued that it served as proof that the current law was no longer fit for purpose. Responding to such criticism, and drawing inspiration from GDPR, Wong admitted that changes were needed and promised to carry out a review.

So far, industry insiders expect the review to result in changes in the four main areas in which PDPO fails to hold its own against other international data protection laws.


These four areas are:

1: Data breach notifications

Under GDPR, a controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and must inform the affected data subjects without undue delay where the breach is likely to result in a high risk to them. A processor, for its part, must notify the controller without undue delay after becoming aware of a breach.

Since updating their privacy laws, many other parts of the world have put similar mandatory notification requirements in place, yet so far Hong Kong has not.

Going forward, we should expect to see the rules change so that the data subjects affected by a breach will need to be notified within a reasonable timeframe from when the breach occurred.

If your business deals with Hong Kong data subjects, then you may want to keep an eye on the Relentless Privacy & Compliance blog or follow us on social media, where we will report on the exact rules that Wong and his team come up with.

In the meantime, consider how your data breach response processes for GDPR can be adapted to PDPO.


2: Non-Compliance Penalties

Incidents such as the Cathay Pacific breach have raised concerns that the penalties for non-compliance are not sufficient to motivate organisations to fully protect the personal data they hold.

At present, if a company fails to protect personal data or falls short of PDPO rules in some other way, then the worst that happens is that it receives an enforcement notice ordering it to remedy the contravention and prevent it from recurring.

Only if the company fails to comply with that notice does the Office of the Privacy Commissioner for Personal Data really hit it where it hurts: contravening an enforcement notice is an offence carrying a maximum fine of HKD 50,000 (roughly GBP 5,000) and up to two years' imprisonment, and even this, most critics argue, is not enough.

They expect Wong's team to bring penalties more in line with GDPR, which currently allows fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.


3: Data Processors

Under GDPR, both data controllers and data processors have direct obligations under the regulation, whereas PDPO currently places direct obligations only on data users (the equivalent of controllers); processors are bound only indirectly, through the contractual or other means a data user must adopt to control their handling of the data. Since a large share of data breaches originate with processors, many insiders say that this is neither sufficient nor fair.

The upcoming changes are likely to address this by making processors directly accountable.


4: International Data Transfers

Section 33 of PDPO prohibits the transfer of personal data to a place outside Hong Kong except under certain circumstances, which include the following:

  • The recipient place is included in a "white list" specified by the PCPD
  • The data user has reasonable grounds for believing that the recipient place has in force a law substantially similar to, or which serves the same purpose as, the PDPO
  • The data subject has consented in writing to the transfer
  • The data user has reasonable grounds for believing that the transfer is necessary to avoid or mitigate adverse action against the data subject, that it is not practicable to obtain the data subject's consent in writing, and that if it were practicable, the data subject would give that consent
  • The data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be collected, held, processed or used in a manner inconsistent with the provisions of the PDPO

Yet despite being enacted in 1995, Section 33 has never come into operation.

The upcoming review by Stephen Wong is likely to address this, first by bringing Section 33 in line with GDPR Articles 44 to 49, which deal with international transfers, and then by finally putting it into operation for the first time in the long and troubled history of the Personal Data (Privacy) Ordinance.

Need expert advice preparing for changes to Hong Kong’s data privacy law? Looking for a simpler solution to map all of your current international data protection methods?

Talk to Relentless today about how our global privacy service can help your organisation enjoy frictionless compliance in a way that provides long-term added value. Contact us online to arrange your initial consultation or call now on +44 (0) 121 582 0192


GDPR and LGPD: The Differences between the EU and Brazil’s Data Protection Laws Your Business Needs to Know

As Brazil readies itself for the arrival of its new General Data Protection Law (LGPD) in February 2020, we outline how it differs from GDPR, and what those differences mean for businesses like yours.

It's a familiar story that has been told with ever-increasing frequency over the past 18 months: inspired by the European Union's success in rolling out the game-changing General Data Protection Regulation (GDPR), one country after another revamps and revises its national privacy laws to better reflect the needs and concerns of today's data-driven society.

We've seen it in California with the CCPA, we've seen it in China with The Standard, and we've recently seen it in Japan with the APPI.

Now it's Brazil's turn, as the country gets set for the imminent arrival of its own General Data Protection Law, known in Portuguese by the acronym LGPD (Lei Geral de Proteção de Dados). Yet while other countries have been content to simply adopt the basic principles of GDPR as their own, Brazil has introduced a few notable changes that businesses dealing with the personal data of Brazilian data subjects should be aware of.

Today, global data privacy specialists Relentless Privacy and Compliance outline exactly what those changes are, how GDPR and LGPD are different, and what your business may need to do to ensure frictionless compliance with the new Brazilian law.

Before we do that, however, let’s take a look at a few LGPD facts that you’ll find it helpful to know:

Brazil’s General Data Protection Law: What is it, and What do You Need to Know?

Back in August 2018, then-President Michel Temer sanctioned (signed into law) a new data protection law for the country, Law No. 13,709/2018.

Like similar laws elsewhere in the world, the new law applies to all businesses and organisations who process or control personal data of people within Brazil, regardless as to where those businesses and organisations are based. So, if you’re a business based within the EU but people in Brazil can access goods or services from you via your website, then you need to be LGPD compliant in order to process the data you need to provide those goods or services.

When does LGPD Come into Force?

If this is the first time you're hearing about the new law, there's no need to panic just yet. Despite being sanctioned last summer, the law isn't due to take effect until February 2020, giving you plenty of time to prepare. That is, if you even need to prepare at all. With a number of similarities between GDPR and LGPD, duplicating and expanding your current data protection efforts may not be necessary. In fact, even the few differences there are may make life a little easier for you if you do process Brazilian personal data. With that in mind, let's take a look at how GDPR and LGPD compare, and what this comparison means for your business.

How GDPR and LGPD are Similar

The basic fundamentals of the two are the same. As we've already discussed, both apply to any business or organisation that processes the data of people within their respective territories (Brazil and the EU), regardless of where that processing is actually carried out. Likewise, Brazil has its own rules on international data transfers, and anyone affected by them would do well to follow the practices and procedures they already use for GDPR.

Other key similarities include:

Data Subject Access Requests

As in the EU, data subjects have the right to request access to their data as well as the right to be forgotten.

Data Protection Officers

Article 37 of GDPR states that your organisation is legally required to appoint a Data Protection Officer (DPO) if:

  • You're a public authority or body (except for courts acting in their judicial capacity)
  • Your core activities consist of processing operations which require "regular and systematic monitoring of data subjects on a large scale"
  • Your core activities consist of "processing on a large scale of special categories of data" or of data relating to criminal convictions and offences

However, even if you don't fall into one of the above categories, the Article 29 Data Protection Working Party (since succeeded by the European Data Protection Board) recommends appointing a DPO voluntarily as a matter of good practice.

Brazil’s stance on the matter is very similar, and your compliance consultant at Relentless can help you determine the best DPO solution for you should you need to appoint one.

Data Breaches

Brazil's position on reporting breaches is similar to GDPR in as much as both state that breaches must be notified; however, this is also one area in which the two differ. We'll cover those differences below.

How are GDPR and LGPD Different?

One of the major differences between the two with regards to data breaches is that Brazil appears to be much more flexible in terms of how and when breaches must be reported.

Article 33 of GDPR states:

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

Brazil is much less specific. LGPD Article 48 states that breach notifications must occur "within a reasonable time, to be defined by the national authority". This becomes all the more vague when you consider that, at the time of writing, Brazil doesn't actually have a designated national authority enforcing LGPD. Attempts to create one were vetoed by Michel Temer on a technicality, though President Temer did insist that agencies similar to the ones proposed would eventually be created. In the interim, breaches can be notified to the Ministério Público do Distrito Federal e Territórios (the Public Prosecutor's Office of the Federal District and Territories), which has a portal for reporting breaches and may carry out civil investigations of them if necessary.

Legal Bases

The most talked-about difference between the two concerns the legal bases for processing data.

Under GDPR, your business has six legal bases, which are:

  1. Consent
  2. Contract performance
  3. Public task
  4. Vital interests
  5. Legal obligation
  6. Legitimate interests

For a definition of these bases, see our guide to baseline GDPR compliance.

Under LGPD, the number of legal bases has been expanded to ten. They are:

  1. Consent
  2. Legal obligation
  3. Implementation of public policies by the public administration (public task)
  4. Research by public study entities
  5. Contractual performance
  6. Exercise of rights in legal proceedings
  7. Life protection (vital interests)
  8. Health protection
  9. Legitimate interest
  10. Protection of credit

Though you’ll note a number of similarities between the two, you’ll also see that bases such as protection of credit are exclusive to Brazil. This is particularly pertinent as the country prepares to reform its existing laws around credit scores.

Penalties for Violations

Much as with the timeframe for reporting breaches, Brazil also appears to be a little more lenient when it comes to penalties for non-compliance. In the EU, fines can reach up to 4% of worldwide annual turnover or 20 million euros, whichever is higher. In Brazil, fines can reach up to 2% of the company's revenue in Brazil in the preceding financial year, capped at 50 million Brazilian reais per infraction.

Not that your business should ever find yourself in a situation that requires you to pay such a fine.

At Relentless Privacy & Compliance, we help you achieve frictionless compliance with LGPD, GDPR and other international laws thanks to our comprehensive global data privacy service. This includes a detailed global gap analysis, helping you identify areas where you can streamline your data protection efforts, saving you time and money in the process.

Find out more about our LGPD Service


To order your gap analysis, contact us online today, or to discuss your privacy concerns, call us now on +44 (0) 121 582 0192.