It’s Time to Take Data Privacy Seriously in Singapore

In the past decade, there has been an explosion of new data privacy laws in Asia, but enforcement has lagged behind. While some countries, such as Malaysia, still have not actively enforced their privacy laws, others, Singapore among them, have recently and substantially stepped up enforcement of their data privacy laws.

Even though the city-state of Singapore covers only about 720 square kilometers, it plays an integral role in the world economy. Singapore, along with Hong Kong, is often called the “business nexus of the East.” A recent Towers Watson study found that Singapore hosts roughly 41 percent of the Asia Pacific headquarters of Fortune 500 companies (compared with 34 percent for Hong Kong and 16 percent for Mainland China).[1]

In 2012, Singapore passed the Personal Data Protection Act (PDPA), which established a general data protection law for the country. Among other things, the PDPA governs the collection, use, disclosure, and protection of individuals’ personal data by organizations. The agency charged with enforcing the PDPA is the Personal Data Protection Commission (PDPC). The PDPA gives the PDPC power to: (1) investigate organizations’ data protection practices, (2) direct organizations to stop activities that violate the PDPA, (3) direct organizations to destroy personal data collected in contravention of the PDPA, (4) direct organizations to comply with any other order of the PDPC, and (5) impose a financial penalty of up to S$1 million.[2]

PDPA guidance on enforcement actions

On April 21, 2016, the PDPC revised its Advisory Guidelines on Enforcement of the Data Protection Provisions (Enforcement Guidelines).[3] While the Enforcement Guidelines are not legally binding, they indicate how the PDPC decides which organizations to investigate and what penalties it will seek.

The Enforcement Guidelines state that the PDPC may open an investigation into any organization where it considers, on the information available to it (whether from a complaint or otherwise), that an investigation is warranted.[4] Among other things, the PDPC weighs the following factors in deciding whether to investigate and whether to impose financial penalties: whether the organization may have failed to comply with the PDPA, whether it has systematically failed to comply, and the potential harm and severity of the misconduct.[5]

Enforcement actions

Previously, the PDPC had published enforcement actions only under its “do-not-call” rules, a set of regulations loosely similar to the US Do-Not-Call rules. Only recently has Singapore actively enforced, and issued guidance on how the PDPC will approach, the other parts of the PDPA.

First shots fired

On April 21, 2016, Singapore’s PDPC published its first set of 11 enforcement actions.[6] The organizations involved range from small businesses to multinationals, including a subsidiary of China’s Xiaomi. Of the 11 actions, four organizations were fined for violating the PDPA and six others were issued warnings.[7] A majority, eight of the 11, were based on a breach of Section 24 of the PDPA for failing to implement proper and adequate protective measures, which resulted in the unauthorized disclosure of personal data.[8] Section 24 provides that an organization shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.[9]

The largest fine, S$50,000, was imposed on K-Box Entertainment Group Pte Ltd.[10] In 2014, it was reported that the personal data of over 300,000 K-Box members had been leaked and uploaded online.[11] The breach exposed members’ names, contact numbers, and residential addresses.[12] The PDPC found that K-Box had failed to put in place adequate security measures to protect the personal data in its possession.[13] According to the decision, K-Box had, among other things, failed to enforce a password policy, to control unused accounts, to keep its software up to date, or to conduct security audits.[14]

The PDPC also fined Finantech Holdings, K-Box’s IT service provider. Finantech developed, hosted, and managed K-Box’s content management system (CMS).[15] As a data intermediary, Finantech was found not to have implemented adequate security measures for the CMS, such as patching known security vulnerabilities or using a complex password for an administrative account.[16]

Continued enforcement of data privacy laws

Since April 21, 2016, Singapore has increased its rate of enforcement. The PDPC has released details of 11 more enforcement actions.[17] Of these, seven companies received fines ranging from S$500 to S$25,000 and four received warnings.[18] As with the first set, the majority (eight of 11) relate to a breach of Section 24 of the PDPA for failing to implement proper and adequate protection measures.

Among the most recent actions, the PDPC fined Toh-Shi Printing (Toh-Shi) on two separate occasions for failing to implement proper and adequate protection measures.[19] In both instances Toh-Shi was a service provider engaged to print and mail paper notices on behalf of its corporate customers.[20] In both cases, Toh-Shi mistakenly sent sensitive financial information to the wrong individuals.[21] The PDPC fined Toh-Shi for failing to provide adequate quality control and employee training.[22] The Toh-Shi cases show that enforcement of Section 24 is not limited to IT security measures but extends to non-technical measures such as quality control and employee training.

Perhaps the most interesting aspect of the Toh-Shi enforcement actions is that the two companies that engaged Toh-Shi as a service provider were neither fined nor found in violation of Section 24 of the PDPA.[23] This contrasts with the K-Box action: even though Finantech managed part of K-Box’s IT operations, K-Box was still fined for breaching the PDPA.[24]

The K-Box action differs from the Toh-Shi actions in two respects. First, while Finantech handled some of K-Box’s IT operations, it did not handle all of them.[25] K-Box retained some IT responsibilities, and its failures in those areas contributed to the breach of over 300,000 customer records.[26] In the Toh-Shi actions, by contrast, Toh-Shi’s customers outsourced the entire printing operation, from initial printing through mailing of the financial records.[27] This suggests there may be less enforcement risk where an organization outsources every step of a process to a service provider. Second, unlike K-Box, which had no data protection provisions in its contract with Finantech, Toh-Shi’s customers contractually required Toh-Shi to put in place adequate security policies, procedures and controls.[28] In other words, the PDPC’s decisions suggest that it regards contractual requirements imposed on a vendor as capable of discharging a company’s obligation to take “reasonable and appropriate” steps to secure information.

The Toh-Shi actions also show how a systematic and continued disregard of adequate security measures can increase the size of a company’s fines.[29] That continued disregard likely explains why Toh-Shi’s second fine rose from S$5,000 to S$25,000.

While the fines levied by the PDPC for non-compliance with the PDPA have been relatively modest compared with the million-dollar fines issued by EU countries or the United States, the real cost of a PDPC investigation lies in the highly negative publicity and in the legal fees and staff time needed to defend it.

Future considerations

As Singapore’s PDPC gains experience and refines its interpretation of the PDPA, we expect more enforcement actions. According to Singapore’s government directory, 18 individuals work at the PDPC.[30] Roughly a third of them have been at the PDPC for less than 18 months.[31] The Singapore government does not publish a detailed headcount breakdown, but we expect that as these newer employees gain experience and are fully integrated into the PDPC, enforcement activity will increase.

We understand that the PDPC is actively working with entities in Singapore by organizing data protection and security training and educational sessions. The current list of enforcement actions, however, shows that Singapore is also serious about enforcing the PDPA. Of the 22 actions to date, a sizeable majority involve companies that would be considered small or mid-sized. We speculate that this is because the PDPC is still a relatively new agency and may prefer relatively easy targets: companies with egregious security practices, or without the resources to challenge the PDPC in court. The PDPC may also be following the old Chinese idiom 杀鸡儆猴, literally “kill the chicken to scare the monkey,” that is, punish the weak to deter the strong. Fining small companies with egregious security practices lets the PDPC show the public that it is serious about enforcement, and makes an example of a few small organizations to warn larger ones that may not be taking data protection seriously. As the PDPC matures, we expect larger organizations to be targeted and higher fines to be assessed.

Lastly, since data breaches are now high-profile events that attract rapid and widespread media attention, we expect the PDPC to focus heavily on Section 24 of the PDPA, the obligation to implement proper and adequate protective measures for personal data. Sixteen of the 22 enforcement actions involved a failure to maintain such measures.[32]

Considerations for entities operating in Singapore

Recent enforcement actions show a propensity for the PDPC to focus heavily on whether organizations have implemented proper and adequate protective measures for personal data. The PDPC recently released the Advisory Guidelines on Key Concepts in the Personal Data Protection Act (Guidelines).[33] Much like the “I know it when I see it” standard for obscenity in the United States, the Guidelines do not provide a checklist of what an organization must do to comply with Section 24 of the PDPA. Instead, they state that there is no one-size-fits-all solution for data security: the security obligations depend on the nature of the information, the form it takes, and the possible impact of its unauthorized disclosure.[34] Among other things, we recommend that companies consider the following measures:

  1. Conduct a privacy and security assessment of policies and procedures. Such an assessment lets an organization review its current policies to determine whether (a) the policies and procedures need updating and (b) the company actually follows them. Going through the motions of a security assessment is not enough. For example, the PDPC issued a warning to Metro Pte Ltd for not addressing SQL injection vulnerabilities that had been discovered in earlier IT security audits.[35] To lower risk effectively, an organization must remediate the issues found through assessments and audits. For an unbiased and candid view of its security measures, an organization should consider engaging a third-party vendor.

Organizations should consider at a minimum, implementing/acquiring the following policies and procedures:

  • Incident response plan.
  • Mobile IT policy.
  • Record retention policy.
  • Password management policy.
  • User access and management policy.
  • IT vendor management process.
  2. Conduct an internal data inventory. Knowing what data is collected and held lets an organization assess the sensitivity of the data and determine whether current security measures are appropriate and reasonable.

Organizations should consider the following when conducting a data inventory:

  • The types of data collected.
  • Where the data is physically housed (e.g., the building or location).
  • Where the data is logically housed (e.g., the electronic location within a server).
  • Whether encryption is applied to the data in transit (i.e., when it is moving). If so, which encryption standard is used?[36]
  • Whether encryption is applied to the data at rest (i.e., when it is stored). If so, which encryption standard is used?[37]
  • The custodian of the data (i.e., who is responsible for it).
  • Who has access within the organization to the data.
  • Who has access outside of the organization to the data.
  • Whether the data crosses national boundaries.
  • The retention schedule (if any) applied to the data.[38]
  3. Review IT service provider contracts for adequate data protection provisions. The Toh-Shi enforcement actions suggest that one way an organization can protect itself against a possible enforcement action is to include adequate data protection requirements in its service provider contracts.

Consider adding the following provisions:

  • Limitations to the use of personal data.
  • Breach notification requirements.
  • Representations, warranties and covenants relating to data privacy and security.
  • Indemnification obligations.
  • Compliance with applicable data protection laws.
  • Data transfer limitations.
  • Audit or monitoring rights.
  • List of specific IT technical safeguards (e.g., encryption standard, access control).
  • Data maintenance/deletion obligations.
  4. Ask IT service providers to complete a security questionnaire. Proactively requiring a service provider to complete a security questionnaire can spare an organization the cost of selecting a provider that lacks adequate security procedures, and thereby lowers the risk of a data breach.

When drafting a security questionnaire, consider the following:

  • Designated employee responsible for overseeing security program.
  • Procedures for appropriately destroying documents with sensitive information.
  • Encryption standards for mobile devices.
  • Encryption standards for transmitting sensitive information.
  • Employee training.
  • Data breach incident response.
  • Vendor management process.
  • Process for provisioning user access.
  • Process for de-provisioning user access.
  • Disciplinary measures for security violations.
  5. Conduct data security and privacy training for employees. Training can prevent security incidents: employees who recognize issues early may head off more serious incidents later.
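The Metro warning in item 1 above turned on a SQL injection finding that an earlier audit had reported and that was never fixed. The following is an added example, not code from the original article or from any PDPC decision: a Python sketch of the flaw beside its fix, plus a regression check a team can keep in its test suite so that a closed audit finding stays closed. The members table, its rows and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample membership table (names and contact details are made up).
MEMBERS = [
    ("Alice Tan", "alice@example.com", "+65 0000 0001"),
    ("Bob Lim", "bob@example.com", "+65 0000 0002"),
    ("Carol Ng", "carol@example.com", "+65 0000 0003"),
]


def build_db():
    """Return an in-memory SQLite database holding the sample members."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def lookup_vulnerable(conn, email):
    """The flaw an audit would flag: untrusted input is spliced into the SQL
    text, so a quote in the input ends the string literal and whatever follows
    is parsed as SQL."""
    sql = "SELECT name, email, phone FROM members WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The fix: a bound parameter. The driver passes the value separately from
    the statement, so quotes and keywords inside it are data, never SQL."""
    sql = "SELECT name, email, phone FROM members WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology payload. Spliced into the vulnerable query the WHERE clause
# becomes   email = 'x' OR '1'='1'   which matches every row in the table.
INJECTION_PAYLOAD = "x' OR '1'='1"


def injection_present(lookup):
    """Regression check for the audit finding: True if the payload returns more
    rows than a lookup for an address that does not exist. Keeping this in the
    test suite means the finding cannot silently reopen after a refactor."""
    conn = build_db()
    baseline = len(lookup(conn, "nobody@example.com"))
    return len(lookup(conn, INJECTION_PAYLOAD)) > baseline


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable query returns:", lookup_vulnerable(conn, INJECTION_PAYLOAD))
    print("parameterized query returns:", lookup_safe(conn, INJECTION_PAYLOAD))
    print("finding open (vulnerable):", injection_present(lookup_vulnerable))
    print("finding open (fixed):     ", injection_present(lookup_safe))
```

The point of `injection_present` is the one the Metro warning makes: an audit finding is only closed when something verifies the fix. Run the check against each query path the audit named, and fail the build if any path still returns extra rows for the payload.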

For good reason, Singapore is one of the most popular locations for multinational companies’ APAC headquarters. With its strong rule of law, Singapore takes enforcement of its laws seriously, and the PDPA is no exception. The rising number of PDPC enforcement actions shows the country’s intention to enforce the PDPA. While the fines levied by the PDPC for non-compliance have been relatively modest, the fines alone do not capture the time and reputational costs of a PDPC investigation. Entities operating in Singapore would be wise to bring their practices into compliance with the PDPA and to follow the PDPC’s actions and public statements.

[1] PricewaterhouseCoopers, The Preferred Asian HQ Location, (January 28, 2015), available at http://www.pwc.com/sg/en/singapore-budget-2015/budget-2015-01.html.

[2] Personal Data Protection Act 2012, Sections 28-30, https://www.pdpc.gov.sg/legislation-and-guidelines/legislation; http://statutes.agc.gov.sg/aol/search/display/view.w3p;ident=566a39d6-31e9-44fa-8bb7-2d5bf3c8389a;page=0;query=DocId%3Aea8b8b45-51b8-48cf-83bf-81d01478e50b%20Depth%3A0%20Status%3Ainforce;rec=0#pr28-he-.

[3] Personal Data Protection Commission, Advisory Guidelines on Enforcement of the Data Protection Provisions, (April 21, 2016), https://www.pdpc.gov.sg/docs/default-source/advisory-guidelines-on-enforcement/advisory-guidelines-on-enforcement-of-dp-provisions-(210416).pdf?sfvrsn=2.

[4] Id. at Section 2.

[5] Id. at Sections 15.3 and 25.

[6]  Government of Singapore, PDPC Takes Action Against 11 Organizations for Breaching Data Protection Obligations, April 21, 2016, https://www.pdpc.gov.sg/docs/default-source/media/media-release-for-dp-enforcement-action-(25-apr-2016)(clean).pdf?sfvrsn=0

[7] Id.

[8] Id.

[9] Section 24 of the PDPA.

[10]  Decision of the Personal Data Protection Commission, K Box Entertainment Group PTE. LTD., Finantech Holdings PTE. LTD., [2016] SGPDPC 1, Section 44 (April 20, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—k-box-entertainment-(210416).pdf?sfvrsn=4.

[11] Id. at Section 2.

[12] Id. at Section 3.

[13] Id. at Section 30.

[14] Id. at Sections 26 to 29.

[15] Id. at Section 5.

[16] Id. at Section 39.

[17] See Personal Data Protection Commission, list of Data Protection Enforcement Cases, https://www.pdpc.gov.sg/commissions-decisions (last accessed November 18, 2016).

[18]  Id.

[19] See Decision of the Personal Data Protection Commission, Aviva Ltd. and Toh-Shi Printing Singapore Pte. Ltd., [2016] SGPDPC 15, (September 21, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision-aviva-ltd-and-toh-shi-printing-singapore-(210916).pdf?sfvrsn=0; Decision of the Personal Data Protection Commission, Central Depository (PTE) Limited and Toh-Shi Printing Singapore Pte. Ltd., [2016] SGPDPC 11, (July 21, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—toh-shi-(210716).pdf?sfvrsn=4.

[20] [2016] SGPDPC 15 at Section 4; [2016] SGPDPC 11 at Section 3.

[21] [2016] SGPDPC 15 at Section 8; [2016] SGPDPC 11 at Section 7.

[22] [2016] SGPDPC 15 at Section 34.

[23] [2016] SGPDPC 15 at Section 28; [2016] SGPDPC 11 at Section 18.

[24] [2016] SGPDPC 1, at Section 39.

[25] See generally, [2016] SGPDPC 1.

[26] Id. at Sections 9 to 12.

[27] [2016] SGPDPC 15 at Section 4; [2016] SGPDPC 11 at Section 3.

[28] See [2016] SGPDPC 1 at Section 12; see also [2016] SGPDPC 15 at Section 27 and [2016] SGPDPC 11 at Section 17.

[29] [2016] SGPDPC 15 at Section 38.

[30]  See Singapore Government Directory for a list of Personal Data Protection Commission employees, https://www.gov.sg/sgdi/ministries/mci/statutory-boards/imda/departments/pdpc (last accessed November 18, 2016).

[31] Of the 18 individuals listed on the Singapore Government Directory, we found 13 of the individuals on LinkedIn. The information was based on a review of their LinkedIn profiles on November 18, 2016.

[32] See Personal Data Protection Commission list of Data Protection Enforcement Cases at https://www.pdpc.gov.sg/commissions-decisions  (last accessed November 18, 2016).

[33] Personal Data Protection Commission, Advisory Guidelines on Key Concepts in the Personal Data Protection Act (July 15, 2016), https://www.pdpc.gov.sg/docs/default-source/advisory-guidelines/advisory-guidelines-on-key-concepts-in-the-pdpa-(15july16).pdf?sfvrsn=2.

[34] Id. at Section 17.

[35] Decision of the Personal Data Protection Commission, Metro Pte Ltd., [2016] SGPDPC 7, (April 20, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—metro-(210416).pdf?sfvrsn=2.

[36] In a recent enforcement action, the PDPC cautioned against relying solely on the common MD5 hash to protect stored passwords (MD5 is a hash function, not encryption); see Decision of the Personal Data Protection Commission, Fei Fah Medical Manufacturing Pte Ltd., [2016] SGPDPC 3, (April 20, 2016), https://www.pdpc.gov.sg/docs/default-source/enforcement-data-protection-cases/grounds-of-decision—fei-fah-medical-manufacturing-(210416).pdf?sfvrsn=2.
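Footnote 36 is the one place where the enforcement decisions discussed above touch a specific cryptographic choice. The following added example (not from the article or from the Fei Fah decision) shows concretely why a bare MD5 digest does not protect a stored password, and what a reasonable arrangement looks like: a random salt per user and a deliberately slow key-derivation function, here PBKDF2-HMAC-SHA256 from Python’s standard library. The wordlist, the sample password and the iteration count are constructed assumptions for the example; a production iteration count should follow current guidance rather than the figure used here.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the leaked-password lists attackers use.
WORDLIST = ["123456", "password", "qwerty", "Password123", "letmein", "singapore"]

# Assumed work factor for this example only; deployments should use the highest
# count their login latency budget allows, per current guidance.
PBKDF2_ITERATIONS = 200_000


def md5_store(password):
    """The weak scheme: one unsalted MD5 digest. Equal passwords give equal
    digests, and MD5 is so fast that a table of digests for a wordlist can be
    built once and reused against every user in a leaked database."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_crack(stored_digest, wordlist):
    """Offline dictionary attack: precompute the digest of each candidate and
    look the stolen digest up. Returns the recovered password or None."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(stored_digest)


def pbkdf2_store(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """The reasonable scheme: 16 random salt bytes per user and a slow KDF.
    Returns a self-describing record so the parameters can be raised later
    without invalidating existing records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def pbkdf2_verify(password, record):
    """Re-derive with the stored salt and iteration count; compare in constant
    time so the check does not leak how many bytes matched."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def pbkdf2_crack(record, wordlist):
    """The same dictionary attack against a salted record. Nothing can be
    precomputed: every candidate must be re-derived with this user's salt at
    the full work factor, and a table built for one user helps with no other."""
    for w in wordlist:
        if pbkdf2_verify(w, record):
            return w
    return None


if __name__ == "__main__":
    pw = "Password123"  # constructed sample password
    weak = md5_store(pw)
    print("MD5 record:", weak, "-> cracked:", md5_crack(weak, WORDLIST))
    strong = pbkdf2_store(pw)
    print("PBKDF2 record:", strong)
    print("verify correct:", pbkdf2_verify(pw, strong),
          "verify wrong:", pbkdf2_verify("hunter2", strong))
    print("PBKDF2 record still cracked by dictionary:", pbkdf2_crack(strong, WORDLIST))
```

Note what the salted, iterated record does and does not buy. `pbkdf2_crack` still recovers the sample password, because the password is in the wordlist; the KDF only makes each guess cost hundreds of thousands of hash operations per user instead of a table lookup shared across all users. That is exactly why the K-Box decision pairs the password storage question with a password policy: the KDF slows the attacker down, while the policy keeps the password out of the wordlist in the first place.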

[37] Id.

[38] Zetoony, David, Data Privacy and Security: A Practical Guide for In-House Counsel, Pg. 2-3, May 2016.

Practical Data Security Takeaways from Australia’s Recent Privacy Determination

The Privacy Act of 1988 (Privacy Act), which includes the 13 Australian Privacy Principles (APPs), is Australia’s federal law regulating the collection, use, and disclosure of personal information. Recently, the Office of the Australian Information Commissioner (OAIC) has stepped up its enforcement of the Privacy Act. This article reviews OAIC’s recent privacy determinations and discusses practical data security related takeaways that can help companies ensure compliance. …

Data Breach Notification In the EU: A Comparison of US and Soon-To-Be EU Law

In the United States, Congress has repeatedly attempted, but failed, to agree on federal data breach notification legislation. As a result, there is no single federal statute that imposes a breach notification obligation on most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach. The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states. …

Data Protection Officers: A Comparison of US Law, EU Law, and Soon-to-be-EU Law

Although organizations in the United States have dealt with privacy issues for years, only in the past decade have they begun to view the complexities of privacy as requiring formal organizational structure and, in some cases, one, or more, dedicated employees. While in some organizations “data privacy” and “data security” falls within the ambit of the legal department, other organizations have created offices that are focused solely on privacy issues. There is little commonality in how these offices are staffed, funded, or organized. For example, while some organizations have “Chief Privacy Officers” or “Chief Information Technology Officers” that report directly to senior management, other organizations have privacy officers that report through a General Counsel or to a Chief Compliance Officer. …

Collecting Information From Children In The EU: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States, there are relatively few restrictions on collecting information from children off-line. Efforts to collect information from children over the internet, however, are regulated by the Children’s Online Privacy Protection Act (“COPPA”). Among other things, COPPA requires that a website obtain parental consent prior to collecting information from children under the age of 13, that a website post a specific form of privacy policy that complies with the statute, that a company safeguard the information that is received from a child, and that a company give parents certain rights, like the ability to review and delete their child’s information. COPPA also prohibits companies from requiring that children provide personal information in order to participate in activities, such as on-line games or sweepstakes. …

Privacy Certifications and Trustbrands In the EU: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States, privacy certifications, or “trustbrands,” are seals licensed by organizations to place on their homepage or within their privacy policy. The seals typically state, or imply, that the organization has high privacy or security standards, or has had its privacy or security practices reviewed by a third party. Some seals also imply that the organization has agreed to join a self-regulatory program that may provide consumers with additional rights, such as a mechanism for resolving privacy-related disputes. Certifications or trustbrands, however, are voluntary in nature, and, for the most part are not offered by government agencies and companies are not required to obtain them. …

EU Binding Corporate Rules For Transferring Data: A Comparison of US Law, EU Law, and Soon-To-Be EU Law

In the United States companies are permitted to transfer personal information – including sensitive personal information – as needed between their offices, locations, and corporate affiliates. For example, there are no restrictions that prevent a company from sending personal information collected within the US to a company data center located outside of the US. In the European Union, the EU Data Protection Directive 95/46/EC (the “Directive”) creates a legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. …

Should Hotels, Restaurants, Bars, and Shopping Centers Stop Offering Open WiFi Connections?

The answer in Germany is “yes.” To understand why, you have to understand the principle of “co-liability” or Störerhaftung. Under the principle of co-liability, operators of an open WiFi network can be held liable for the legal infringements of the users of their networks. This means that if someone uses your company’s free WiFi network to illegally download music, your company could be sent a warning (or could be subject to liability) for permitting the use.

The European Court of Justice recently addressed this issue in a case that dealt with the applicability of the E-Privacy Directive to private operators of internet connections. The case was referred to the European Court of Justice by the Regional Court of Munich, and involved a warning letter that had been sent by Sony Music Group to the operator of a business that offered free WiFi in its sales areas. According to Sony, a guest had allegedly used the free WiFi connection to illegally download music. …

A Side-By-Side Comparison of “Privacy Shield” and the Controller-Processor Model Clauses

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed, and traditionally the EU does not consider the laws of the United States “adequate” unless a company (1) enters into EU Commission pre-approved model contractual clauses with the data recipient, (2) sends data to a corporate affiliate in the US that is within the scope of “Binding Corporate Rules,” or (3) has joined the EU-US Safe Harbor Framework.

Most data processors (e.g., service providers) that were based in the US complied with the Directive by entering the pre-approved controller-processor model clause or the EU-US Safe Harbor Framework. In October of 2015, the EU-US Safe Harbor Framework was invalidated by the European Court of Justice. As a result, many of the companies that had relied upon the Safe Harbor switched to the controller-processor model clauses; the use of those clauses became far and away the most popular way to comply with the Directive.

On July 12, 2016, the EU formally approved a new mechanism for transferring data to the United States called the “Privacy Shield.” Although you can find a full discussion of the history and implementation of Privacy Shield here, the best way for a company to understand Privacy Shield (and decide whether it wants to use it going forward) is to do a side-by-side comparison of the Privacy Shield against the mechanism that it currently uses, used, or is considering. Our series of side-by-side comparisons started with a Privacy Shield/Safe Harbor comparison published here.

Click here to view the side-by-side comparison of the Privacy Shield and the Controller-Processor Model Clauses.


A Side-by-Side Comparison of “Privacy Shield” and the “Safe Harbor”

More than 5,000 companies had taken advantage of the now defunct U.S.-EU Safe Harbor Framework. Those companies are now considering whether to join the newly approved “Privacy Shield,” and are trying to understand the difference between the old and new framework. As they do, these companies are faced with many questions: How does the Privacy Shield differ from Safe Harbor? Can you rely on the Model Clauses? Or would it make more sense to join the Privacy Shield? If so, what do you need to do to join?

To supplement our earlier publication, we have prepared a side-by-side comparison of the invalidated Safe Harbor and the new Privacy Shield. Over the next week, we will be publishing similar comparisons between Privacy Shield and other adequacy methods including the model controller-controller clauses and the model controller-processor clauses. If you would like to receive those comparisons, please register at www.bryancavedatamatters.com.

Click here to view the side-by-side comparison of the Safe Harbor and the Privacy Shield.


Privacy Shield Finalized – How Everyone Can Take Advantage of the New European Data Transfer Framework

Background

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU Member State.  The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed.  Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection.  As a result, if a company intended to transfer personal data from the EU to the U.S., it traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules….


How to Prepare for the General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (the “GDPR”) was adopted by the EU Parliament on April 14, 2016. The GDPR will replace the EU Data Protection Directive (95/46/EC), which was adopted more than 20 years ago. After a two-year transition period to integrate the new obligations, the GDPR will be directly applicable in all EU Member States from May 2018.

The GDPR’s aim is to unify data protection law within the European Union and increase data subjects’ rights (I). This involves strengthened obligations for companies in terms of compliance (II), as well as extended powers of Data Protection Authorities (“DPA”) (III)….

Privacy Shield Released – How Employers Can Take Advantage of the New European Data Transfer Framework (2016)

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed. Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, if a company or employer intended to transfer personal data from the EU into the U.S., they traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules….


What You Need to Know About the New General Data Protection Regulation (GDPR) (2016)

The EU Parliament Committee on Civil Liberties, Justice, and Home Affairs (“LIBE”) finally released the text of the long anticipated new data protection law. While the law has not formally been enacted, its adoption at this point is considered pro forma. Once adopted, its provisions will go into effect in spring of 2018. The hope, and expectation, is that the GDPR will cause the EU to have a much more harmonized approach to data protection.

Here is what companies doing business in the EU need to know about the new General Data Protection Regulation (GDPR or Regulation)….


How to Obtain EU Binding Corporate Rules (BCR) Approval (2016)

The following provides background concerning the procedure for obtaining approval of Binding Corporate Rules (“BCR”). BCRs are internal privacy rules and standards that allow multinational groups of companies to transfer personal data within their group of companies, including to corporate affiliates outside of the EU. In order to obtain approval of a BCR, a company’s privacy policy has to demonstrate that it ensures an adequate level of data protection and the respective safeguards required under EU law. BCRs are an internal tool only and do not allow for any data transfers outside of the corporate group…

Privacy Shield: Safe Harbor 2.0? (2016)

As negotiators for the US Department of Commerce (“DOC”), Federal Trade Commission (“FTC”), and the European Commission move toward an agreement intended to allow continued US-EU data transfers, a closer look at the history of “Safe Harbor” and the proposed “Privacy Shield” framework leaves some questions unanswered.

Safe Harbor Invalidation
Under EU Data Protection Directive 95/46/EC (the “Directive”), personal data controlled in the EU may be transferred to countries outside the EU only when an “adequate level of protection” is guaranteed. From 2000 to 2015, thousands of companies achieved this adequacy status through the US-EU “Safe Harbor” framework, an annual self-certification process approved by the European Commission and made available to US companies subject to the jurisdiction of the FTC or the Department of Transportation…

How to Use the EU Model Clauses (2016)

The EU Commission has created model contracts for data transfers (the “Model Contracts”) and determined that organizations which use the Model Contracts offer sufficient safeguards for cross-border data transfer as required by the Directive.

The EU Commission has issued three Model Contracts: two for transfers from data controllers to data controllers established outside the EU, and one for transfers to a data processor outside the EU.[1] Once a company decides to use the model clauses, three steps must be followed in order to put those clauses into place so that they can support the transfer of information out of the EU. The following provides a high-level overview of how to implement a Model Contract…


Rules on Monitoring an Employee’s Private Internet Use at Work: A New ECHR Decision

In a decision rendered on January 12, 2016, the European Court of Human Rights (“ECHR”) held that the dismissal of an employee for having used a work-related Yahoo Messenger account for personal purposes during working hours did not violate Article 8 of the European Convention on Human Rights.[1]

The applicant, a Romanian national, was employed by a private company from 2004 to 2007 as an engineer in charge of sales. At the employer’s request, he created a Yahoo Messenger account to respond to client enquiries. In July 2007, the employee was informed by his employer that his Yahoo Messenger account had been monitored for a week and that the records showed he had used the account for personal purposes, whereas the company’s internal regulations expressly prohibited the use of company devices (e.g., computers, telephones) for personal purposes….

Understanding EU-US Safe Harbor Framework and Its Validity (2016)

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection. …

Webinar: Life After the Safe Harbor Under the “Privacy Shield”

March 3, 2016 at 12 p.m. EST

Companies of all types were caught off guard when the EU-U.S. Safe Harbor data transfer framework was invalidated in October 2015. In the months following the invalidation, many companies anxiously awaited a replacement for the original Safe Harbor framework. That replacement has now been announced in the form of the newly-negotiated “Privacy Shield” framework. Join Jana Fuchs and Jason Haislmaier as they discuss the details of the Privacy Shield framework, provide an update on the current status and timeline for the formal adoption of the Privacy Shield, and provide strategies for compliance in EU-U.S. cross border data transfers both now and following adoption of the Privacy Shield. Click here for more information or to register.

We are presenting this audio web cast through Celesq® Attorneys Ed Center in partnership with West LegalEdcenter.

Asia and Data Protection: At A Glance (2015)

Europe has had data protection laws in place for over a decade. In Asia, many countries have historically relied on constitutional law or sector-based rules to protect personal data and, until recently, only a few countries had any form of consolidated data protection legislation…

Safe Harbor No More: What this means for Asian Companies

Last month, in the Schrems case (Case C-362/14), the Court of Justice of the European Union (CJEU) ruled the Safe Harbor Framework invalid. While Asian companies may assume that they need not be concerned with the CJEU’s decision because it concerns the export of personal data to the US, the decision may have wider ramifications, both for the methods used by companies in the EU to export data to Asian countries and for the export of data by Asian companies to the US. . .

Advisory Board Calls for EU-US Safe Harbour Grace Period

The Article 29 Working Party — an independent data protection advisory board for the EU composed of representatives from the Member States — urgently called on the Member States to open discussions with US authorities in order to find legal and technical solutions that would replace the now-defunct EU-US Safe Harbour framework…

The Privacy Implications of Whistleblowing in the EU

Whistleblowing schemes were introduced in the EU as a result of the Sarbanes-Oxley Act (“SOX”), adopted by the US Congress in 2002 following various corporate financial scandals. SOX requires US companies and their EU-based subsidiaries to establish “procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters [and] the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.”[1] The implementation of whistleblowing schemes will, in most cases, lead to the collection, processing and transfer of personal data (e.g., the name of the accused person), which raises data privacy concerns . . .


The (ex) EU-US Safe Harbor At A Glance (2015)

On Tuesday, October 6, 2015, the European Court of Justice decided that the EU/US Safe Harbor regime for data transfers is no longer… safe. Until now, companies exchanging data between the EU and the US could rely on the Safe Harbor regime, but with this decision that is no longer an option. Companies currently relying on Safe Harbor are scrambling to find alternative compliance strategies . . .

Progress on EU Data Protection Reform At A Glance (2015)

A timeline has been established in the EU for reconciling the different versions of the draft data protection regulation. If it is followed, the EU’s new regulation should come into force in 2018 . . .

Russia Data Localization Requirements At A Glance (2015)

Russian Law No. 242, enacted on July 21, 2014, creates new requirements that data operators must store the personal data of Russian citizens on servers located in Russia. The law, which is effective as of September 1, 2015, has raised numerous questions from the business community. This information sheet discusses the practical aspects of the law . . .

US/EU Data Transfers: Informational Article (2015)

Difficulties often arise in transferring data from the ‘safe’ EU to the ‘unsafe’ US. Difficulties also exist with requests by US law enforcement authorities for access to such data, which is often not permitted under EU law. The following article, originally published in the Data Protection Law & Policy Journal, discusses these issues . . .

Appointing your company’s DPO in Germany At A Glance (2015)


Under German law, most companies are required to appoint a data protection official (DPO) within one month of beginning business operations. The appointed DPO must be adequately qualified, and the required qualifications generally depend on the scope of the data processed and the industry in which the business operates . . .

EU Binding Corporate Rules At A Glance (2015)


The EU Directive creates the legal framework for the national data protection laws in each EU member state. The EU Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. The laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, if a company intends to transfer personal information into the United States, it must take one of the following steps to achieve the “adequacy” status required by the Directive. Binding Corporate Rules . . .

German Data Protection Law At A Glance (2015)


The main criterion in determining whether German law applies is whether a data controlling company is legally established in Germany, or is established outside the EU but uses equipment located in Germany for data processing. This information sheet provides an overview of the requirements of Germany’s data protection law . . .

The EU Model Contracts At A Glance (2015)

The EU Data Protection Directive creates the legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. The EU Model Contracts . . .

Usage of US/EU Safe Harbor At A Glance (2015)


Companies completing the Safe Harbor process must make several decisions. For example, they must decide whether to have an independent third party verify their compliance with the Safe Harbor framework, whether to retain an arbitration group to adjudicate complaints about their privacy practices, and what data they wish to include within their certification. The following provides background and benchmarking concerning the types of companies that utilize . . .

The US/EU Safe Harbor At A Glance (2015)


The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. Few exemptions apply, in particular where the data subject has given explicit consent or in certain direct business dealings. The laws of the United States are not considered by the European Union as providing an adequate level of data protection. . .

Australian Data Privacy Principles (2014)


On 12 March 2014, significant amendments to the Australian Privacy Act 1988 (Privacy Act) became effective. What has emerged is one overarching set of 13 Australian Privacy Principles (APPs), which apply to any business with an annual turnover of more than AUD 3 million (US$2.7 million) . . .