An Arsenal of Data Protection and Cybersecurity rules from the European Union


SEPTEMBER

The EU has recently adopted three key instruments relating to data protection and cybersecurity: (a) the EU General Data Protection Regulation (the GDPR); (b) the EU-US Privacy Shield; and (c) the Directive on Security of Network and Information Systems (the NIS Directive).

The GDPR is the new EU data protection framework covering the processing of personal data by organisations within and outside the EU. The EU-US Privacy Shield is a framework facilitating data flows between the EU and the US; US organisations that wish to come under its umbrella must adhere to a set of protective principles. The NIS Directive seeks to boost cybersecurity within the EU and imposes obligations on operators of essential services, digital service providers and Member States. This Update takes a look at some of the key features of these instruments.

The GDPR

What is the GDPR?

The GDPR is the new data protection framework which will replace the existing Data Protection Directive 95/46/EC (the Existing Directive). As it takes the form of a regulation rather than a directive, the GDPR will be directly applicable in all Member States without the need for implementing national legislation.

The GDPR is intended to:
(a) enhance data protection rights for individuals;
(b) improve business opportunities by facilitating the free flow of personal data in a digital single market; and
(c) provide a comprehensive and coherent data protection framework in the EU.

When does the GDPR come into force?

The GDPR comes into force on 25 May.

Who is affected by the GDPR?

The GDPR applies to:
(a) all organisations established within the EU which process personal data, whether as controller or processor and regardless of whether the processing takes place within the EU; and
(b) all organisations outside the EU, whether controller or processor, which offer goods or services to data subjects who are in the EU and process their personal data. The test is whether the individual is in the EU, not whether he or she is an EU citizen.

For the purpose of paragraph (b), an organisation offers goods or services to data subjects in the EU if it is apparent that the controller or processor envisages offering goods or services to data subjects in one or more Member States. Mere accessibility from within the EU of the organisation's website, email address or other contact details is not of itself determinative. The intention to offer goods or services in the EU may be evidenced by the use of the language or currency of one or more Member States together with the possibility of ordering goods or services in that language or currency. This means that a company established outside the EU which targets customers within the EU will be subject to the requirements of the GDPR.

What kind of information does the GDPR cover?

(a) The GDPR applies to personal data, defined as any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(b) Special categories of personal data: the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, is prohibited unless the processing falls within one of the exceptions provided for in the GDPR (for example, where the data subject has given explicit consent). This continues the approach of the Existing Directive; genetic data and biometric data are new additions to the list.

What kind of activities are covered under the GDPR?

(a) The GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
(b) Processing means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(c) A filing system is any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

What are the key areas of concern for organisations under the GDPR?

Expanded territorial reach

The GDPR will apply to data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (regardless of whether payment is required) to data subjects in the EU, or to the monitoring of the behaviour of data subjects in so far as that behaviour takes place within the EU. Such organisations will generally also need to designate a representative in the EU.

Accountability of data controllers

(a) The GDPR places accountability obligations on data controllers to demonstrate compliance with the GDPR.
(b) This includes requiring them to: (i) maintain certain documentation, including records of processing activities under their responsibility; (ii) conduct a data protection impact assessment for higher-risk processing (e.g. where a new technology is used to carry out the processing); and (iii) implement data protection by design and by default (e.g. data minimisation), taking into account factors such as the cost of implementation and the nature, scope, context and purposes of the processing.

Data Protection Officers

(a) In certain circumstances, data controllers and processors must designate a data protection officer (DPO) as part of their accountability programme, including where:
(1) the processing is carried out by a public authority;
(2) the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale; or
(3) the core activities consist of processing special categories of data on a large scale.
(b) The GDPR states that the core activities of a controller relate to its primary activities and do not include the processing of personal data as an ancillary activity.
(c) A DPO must have sufficient expert knowledge; the level of knowledge required will depend on the processing activities for which the DPO is responsible. The DPO must be in a position to perform his or her duties and tasks in an independent manner.

(d) A group of companies may appoint a single DPO, provided that the DPO is easily accessible from each establishment.

Data processors

(a) Data controllers may only use processors which provide sufficient guarantees to implement appropriate technical and organisational measures such that the processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
(b) Processing carried out by a processor must be governed by a contract between the controller and the processor setting out:
(1) the subject matter and duration of the processing;
(2) the nature and purpose of the processing;
(3) the type of personal data;
(4) the categories of data subjects; and
(5) the obligations and rights of the controller.
(c) In addition, processors are now directly required to maintain a written record of the processing activities carried out on behalf of each controller, to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, and to notify the controller without undue delay on becoming aware of a personal data breach. A processor may engage a further processor only with the controller's prior authorisation.

For more information on the terms which the contract between processor and controller should contain, please see Article 28 of the GDPR.

Fair processing notices

(a) Data controllers must continue to provide transparent information to data subjects, and must do so at the time the personal data is collected from them.

(b) The GDPR requires more extensive information to be provided to data subjects than the Existing Directive, including:
(1) the identity and contact details of the controller (or of its representative, for a controller not established in the EU);
(2) the contact details of the DPO;
(3) the purposes of the processing and the legal basis for it;
(4) the recipients, or categories of recipients, of the personal data;
(5) details of any transfer of the data outside the EU, including (i) how the data will be protected (e.g. the recipient is in a country with an adequacy decision, or Binding Corporate Rules (BCRs) are in place) and (ii) how the individual can obtain a copy of the BCRs or other safeguards, or where such safeguards have been made available;
(6) the retention period for the data or, if that is not possible, the criteria used to determine it;
(7) that the individual has the right to access and port his or her data, to rectify, erase and restrict the processing of his or her personal data, to object to processing and, where processing is based on consent, to withdraw that consent;
(8) that the individual can complain to a supervisory authority;
(9) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failing to provide it; and
(10) the existence of automated decision-making (if any) and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

(c) If the controller later processes the personal data for a new purpose not covered by the initial notice, the controller must provide a new notice covering the new processing.
(d) Note the emphasis on providing this information in a concise, transparent and easily accessible way, using clear and plain language.

Personal data breach notification

(a) Data controllers are now required to notify personal data breaches to the relevant data protection authority unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
(b) Notification must be made without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of the breach; a notification made after 72 hours must be accompanied by the reasons for the delay. The notification must contain certain information, including the nature of the breach, the categories and approximate number of data subjects and personal data records concerned, and the likely consequences of the breach. In practice, the 72-hour clock runs from awareness, so an organisation's incident response process must be able to detect, triage and escalate a suspected breach quickly enough for the controller to make a reasoned notification within that window.
(c) Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate the breach to the affected data subjects without undue delay.
(d) The controller is also required to document every personal data breach, recording the facts relating to the breach, its effects and the remedial action taken, whether or not it is notified.
(e) A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
(f) Failure by a data controller to meet these requirements may result in an administrative fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

Tiered penalties for breach of the GDPR

(a) The GDPR establishes a tiered approach to penalties which enables data protection authorities to impose fines for some infringements of up to the higher of 4% of annual worldwide turnover and EUR 20,000,000 (e.g. breach of the requirements relating to international transfers, or of the basic principles for processing, such as the conditions for consent).
(b) Other infringements of the GDPR attract a fine of up to the higher of 2% of annual worldwide turnover and EUR 10,000,000.
(c) The factors to be considered by data protection authorities when imposing such administrative fines are set out in the GDPR and include:
(1) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(2) the intentional or negligent character of the infringement; and
(3) any action taken by the controller or processor to mitigate the damage suffered by data subjects.

No notification or approval needed generally

(a) Data controllers will generally no longer need to notify or seek approval from data protection authorities before processing.
(b) Instead, the GDPR requires data controllers to put in place effective procedures and mechanisms, and to carry out their own data protection impact assessments, to assess the likelihood and severity of the risks involved in the processing they intend to carry out.

Data Protection Impact Assessments

(a) Where so-called high-risk processing takes place (e.g. monitoring activities, systematic evaluations or the processing of special categories of data), the data controller should undertake and document a detailed data protection impact assessment (DPIA).
(b) Where a DPIA concludes that the processing would result in a high risk which the controller cannot adequately mitigate, the controller must consult the data protection authority before processing and obtain its view on the adequacy of the measures the controller proposes to reduce the risks.

International transfers of personal data

(a) Transfers of personal data to so-called third countries (i.e., countries outside the EEA) will continue to be restricted under the GDPR.
(b) Under the GDPR, a transfer of personal data to a third country can take place only where (i) the European Commission has decided that the third country provides an adequate level of protection for the transferred data or (ii) appropriate safeguards have been put in place by the data controller or data processor (e.g., BCRs, standard data protection clauses or approved codes of conduct), subject to a limited set of derogations for specific situations.
(c) Prior or specific authorisation by a data protection authority is not required for a transfer made in the circumstances set out in paragraph (b).

Expanded scope of rights for individuals

The GDPR enshrines a wide range of existing and new rights for individuals in respect of their personal data, including the right to be forgotten, the right to have one's personal data ported to a new service provider and the right to object to certain processing activities.

Next steps in response to the GDPR

In view of the ever-increasing regulation of data protection and of the collection, use and disclosure of personal data within the EU, organisations which regularly interact with EU organisations, or which have a presence within the EU, should undertake a thorough

review of their data protection processes as well as of any agreements regulating transfers of personal data out of the EU to third countries.

The EU-US Privacy Shield

What is the EU-US Privacy Shield?

(a) The International Safe Harbour Privacy Principles (ISHPP) were developed by the US Department of Commerce in consultation with the European Commission, by reference to the Existing Directive, and were intended to protect the personal data of EU individuals by preventing private organisations within the EU or the US from disclosing or losing the personal information of their customers or of other individuals associated with them.
(b) In 2000, the European Commission decided (the Safe Harbour Decision) that US companies which complied with the ISHPP and self-certified their compliance provided adequate protection, so that personal data could be transferred to them from the EU.
(c) In 2015, the Safe Harbour Decision was challenged by Maximilian Schrems, an Austrian citizen. As a result of this action, the Court of Justice of the European Union declared the Safe Harbour Decision invalid.
(d) The EU-US Privacy Shield is meant to replace the Safe Harbour framework and facilitate data flows between the EU and the US.

When does the EU-US Privacy Shield come into force?

(a) The EU-US Privacy Shield was formally adopted by the European Commission on 12 July 2016.
(b) From 1 August 2016, companies have been able to sign up to the EU-US Privacy Shield with the US Department of Commerce, which verifies that the privacy policies of these companies comply with the data protection standards required under the EU-US Privacy Shield.

Who is affected by the EU-US Privacy Shield?

The EU-US Privacy Shield applies to US companies receiving personal data from the EU.

How does the EU-US Privacy Shield work?

(a) An organisation must self-certify to the US Department of Commerce its adherence to the Principles (as set out in Annex II of the EU-US Privacy Shield adequacy decision).
(b) Organisations that self-certify must comply fully with the Principles. In order to enter the Privacy Shield, an organisation must:
(1) be subject to the investigatory and enforcement powers of the Federal Trade Commission, the Department of Transportation or another statutory body that will effectively ensure compliance with the Principles;
(2) publicly declare its commitment to comply with the Principles; and
(3) fully implement the Principles.
(c) The US Department of Commerce will maintain and regularly update the list of organisations that have self-certified and remain qualified under the EU-US Privacy Shield. Organisations on the list that persistently fail to comply with the Principles will be removed from the list and must return or delete the personal information received under the EU-US Privacy Shield.
(d) Organisations must re-certify annually.

What are the Principles?

Among other things, the Principles require organisations to:
(a) provide individuals with information on the purposes for which the organisation collects, uses and discloses their personal data, and on their rights and remedies in respect of that data;
(b) offer individuals the opportunity to choose whether their personal data may be disclosed to a third party or used for a purpose that is materially different from the purposes for which it was originally collected or subsequently authorised by the individual;

(c) only transfer personal data onward where the organisation has entered into an agreement with the third-party recipient regulating the transfer;
(d) ensure that adequate protection is provided to the personal data it collects; and
(e) implement robust mechanisms for assuring compliance with the Principles and provide recourse for individuals affected by the organisation's non-compliance.

Next steps in response to the EU-US Privacy Shield

Organisations which regularly receive personal data from organisations within the EU may wish to commence the self-certification process in order to enter the EU-US Privacy Shield. This will facilitate the flow of personal data from the EU to the US.

The NIS Directive

What is the NIS Directive?

(a) The NIS Directive seeks to establish a framework of measures to boost the level of cybersecurity in the EU and ensure a high common level of network and information security across the EU.
(b) It does so by requiring Member States to increase their preparedness and improve their cooperation with one another, and by requiring operators of critical infrastructure (such as energy and transport), key providers of information society services (such as e-commerce platforms and social networks) and public administrations to take appropriate steps to manage security risks and to report serious incidents to the national competent authorities.

When will the NIS Directive come into force?

(a) The NIS Directive was adopted by the European Parliament on 6 July 2016.
(b) The Directive entered into force in August 2016.

(c) Member States have 21 months to transpose the NIS Directive into their national laws, and a further 6 months thereafter to identify operators of essential services.

Who is affected by the NIS Directive?

(a) Operators of Essential Services (OES): public or private entities which provide a service essential for the maintenance of critical societal or economic activities (for example in the banking, energy, transport, financial market infrastructure, health, drinking water and digital infrastructure sectors), where the provision of that service depends on network and information systems and an incident affecting those systems would have significant disruptive effects on the provision of the service.
(b) Digital Service Providers (DSP): providers of services such as online marketplaces, online search engines and cloud computing services.
(c) Member States.

What are some of the key obligations of an OES and a DSP under the NIS Directive?

(a) Both types of entity will need to ensure the security of their network and information systems, promote a culture of risk management, and ensure that serious incidents are reported to the national authorities to be established by the Member States.
(b) The key obligations of an OES and a DSP can be summarised as risk management, prevention and notification. An overview of the respective obligations is set out below.

OES Obligations

(a) Risk management: taking appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems which they use in their operations, ensuring a level of security appropriate to the risk posed.

(b) Prevention: taking appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of essential services, with a view to ensuring the continuity of those services.
(c) Notification:
(1) Notifying the competent authority of incidents having a significant impact on the continuity of the essential services they provide, having regard to factors such as the number of users affected by the disruption of the service, the duration of the incident and the geographical spread of the area affected.
(2) The national authority may then provide the notifying operator with relevant information regarding the follow-up of its notification, such as information that could support effective incident handling.
(3) Additionally, the national authority can require an OES to provide (i) the information necessary to assess the security of its network and information systems, including documented security policies, and (ii) evidence of the effective implementation of those policies, such as the results of a security audit carried out by the competent authority or by a qualified auditor; in the latter case, the OES must make the results, including the underlying evidence, available to the competent authority.
(4) The national authority may issue binding instructions to an OES to remedy any deficiencies identified in its systems.

DSP Obligations

(a) Risk management: taking appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems which they use in the context of offering their services within the EU, having regard to the following elements: (1) the security of systems and facilities; (2) incident handling; (3) business continuity management; (4) monitoring, auditing and testing; and (5) compliance with international standards.

(b) Prevention: taking measures to prevent and minimise the impact of incidents affecting the security of their network and information systems on the services they offer within the EU, with a view to ensuring the continuity of those services.
(c) Notification:
(1) Notifying the competent authority without undue delay of any incident having a substantial impact on the provision of the services they offer within the EU, including information to enable the authority to determine any cross-border impact.
(2) In determining whether the impact of an incident is substantial, a DSP should consider the following factors:
a. the number of users affected by the incident, in particular users relying on the service for the provision of their own services;
b. the duration of the incident;
c. the geographical spread of the area affected by the incident;
d. the extent of the disruption of the functioning of the service; and
e. the extent of the impact on economic and societal activities.
(3) Additionally, the competent authority can require a DSP to provide all information necessary to assess the security of its network and information systems, including documented security policies, as well as evidence of the effective implementation of those policies, such as the results of a security audit carried out by the competent authority or by a qualified auditor. If deficiencies are identified, the competent authority may issue binding instructions to remedy them. Unlike OES, DSPs are supervised on an ex post basis: the competent authority takes action where it is provided with evidence that a DSP is not meeting its obligations.

Next steps in response to the NIS Directive

It will take some time for Member States to promulgate the national legislation needed to implement the various mechanisms provided for under the NIS Directive.

However, if it is likely that an organisation would be considered an OES or a DSP under the NIS Directive, it should commence a review of the robustness and security of its network and information systems in preparation for the increased rigour of the NIS Directive.

If you would like information on this or any other area of law, you may wish to contact the partner at WongPartnership that you normally deal with, or contact the following lawyers:

Lam Chung Nian, Head, Intellectual Property, Technology & Media, Telecommunications and Data Protection Practices

Jeffrey Lim, Partner



More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

ATMD Bird & Bird. Singapore Personal Data Protection Policy

ATMD Bird & Bird. Singapore Personal Data Protection Policy ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:

More information

Guidelines on Data Protection. Draft. Version 3.1. Published by

Guidelines on Data Protection. Draft. Version 3.1. Published by Guidelines on Data Protection Draft Version 3.1 Published by National Information Technology Development Agency (NITDA) September 2013 Table of Contents Section One... 2 1.1 Preamble... 2 1.2 Authority...

More information

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS Mr. Ryutaro Hatanaka Commissioner Financial Services Agency Government of Japan 3-2-1 Kasumigaseki Chiyoda-ku, Tokyo Japan 100-8967 Dr. Kunio Chiyoda Chairman Certified Public Accountants and Auditing

More information

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data *) For the purposes of these Corporate Guidelines, Third Countries are all those countries, which do not

More information

New EU Data Protection legislation comes into force today. What does this mean for your business?

New EU Data Protection legislation comes into force today. What does this mean for your business? 24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )

More information

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Comments and proposals on the Chapter IV of the General Data Protection Regulation Comments and proposals on the Chapter IV of the General Data Protection Regulation Ahead of the trialogue negotiations later this month, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy)

PRESIDENT S DECISION No. 40. of 27 August 2013. Regarding Data Protection at the European University Institute. (EUI Data Protection Policy) PRESIDENT S DECISION No. 40 of 27 August 2013 Regarding Data Protection at the European University Institute (EUI Data Protection Policy) THE PRESIDENT OF THE EUROPEAN UNIVERSITY INSTITUTE, Having regard

More information

Data Protection Policy

Data Protection Policy Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's

More information

on the transfer of personal data from the European Union

on the transfer of personal data from the European Union on the transfer of personal data from the European Union BCRsseptembre 2008.doc 1 TABLE OF CONTENTS I. PRELIMINARY REMARKS 3 II. DEFINITIONS 3 III. DELEGATED DATA PROTECTION MANAGER 4 IV. MICHELIN GROUP

More information

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Privacy vs Data Protection PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems Introduction The terms privacy and data protection are often used interchangeable In reality they

More information

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text

More information

Corporate Policy. Data Protection for Data of Customers & Partners.

Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

More information

Data Protection in Ireland

Data Protection in Ireland Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair

More information

AIRBUS GROUP BINDING CORPORATE RULES

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

More information

The supplier shall have appropriate policies and procedures in place to ensure compliance with

The supplier shall have appropriate policies and procedures in place to ensure compliance with Supplier Instructions for Processing of Personal Data 1 PURPOSE SOS International has legal and contractual obligations on the matters of data protection and IT security. As a part of these obligations

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

Data Compliance. And. Your Obligations

Data Compliance. And. Your Obligations Information Booklet Data Compliance And Your Obligations What is Data Protection? It is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection

More information

Data Protection A Guide for Users

Data Protection A Guide for Users Data Protection A Guide for Users EUROPEAN PARLIAMENT Contents Contents 3 Introduction 4 Data protection standards making a difference in the European Parliament 5 Data protection the actors 6 Data protection

More information

Article 29 Working Party Issues Opinion on Cloud Computing

Article 29 Working Party Issues Opinion on Cloud Computing Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,

More information

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES 4 April 2013 James Castro-Edwards Solicitor Monica Salgado Advogada / Portuguese Lawyer OUR TEAM Speechly Bircham is an ambitious, full-service law firm with

More information

A guide for in-house lawyers

A guide for in-house lawyers A guide for in-house lawyers June 2015 The Proposed EU General Data Protection Regulation Index Introduction to the Regulation - 3 Progress of the Regulation - 4 Using this Guide - 5 Conceptual Overview

More information

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation

More information

Corporate ICT & Data Management. Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy 90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control

More information

INTERNATIONAL SOS. Data Protection Policy. Version 1.05

INTERNATIONAL SOS. Data Protection Policy. Version 1.05 INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA

More information

How To Understand The Data Protection Act

How To Understand The Data Protection Act DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and

More information

How To Understand The Privacy Shield

How To Understand The Privacy Shield The Privacy Shield and EU GDP Regulation- A Data Safekeeping Revolution? SCCE Webinar May 24, 2016 Presenter: Dan Cotter dcotter@butlerrubin.com 312-696-4497 Agenda - What is the Privacy Shield - What

More information

Data Protection Policy

Data Protection Policy 1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The

More information

The Impact of EU Data Protection Legislation. Thomas Rivera Hitachi Data Systems

The Impact of EU Data Protection Legislation. Thomas Rivera Hitachi Data Systems Privacy PRESENTATION vs Data TITLE Protection: GOES HERE The Impact of EU Data Protection Legislation Thomas Rivera Hitachi Data Systems SNIA Legal Notice The material contained in this tutorial is copyrighted

More information

Data protection policy

Data protection policy Data protection policy Introduction 1 This document is the data protection policy for the Nursing and Midwifery Council (NMC). 2 The Data Protection Act 1998 (DPA) governs the processing of personal data

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Data Protection Good Practice Note

Data Protection Good Practice Note Data Protection Good Practice Note This explanatory document explains what charities and voluntary organisations need to do to comply with the Data Protection Act 1988 as amended by the Data Protection

More information

Data Protection Policy.

Data Protection Policy. Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data

More information

The eighth data protection principle and international data transfers

The eighth data protection principle and international data transfers Data Protection Act 1998 The eighth data protection principle and international data transfers The Information Commissioner s recommended approach to assessing adequacy including consideration of the issue

More information

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE response regarding the European Commission Public Consultation on Cloud Computing The Council of Bars and Law

More information

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA: UNOFFICIAL TRANSLATION Written opinion on the application of the Wet bescherming persoonsgegevens [Dutch Data Protection Act] in the case of a contract for cloud computing services from an American provider

More information

Personal Data Act (1998:204);

Personal Data Act (1998:204); Personal Data Act (1998:204); issued 29 April 1998. Be it enacted as follows. General provisions Purpose of this Act Section 1 The purpose of this Act is to protect people against the violation of their

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

FRANCE. Chapter XX OVERVIEW

FRANCE. Chapter XX OVERVIEW Chapter XX FRANCE Merav Griguer 1 I OVERVIEW France has an omnibus privacy, data protection and cybersecurity framework law. As a member of the European Union, France has implemented the EU Data Protection

More information

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014 Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware

More information

The primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of.

The primary responsibility for the data processing lies within the Administration Department, which the FINCOP Unit is part of. Opinion on a Notification for Prior Checking received from the Data Protection Officer of the European Training Foundation Regarding the Processing Operations to Manage Calls for Tenders Brussels, 22 April

More information

BCS, The Chartered Institute for IT Consultation Response to:

BCS, The Chartered Institute for IT Consultation Response to: BCS, The Chartered Institute for IT Consultation Response to: A Comprehensive Approach to Personal Data Protection in the European Union Dated: 15 January 2011 BCS The Chartered Institute for IT First

More information

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 EUROPEAN COMMUNITIES (ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES) (PRIVACY AND ELECTRONIC COMMUNICATIONS) REGULATIONS 2011 (Prn. A11/1165) 2 [336] S.I.

More information

Data protection compliance checklist

Data protection compliance checklist Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing

More information

Dublin City University

Dublin City University Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Data Protection Standard

Data Protection Standard Data Protection Standard Processing and Transfer of Personal Data in Aker Solutions (Binding Corporate Rules) Aker Solutions www.akersolutions.com Table of contents 1 Introduction... 3 1.1 Scope... 3 1.2

More information

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person. PART I: INTRODUCTION AND BACKGROUND Purpose This Data Protection Binding Corporate Rules Policy ( Policy ) establishes the approach of Fluor to compliance with European data protection law and specifically

More information

CHAPTER I GENERAL PROVISIONS

CHAPTER I GENERAL PROVISIONS Proposal for a regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data

More information

An overview of UK data protection law

An overview of UK data protection law An overview of UK data protection law Our team Vinod Bange Partner +44 (0)20 7300 4600 v.bange@taylorwessing.com Graham Hann Partner +44 (0)20 7300 4839 g.hann@taylorwessing.com Chris Jeffery Partner +44

More information

COMMISSION STAFF WORKING DOCUMENT. on the existing EU legal framework applicable to lifestyle and wellbeing apps. Accompanying the document

COMMISSION STAFF WORKING DOCUMENT. on the existing EU legal framework applicable to lifestyle and wellbeing apps. Accompanying the document EUROPEAN COMMISSION Brussels, 10.4.2014 SWD(2014) 135 final COMMISSION STAFF WORKING DOCUMENT on the existing EU legal framework applicable to lifestyle and wellbeing apps Accompanying the document GREEN

More information

DATA PROTECTION ACT 1998 COUNCIL POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

DIFC LAW NO. 1 OF 2007

DIFC LAW NO. 1 OF 2007 DATA PROTECTION LAW DIFC LAW NO. 1 OF 2007 Consolidated Version (December 2012) Amended by Data Protection Law Amendment Law DIFC Law No. 5 of 2012 CONTENTS PART 1: GENERAL... 4 1. Title... 4 2. Legislative

More information

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015 Multi-Jurisdictional Study: Cloud Computing Legal Requirements Julien Debussche Associate January 2015 Content 1. General Legal Framework 2. Data Protection Legal Framework 3. Security Requirements 4.

More information

Data Protection Policy

Data Protection Policy Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and

More information

Application of Data Protection Concepts to Cloud Computing

Application of Data Protection Concepts to Cloud Computing Application of Data Protection Concepts to Cloud Computing By Denitza Toptchiyska Abstract: The fast technological development and growing use of cloud computing services require implementation of effective

More information

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN 18 085 048 237. better health cover shouldn t hurt QUEENSLAND COUNTRY HEALTH FUND privacy policy Queensland Country Health Fund Ltd ABN 18 085 048 237 better health cover shouldn t hurt 1 2 contents 1. Introduction 4 2. National Privacy Principles 5 3.

More information

PROTECTION OF PERSONAL INFORMATION BILL

PROTECTION OF PERSONAL INFORMATION BILL REPUBLIC OF SOUTH AFRICA PROTECTION OF PERSONAL INFORMATION BILL (As amended by the Portfolio Committee on Justice and Constitutional Development (National Assembly) after consideration of proposed National

More information

Data protection issues on an EU outsourcing

Data protection issues on an EU outsourcing Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

South East Asia: Data Protection Update

South East Asia: Data Protection Update Data Privacy and Security Team To: Our Clients and Friends September 2013 South East Asia: Data Protection Update Europe has had data protection laws in place for over a decade. Such laws regulate how

More information

The European General Data Protection Regulation. A guide for the insurance industry

The European General Data Protection Regulation. A guide for the insurance industry The European General Data Protection Regulation A guide for the insurance industry IMPORTANT NOTE: This guide is based on the politically agreed compromise text agreed by the European Commission, EU Parliament

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 2 September 2015 Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 We support the efforts of EU legislators to create a harmonised data protection

More information

Binding Corporate Rules Privacy (BCRP) personal Telekom Group rights in the handling of personal data within the Deutsche Telekom Group

Binding Corporate Rules Privacy (BCRP) personal Telekom Group rights in the handling of personal data within the Deutsche Telekom Group Binding Corporate Rules Privacy (BCRP) Binding Corporate corporate Rules rules Privacy for (BCRP) the protection of personal Telekom Group rights in the handling of personal data within the Deutsche Telekom

More information

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:

More information

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data Terms Adopting company an OSRAM associated company in Germany or overseas

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide PRACTICAL LAW MULTI-JURISDICTIONAL GUIDE 2012/13 The law and leading lawyers worldwide Essential legal questions answered in 30 key jurisdictions Analysis of critical legal issues AVAILABLE ONLINE AT WWW.PRACTICALLAW.COM/DATAPROTECTION-MJG

More information

ARTICLE 29 DATA PROTECTION WORKING PARTY

ARTICLE 29 DATA PROTECTION WORKING PARTY ARTICLE 29 DATA PROTECTION WORKING PARTY 00658/13/EN WP 204 Explanatory Document on the Processor Binding Corporate Rules Adopted on 19 April 2013 This Working Party was set up under Article 29 of Directive

More information

Credit Reporting Privacy Policy of Baybrick Pty Ltd

Credit Reporting Privacy Policy of Baybrick Pty Ltd Credit Reporting Privacy Policy of Baybrick Pty Ltd Introduction 1. This Credit Reporting Privacy Policy is the official privacy policy of Baybrick Pty Ltd and its subsidiaries which includes JBS Australia

More information

PRIVACY POLICY Personal information and sensitive information Information we request from you

PRIVACY POLICY Personal information and sensitive information Information we request from you PRIVACY POLICY Business Chicks Pty Ltd A.C.N. 121 566 934 (we, us, our, or Business Chicks) recognises and values the protection of your privacy. We also understand that you want clarity about how we manage

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Prepared By: Malkiat Thiarai Head of Corporate Information Management Date of Publication: 23/01/2013 Version: 5.0 Classification: Not Protectively Marked Page 1 Table of Contents

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

More information

Recommendations for companies planning to use Cloud computing services

Recommendations for companies planning to use Cloud computing services Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

CORK INSTITUTE OF TECHNOLOGY

CORK INSTITUTE OF TECHNOLOGY CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of

More information

University of Limerick Data Protection Compliance Regulations June 2015

University of Limerick Data Protection Compliance Regulations June 2015 University of Limerick Data Protection Compliance Regulations June 2015 1. Purpose of Data Protection Compliance Regulations 1.1 The purpose of these Compliance Regulations is to assist University of Limerick

More information

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES CONTENT 1. WHY A CLOUD COMPUTING GUIDE?... 2 2. WHAT IS CLOUD COMPUTING?... 4 3. WHAT ARE THE ROLES OF THE CLOUD SERVICES

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT

More information