Global Forum Tokyo EVENT REPORT

Transcription

1 Baker & McKenzie Global Forum 2014 Personal Data Protection: Global personal data risk and management - Trends and perspectives from Asia, Europe, and the US EVENT REPORT Global Forum 2014 MARCH 2014 TOKYO

2 Management of Information is an increasingly important and challenging issue for organizations in a global environment. The opportunities and circumstances for the collection of information, particularly personal information are ever increasing. Today s technology has made it easier for companies to collect, copy, and transfer personal data around the world. At the same time, with the introduction of a wide range of privacy and security laws in a number of jurisdictions, regulations have expanded to virtually all key business jurisdictions, imposing complex and often inconsistent privacy, data retention and data protection standards on multinational companies. Legal and business risks associated with non-compliance have grown significantly, from adverse public relations consequences when breaches occur, to the financial and human resource costs of addressing privacy-related complaints. Baker & McKenzie s 2014 Global Client Forum on Personal Data Protection brought together a panel of senior advisors from the Baker & McKenzie global network, who presented on best practices in data management and how to respond to crisis. The seminar also focused on global and regional data privacy protection, information management and how global organisations globally are being affected by increasing regulation and enforcement through the proliferation of new laws such as the Singapore Personal Data Protection. Key trends in relation to data privacy were discussed: Data and information is becoming borderless, e.g. cloud service. The use of personal information is expanding, e.g. use of big data for marketing. Data privacy laws and regulations are becoming stricter around the world e.g. Harmonization of the Data Protection Regimes in the EU Increased development with legal frameworks for Asia Pacific countries. Level of sanctions for the violation of data protection laws that will be increased substantially in the EU. Rapid developments in IT that have inevitably brought about an increase in risks to data privacy. 1

3 Our panel of leading lawyers discussed the following updates: European Union: Europe is about to change its legal framework on privacy and has been working on this for the past 2 years. In 2012, the Commission proposed a major reform of the EU legal framework on the protection of personal data. The proposed regulation should replace the old directive from 1995 in Europe. The aim was to have the legislation agreed before May 2014, when the assembly (breaks up) and new European Parliament elections are held. However, it is likely that this legislation will be voted in to the European Parliament following the elections. The new proposals will strengthen individual rights and tackle the challenges of globalization and new technologies. The European Commission plans to unify data protection laws within the European Union (EU) with a single law. The end goal is to promote the development of the digital economy to establish confidence which will enable the flow of personal data through strengthening rights and control of data subjects, establishing a more coherent, harmonized legal framework throughout the EU with transition away from mandatory prior notification. Although the Regulation still needs to be finalized, businesses should begin to consider how to prepare for the impact of these changes. Companies are therefore advised to re-visit their compliance programs. 2

4 United States: The US does not have data protection laws and authorities as in the European sense where data protection is regulated. The US also has no transfer specific limitations on international transfers as opposed to the EU who have a restrictive regime for international transfers of personal data. The US does have a real enforcement culture lead by the Federal Trade Commission, State Attorneys general and privacy class action lawsuits. Legislation which currently allows for greater regulation of data are - HITECH for the healthcare sector, Fair Credit Reporting Act for the financial sector and the Children s Online Privacy Protection Act, CAN-SPAM and Restore Online Shopper Confidence Act. Asia Pacific: The Asia-Pacific region has seen the most rapid development in privacy laws in recent times. Companies that operate in the region and collect, store, and use personal information can expect increasing compliance challenges in the face of new and evolving data protection regimes. There is currently an increase in development of legal frameworks for Asia Pacific countries. Thailand: Draft law sent to Parliament in 2012 Malaysia: PDPA 2010 (with effect from 15 November 2013) Taiwan: PDPA 2010 in effect from 1 October 2012 Philippines: Data Privacy Act (August 2012), Cybercrime Prevention Act (September 2012) Singapore: PDPA passed 15 October Sunrise period was until 2/1/2014 and 2/7/20 Hong Kong: Personal data (privacy) Amendment Ordinance (amendments in full effect on 1/4/2013) China: China does not have a unified data protection law. Provisions regulating internet information services New regimes to have cross border transfer restrictions: Singapore, Korea, Taiwan, Philippines, and Malaysia the question is not if you will have a data breach but when? Christoph Rittweger, Munich 3

5 Data breach notification and response plans Companies face the question whether they have an obligation to notify the appropriate data protection authority and/or the affected individuals. Data security breach notification is rapidly becoming a significant compliance risk for global enterprises. A data security breach can disrupt business operations, damage brand reputation and customer relationships, and attract government investigations and class action lawsuits. Data protection regulations continue to develop across the globe Privacy regulation continues to be a fast-paced evolutionary process around the world. It is critical that businesses that operate throughout across borders develop their compliance positions to avoid regulatory investigations, fines, and other sanctions in various jurisdictions. The session focused on global and regional data privacy protection and information management and how organizations globally are being affected by increasing regulation and enforcement through the proliferation of new laws such as the Singapore Personal Data Protection Act (PDPA), EU s General Data Protection Regulation (GDPR) among many others. Furthermore, there was a discussion on the rising impact of global developments to companies such as BYOD, Social Media, Big Data, crisis management and data protection in M&A transactions. Key takeaways from the seminar The flows of data are becoming increasingly borderless, and the laws and regulations to protect data in many jurisdictions are also rapidly evolving, including many new laws in Southeast Asia. However, there is still far from a harmonized approach, which makes it still necessary to look at data protection issues on a country by country basis. There is a lot of anticipation around the new data protection regulations in the EU, and it is worth preparing in advance of their implementation. Data protection laws in the US vary from state to state, with California often having the strictest laws. In corporate transactions, identifying personal data and ensuring that it is transferred compliantly needs to be considered early on in the due diligence process, and is important for both buyers and sellers. Having detailed data protection policies and procedures in place is now essential for companies handling personal data. Having well-considered response plans in place for handling breaches should assist companies to take effective and timely measures to minimize damage and risks, and ensure compliance with data protection laws. 4

6 Forum details The Baker & McKenzie Global Forum 2014 Personal Data Protection: Global personal data risk and management - Trends and perspectives from Asia, Europe, and the US Date Monday, February 17, 2014 Time 2:00pm - 5:30pm Location ANA InterContinental Host Baker & McKenzie (Gaikokuho Joint Enterprise) Baker & McKenzie Speakers Hong Kong Anna Gamvros Singapore Ken Chia Yoshiaki Muto Tel.: anna.gamvros@bakermckenzie.com Tel.: ken.chia@bakermckenzie.com Tel.: yoshiaki.muto@bakermckenzie.com Kensaku Takase Daisuke Tatsuno Akifusa Takada Tel.: kensaku.takase@bakermckenzie.com Tel.: daisuke.tatsuno@bakermckenzie.com Tel.: akifusa.takada@bakermckenzie.com Palo Alto Lothar Determann Paris Yann Padova Senior Counsel Tel.: lothar.determann@bakermckenzie.com Tel.: yann.padova@bakermckenzie.com 5

7 Baker & McKenzie has been global since inception. Being global is part of our DNA. Our difference is the way we think, work and behave we combine an instinctively global perspective with a genuinely multicultural approach, enabled by collaborative relationships and yielding practical, innovative advice. Serving our clients with more than 4,100 lawyers in over 40 countries, we have a deep understanding of the culture of business the world over and are able to bring the talent and experience needed to navigate complexity across practices and borders with ease. Baker & McKenzie (Gaikokuho Joint Enterprise) Ark Hills Sengokuyama Mori Tower 28F Roppongi, Minato-ku , Japan marketing.tokyo@bakermckenzie.com 2014 Baker & McKenzie. All rights reserved. Baker & McKenzie International is a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a partner means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an office means an office of any such law firm. This may qualify as Attorney Advertising requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.