Data and Cyber Laws Up-date 9 July 2015

Transcription

1 Data and Cyber Laws Up-date 9 July 2015 Janine Regan Alexia Zuber Viktoria Protokova Simon Holdsworth charlesrussellspeechlys.com

2 Topics Updates on the key aspects of, and commentary on, the proposed GDPR Potential action against Google in France regarding delistings France's new controversial surveillance law ICO raid on company for breaching PECR ICO review of children's apps and websites Update on Russian internet privacy bill Update to Canada's PIPEDA Amendments to Dutch DPA - breach notification South Korean privacy commissioner requiring companies to undertake privacy assessments 09 July

3 1. Updates on the key aspects of, and commentary on, the proposed GDPR

4 The Regulation Timeframe and Scope Where are we? January 2012 European Commission October 2012 European Parliament June 2015 European Council 09 July

5 The Regulation Timeframe and Scope What next? 24 June 2015 Trialogue Agreement likely (although maybe not officially signed off) by the end of 2015 Entry into force Early 2018 Article 91 Entry into force and application 1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. 2. It shall apply from [two years from the date referred to in paragraph 1]. 09 July

6 Proposed General Data Protection Regulation What are the key aspects of the Council s draft? The Regulation not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects The Regulation will make it easier for data controllers to rely on legitimate business interests as a lawful ground to process personal data where there is a relevant and appropriate connection between the data controller and the data subject Data processing agreements between data controllers and data processors will be required to contain extensive mandatory data protection clauses; for example controllers right to audit its processors and obligations on processors to assist with subject access requests and personal data breaches Member states may provide for additional special conditions for the processing of personal data for specific sectors and for the processing of special categories of data Codes of Conduct and Certifications will be developed to assist data controllers and processors demonstrate their compliance with the Regulation and also as a means to legitimise international data transfers 09 July

7 Proposed General Data Protection Regulation What are the key aspects of the Council s draft? Codes of Conduct and Certifications will be developed to assist data controllers and processors demonstrate their compliance with the Regulation and also as a means to legitimise international data transfers Multinationals will benefit from a one stop shop, where the data protection authority in the member state where the controller or processor has their main establishment will be the lead authority in relation to data processing undertaken by that controller or processor Organisations may, or where required by applicable member state law, appoint a Data Protection Officer Data controllers and processors will be required to maintain a record of all of their data processing activities which must be made available for inspection Serious data breaches must be notified to the DPA, in most cases within 72 hours. Data breaches may also need to be notified to the affected individuals who may have the right to claim compensation The application for Binding Corporate Rules as a means to transfer personal data intragroup will be simplified Fines of up to 2% of annual worldwide turnover of the preceding annual year or EUR 1million may be imposed for non-compliance. DPAs will also have the power to carry out data protection audits 09 July

8 EU General Data Protection Regulation Trilogue negotiations The European Council The European Commission The European Parliament 09 July

9 2. Potential action against Google in France regarding de-listings

10 Potential action against Google in France regarding de-listings French Regulator puts Google on notice Right to be forgotten CJEU ruling of May 2014 Effective de-listings Powers of the CNIL 09 July

11 3. France's new controversial surveillance law

12 France's new controversial surveillance law New surveillance law adopted in France Context Main provisions of the law Important controversy Opinion of the CNIL 09 July

13 4. ICO raid on company for breaching PECR

14 ICO raid on company for breach of PECR Nuisance calls 24 June 2015 Receipt of 7,000 complaints ICO raid on south Manchester call centre and related office believed to contain automatic dialler Suspected of making 100,000 calls a day Mis-sold pensions, pension reviews, PPI, debt management, delayed flight compensation 09 July

15 ICO raid on company for breach of PECR Privacy and Electronic Communications Regulations Privacy regulations in relation to electronic communications Specific rules on: Marketing calls, s, texts and faxes; Cookies (and similar technologies); Keeping communications services secure; Customer privacy as regards traffic and location data, itemised billing, line identification and directory listings 09 July

16 ICO raid on company for breach of PECR Electronic and telephone marketing Section 11(3) DPA 1998: Direct marketing: the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals. PECR cover marketing by phone, fax, or any other type of electronic mail Regulation 21 PECR : direct marketing calls Applies only to unsolicited marketing messages Organisations require consent to send people marketing and the rules on calls are stricter 09 July

17 ICO raid on company for breach of PECR Substantial damage or distress ICO s inspection powers and powers to impose fines under section 55A of the DPA With effect from 6 April 2015, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015 amended section 55A Removed the need to prove substantial damage or substantial distress to take enforcement action in relation to nuisance calls Potential for fine of up to 500, July

18 5. ICO review of children's apps and websites

19 ICO review of children's apps and websites Review of websites and apps used by children Part of an international project to consider privacy concerns around the type of personal information services collect The same approach will be taken by 28 other privacy enforcement authorities from around the world The ICO will look at 50 websites and apps Focus on what information they collect from children, how that is explained, and what parental permission is sought. Combined report in the autumn The ICO will consider action against any website or app that it finds is in breach of the DPA 09 July

20 6. Update on Russian internet privacy bill

21 Russia Data Privacy Bill Right to be forgotten Right to remove links from search results Untrustworthy, in violation of the law, no longer relevant Law takes effect on January 1, 2016 We did not invent the bicycle here parliamentarian Leonid Levin 09 July

22 Russia Data Privacy Bill Right to be forgotten EU Right to be Forgotten - EU Right to be forgotten - Russia Outdated Irrelevant Public interest information can not be removed Justification is required Link to the exact web page has to be provided 2% of worldwide turnover (new Regulation) Untrustworthy In violation of the law No longer relevant (3 years ) Public interest information can be removed No justification to remove data is required No exact link is required EUR 09 July

23 7. Update to Canada's PIPEDA

24 Update to Canada s PIPEDA Digital Privacy Act Key PIPEDA provisions remain unchanged Security breach notification Real risk of significant harm Bodily harm, damage to reputation or relationships, loss of employment, financial loss, identity theft and etc. Sensitivity of data and likelihood Record keeping of all breaches Fine up to CAN USD 09 July

25 8. Amendments to Dutch DPA - breach notification

26 Amendments to Dutch DPA Breach notification and increased fines Dutch Data Protection Act (Wet bescherming persoonsgegevens) Changes likely to come in to force in January July

27 Amendments to Dutch DPA Breach Notification Notification to the DPA of personal data breaches that have or are likely to have serious adverse consequences Notification to affected individuals where breach likely to have negative impact on privacy unless compromised personal data is encrypted or otherwise unintelligible for the unauthorised party Maintenance of record of breaches notified to DPA Issue of data breach notification addressed in contracts with data processors 09 July

28 Amendments to Dutch DPA Increased fines Current fining powers = limited EUR 810, 000 or 10% of annual net turnover EUR 20,250 for non-eu entities processing personal data in the Netherlands without having appointed a local representative. EUR 810,000 personal liability - directors and managers 09 July

29 9. South Korean privacy commissioner requiring companies to undertake privacy assessments

30 South Korean privacy commissioner requiring companies to undertake privacy assessments 15 June 2015 Announcement by the Korean Communications Commission 165 online businesses required to conduct a privacy self-assessment Covers data protection compliance throughout the data processing life cycle. Checklist questions relate to: data collection, data transfer to third parties, data security and destruction of data The businesses have from 15 June 2015 to 31 July 2015 to complete the Assessment. 09 July

31 section 28 of PIPEDA to provide that every organization that knowingly contravenes the new sections of PIPEDA requiring organizations to record and report breaches of security safeguards or obstructs the Commissioner in the investigation of a complaint or in conducting an audit will now be liable for fines of up to $100,000 for indictable offences, or for fines of up to $10,000 for offences punishable on summary conviction. breaches that affect them won t go into force until sometime in the future charlesrussellspeechlys.com