Data Protection & Cyber Security Law Update 1st October 2015




Robert Bond, Partner
Janine Regan, Associate
Viktoria Protokova, Data Protection Executive
charlesrussellspeechlys.com

Brief introduction to Charles Russell Speechlys

- Leading law firm based in London with regional offices within the UK and international offices in Bahrain, Qatar, Geneva, Zurich, Luxembourg and Paris with a strong focus on the Technology, Media and Telecoms (TMT), Financial, Retail & Leisure and Life Science sectors.
- Recognised for our Data experience and advisory services in the latest legal directories Chambers UK and Legal 500 amongst others.
- Our clients range from large listed businesses, to small start-ups, governments, not-for-profit organisations and private individuals.
- We have specialised in data privacy and information security for 36 years.
- Our Data Protection & Information Law team provide a range of expertise on data privacy audit, compliance, risk management, information security and data breaches.

"What I liked was the fact that the team was very willing for us to see itself as an extension of our existing in-house team. I like the way it integrated members sat alongside and guided us. That was what impressed."

Robert Bond, Partner

Robert Bond has over 36 years' experience in advising national and international clients on all of their commercial IP, technology and data protection requirements. He also provides international notarial services and compliance advice. He is a legal expert and author in the fields of e-commerce, computer games, media and publishing, data protection, information security and cyber risks. He is named in the National Law Journal's list of 50 Governance Risk & Compliance Trailblazers, listed in the top 10 in the Who's Who of Information Technology Lawyers 2014 and also in "Best Lawyers in UK 2015".

"He continues to impress year on year. His spark of imagination and ability to grasp the technology is amazing." (Chambers UK, 2014)

Tel: +44 (0)20 7427 6660
robert.bond@crsblaw.com

Janine Regan, Solicitor

Janine has extensive experience advising on and managing global data protection compliance for multinationals in sectors such as financial services, pharmaceutical, technology, marketing and advertising, media and construction. She frequently advises on: notifications/approvals with relevant data protection authorities, drafting and negotiating data protection provisions in outsourcing and data sharing agreements, whistle blower hotlines, trans border data flows, privacy impact assessments, data breaches and subject access requests. She also provides tailored data protection training for clients. Recently, Janine has provided privacy advice on new technologies such as telemetry, wearable devices and big data.

Tel: +44 (0)20 7427 6798
Janine.regan@crsblaw.com

05 October 2015

Viktoria Protokova, Data Protection Executive

Viktoria has experience in advising on and delivering data privacy and information security compliant solutions for clients in a variety of sectors. She frequently advises on registrations with the local data protection authorities, contractual data controller, processor obligations, data breach notifications and data protection and information security requirements for systems, processes and procedures. Before joining Charles Russell Speechlys, Viktoria was part of the core team that implemented the Global Privacy practices in one of the world's largest multinationals in the consumer goods sector. Viktoria speaks five languages (English, Russian, Spanish, Polish and Lithuanian) and is also a certified Privacy Professional for Europe (CIPP/E) and US (CIPP/US).

Tel: +44 (0)20 7427 4513
viktoria.protokova@crsblaw.com

TOPICS

- Is Safe Harbor a safe bet any more?
- Beware asset sales with personal data - no consent may mean no sale
- Global review of child focused websites
- Wyndham case confirms data security is a default not an option
- EDPS Opinion 4/2015 "Towards a new digital ethics"
- Changes to Japanese Data Protection Law
- Update to South Korean Law

1. Is Safe Harbor a safe bet anymore?

Advocate General's Opinion in Case C-362/14: Maximillian Schrems v Data Protection Commissioner

Background

- Data Protection Directive 95/46/EC (the Directive) provides that personal data may only be transferred outside of the European Economic Area if that third country provides an adequate level of protection
- The Directive also provides that the Commission may find that a third country ensures an adequate level of protection
- If the Commission adopts a decision to that effect, the transfers of personal data will be lawful
- Commission Decision 2000/520/EC of 26 July 2000 effected the Safe Harbor scheme

Background

[Diagram: Complaint; Facebook Ireland; EU subscribers' personal data; Facebook US (Safe Harbor)]

What has happened?

- Given such a finding of infringements of the fundamental rights of citizens of the Union the Commission ought to have suspended the application of the decision, even though it is currently conducting negotiations with the United States in order to put an end to the shortcomings found
- The Advocate General indeed observes, that, if the Commission decided to enter into negotiations with the United States, that is because it considered beforehand that the level of protection ensured by that third country, under the safe harbor scheme, was no longer adequate and that the decision adopted in 2000 was no longer adapted to the reality of the situation

What next and what does this mean?

- The judges are deliberating and a judgement will be given on 6 October
- DPAs may enforce Safe Harbor differently
- Companies may need to re-think their internal and external mechanisms for data transfers
- Binding Corporate Rules = more appealing?

2. Beware asset sales

Beware Asset Sale! Germany

- 30 July 2015: Bavarian DPA announced it had fined both seller and purchaser for unlawfully transferring customer data as part of an asset deal
- The DPA said that the transfer of data during an asset deal without customer consent cannot be justified on the grounds of prevailing company interests; and
- That a transfer of data is only valid if customer consent has been obtained or if a corresponding opt-out has been provided

3. Global review of child focused websites

Questions raised

The Global Privacy Enforcement Network (GPEN)

- 67% of sites/apps examined collected children's personal information
- Only 31% of sites/apps had effective controls in place to limit the collection of personal information from children.
- Half of sites/apps shared personal information with third parties
- 22% of sites/apps provided an opportunity for children to give their phone number and 23% of sites/apps allowed them to provide photos or video
- 58% of sites/apps offered children the opportunity to be redirected to a different website
- Only 24% of sites/apps encouraged parental involvement
- 71% of sites/apps did not offer an accessible means for deleting account information.

These are concerning results. The attitude shown by a number of these websites and apps suggested little regard for how anyone's personal information should be handled, let alone that of children. Internationally we saw some websites and apps gathering more information than we felt they needed, and sharing that data with third parties. The most common concern domestically was a lack of information being provided about how their information would be used. We saw generic privacy policies that simply weren't specific enough, and some without any information at all, which isn't good enough. We'll now be writing out to the sites and apps that caused us concern, making clear the changes we expect them to make. We wouldn't rule out enforcement action in this area if required.

4. Wyndham case

Wyndham case confirms data security is a default not an option

- After a series of hacks in 2008 and 2009, FTC investigated Wyndham Worldwide and held it liable to consumers affected by their failure to implement reasonable protections
- Wyndham brought proceedings against the FTC claiming that they had no authority to enforce against Wyndham
- In the Third Circuit decision on 24th August 2015, the federal court reaffirmed the power of FTC to enforce against Wyndham claiming that Wyndham had committed unfair or deceptive acts or practices by failing to implement adequate cybersecurity
- Wyndham's privacy policy stated that it had suitable security in place.

"reaffirms the FTC's authority to hold companies accountable for failing to safeguard consumer data." Edith Ramirez, FTC Chair

5. EDPS Opinion 4/2015

EDPS Opinion 4/2015 "Towards a new digital ethics"

- EDPS calls for Ethics and Dignity in the processing of personal data
- Opinion deals with Big Data, IoT and Connected Autonomous Vehicles and Drones
- Opinion references Art.1, EU Charter of Fundamental Rights: "Human dignity is inviolable. It must be respected and protected"
- EDPS is setting up an Ethics Advisory Group
- NB UN Privacy Advisory Group is discussing same topic in The Hague on 24/25 October 2015 before the International Privacy Commissioners Conference in Amsterdam

6. Changes to Japanese Data Protection Law

AMENDMENTS TO JAPANESE DATA PROTECTION LAWS
Bill to amend the Act on the Protection of Personal Information

The amendment of the act is part of Japan's strategy to make Japan the world's leading IT society, which is a vital part of Japan's industry revitalisation plan.

Amendment: Requirement

- New Data Protection Authority: Establishes Personal Information Protection Committee from 1 January 2016.
- Data Transfers: Transfers abroad possible only if: i) consent is obtained; ii) adequate country and/or iii) transferee applied required measures.
- Extraterritorial application of the law: APPI could apply to companies established outside Japan.
- Expanding definition of personal data: Face recognition data, driver's license numbers, and passport numbers are included in personal data definition.

Amendment: Requirement

- Distinguishing "sensitive information": Race, belief, social status, disease, history, criminal records, facts related to suffering from crime.
- Data anonymisation: Consent is not needed to transfer data if PI is anonymised. Guidelines on data anonymisation will be issued by DPA.
- Other provisions: Small size businesses are now subject to the legal obligations. Provisions are expected to come into force in 2017.

7. Update to South Korean Data Protection Law

AMENDMENTS TO SOUTH KOREAN DATA PROTECTION LAW
INFORMATION PROTECTION ACT (PIPA)

- Perhaps the strictest data protection law in the world
- Very active data protection authority
- Additional amendments came into force on 7 July 2015
- Introduces punitive and statutory damages
- Consumers may claim up to 1700 damages

- Companies are banned from collecting resident registration numbers (RRNs)
- Guidelines for the collection and use of the mobile apps
- PIPA also provides incentives for companies to invest in fighting cyber attacks by reducing corporate tax

charlesrussellspeechlys.com