data protection masterclass vi: global privacy

©2012 Morrison & Foerster LLP | All Rights Reserved | mofo.com Data Protection Masterclass VI: Global Privacy May 24, 2012 Ann Bevitt Karin Retzer Miriam Wugmeister



Page 1: Data Protection Masterclass VI: Global Privacy


Data Protection Masterclass VI: Global Privacy

May 24, 2012

Ann Bevitt, Karin Retzer, Miriam Wugmeister

Page 2: Data Protection Masterclass VI: Global Privacy

This is MoFo.

Data Protection Laws in Europe

30 Member States of the European Economic Area

Azerbaijan

Belarus

Bosnia & Herzegovina

Channel Islands

Croatia

Isle of Man

Russia

Serbia

Switzerland

Ukraine

Page 3: Data Protection Masterclass VI: Global Privacy


And elsewhere …

North America: Canada, Mexico, United States

Central & South America: Argentina, Brazil (Pending), Chile, Colombia, Costa Rica, Ecuador (Pending), Paraguay (Limited), Peru, Uruguay

Middle East: Israel, UAE (DIFC), Qatar (Financial Center only)

Africa: Angola, Morocco, South Africa (Pending), Tunisia

Asia-Pacific Rim: Australia, China (Limited), Hong Kong, India, Japan, Macao, Malaysia, New Zealand, Philippines (Pending), Singapore (Pending), South Korea, Taiwan, Thailand (Pending), Vietnam (Limited)

Page 4: Data Protection Masterclass VI: Global Privacy


Common Elements in Privacy Laws

Notice

Choice

Access

Security

Audit and Enforcement

Agreements with Third Parties

Cross-border transfers

Page 5: Data Protection Masterclass VI: Global Privacy


Australia

Omnibus law regulates the collection, use, and disclosure of personal data by the private sector

An organization may transfer personal data to a recipient in a foreign country only if it is subject to a “substantially similar” privacy regime. Organizations must determine for themselves what constitutes “substantially similar”

• Administrative penalties and private right of action possible

• No limits on damages

Page 6: Data Protection Masterclass VI: Global Privacy


Australia (cont’d)

Law amendments under review by Parliament

Amendments would create a unified set of Privacy Principles to cover both the private and public sectors

Second stage of amendments to clarify or remove certain exemptions such as the employee records exemption, require breach notification, establish a private right of action, and harmonize national, state and provincial privacy laws

Page 7: Data Protection Masterclass VI: Global Privacy


China

No constitutional right to privacy

Criminal law amended in 2009 to make sale or other unauthorized disclosure of certain personal data a criminal offense

Tort liability law, effective July 1, 2010, recognizes independent right of privacy; private rights of action for civil damages possible

Anti-spam regulations issued in March 2006

Privacy legislation possible – either a separate statutory protection for the right to privacy or statutory extension of the right to personal dignity under the Constitution

Page 8: Data Protection Masterclass VI: Global Privacy


China (cont’d)

Internet Regulations issued in December 2011, governing the collection, storage and use of personal information by Internet companies

Internet Information Service Providers must provide notice and obtain users’ prior consent when collecting personal information or providing it to others

Limitations on use and general security requirements

Breach of the requirements subject to sanctions that include rectification orders, warnings and penalties ranging from RMB10,000 to RMB30,000

Page 9: Data Protection Masterclass VI: Global Privacy


Hong Kong

Omnibus law — Personal Data (Privacy) Ordinance

Notice, use and disclosure regulated

No database registration required

Cross-border transfer restriction is not operative and no implementation date has been set

Statutory penalties and private rights of action possible

Anti-Spam Law enacted in 2007

Voluntary Security and Data Breach Guidelines issued

The Personal Data (Privacy) Amendment Bill introduced into Hong Kong’s Legislative Council in July 2011; expectation that it will be enacted before the end of 2012

New rules in areas such as direct marketing, data security, data breach notification, and data transfers possible

Page 10: Data Protection Masterclass VI: Global Privacy


Japan

Omnibus law — Law Concerning the Protection of Personal Information (“PIPL”)

Framework legislation, implemented by Ministry Regulations (34 guidelines issued by 12 ministries)

No cross-border limitation — based on accountability

Opt-in consent for transfer of personal information to third parties

“Third parties” include subsidiaries, affiliates, group companies, franchisees, foreign companies, and joint marketing partners

Criminal sanctions and administrative penalties for violations

Page 11: Data Protection Masterclass VI: Global Privacy


Japan (cont’d)

Implied consent not necessary if

Transfer is to a “Delegatee” (service provider)

Transfer compliant with specific notice and opt-out requirements and when used for direct marketing purposes

Transfer is pursuant to M&A transaction or

Other exceptions — if transfer is pursuant to a law or ordinance; if necessary to protect life, person or property and consent is difficult to obtain; if necessary to improve public safety or protect children and consent is difficult to obtain; or if cooperation is required by government agencies

Page 12: Data Protection Masterclass VI: Global Privacy


Korea

Consent

“Separate” consent is required for each stage of handling of personal data:

collection and use

transfer to a third party

(handling of) particular identification data

(handling of) sensitive data

Lots of details required — e.g., listing the names of all third-party recipients

Trans-border transfer:

(1) consent from the data subject is required, and/or

(2) transfer contract in line with Korean law

Page 13: Data Protection Masterclass VI: Global Privacy


Korea (cont’d)

Notice (separate from the notification for informed consent):

Items of personal data to be handled

Purposes of use of personal data

Retention and use periods

Information on transfer of personal data to a third party, outsourcing and destruction of personal data

Rights of data subjects

Protective measures for data security

Page 14: Data Protection Masterclass VI: Global Privacy


Korea (cont’d)

Security – technical, administrative and physical

Supervisory authority (MOPAS) has specified details:

establishment and implementation of internal management plan,

keeping access records,

prevention of falsification of such records,

access control,

password control,

installation and operation of an access control system,

anti-virus programs,

encryption of devices
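The "keeping access records" and "prevention of falsification of such records" items above (and the "Audit" item on the administrative controls slide later in the deck) describe a control without saying how it is built. As an added example, not taken from the deck and not MOPAS's specification, here is one common way to make an access log tamper-evident: each entry carries a keyed hash over the previous entry's hash and its own fields, so editing, inserting or deleting an entry in the middle breaks the chain, and the newest hash is copied to a separate system so that deleting the tail is also caught. The signing key, field names and sample entries are constructed for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for this example only. In a real deployment the key lives in
# an HSM or secrets manager that the log host's own administrators cannot read;
# otherwise an insider could simply recompute the chain after editing it.
SIGNING_KEY = b"example-only-key-do-not-reuse"
GENESIS = "0" * 64
FIELDS = ("seq", "time", "actor", "action", "resource")


def _digest(prev_hash, record):
    """Keyed hash over the previous entry's hash and the canonical record bytes."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, prev_hash.encode() + canonical, hashlib.sha256).hexdigest()


class AccessLog:
    """Append-only access log in which every entry commits to its predecessor."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, resource, when=None):
        record = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "resource": resource,
        }
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(record, prev=prev_hash, hash=_digest(prev_hash, record))
        self.entries.append(entry)
        return entry

    def head(self):
        """Hash of the newest entry; a copy of this belongs outside the log host."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Return (ok, index of first bad entry or None).

        Recomputes the chain from GENESIS. If expected_head (a head hash saved
        elsewhere) is supplied, truncation of the tail is detected as well.
        """
        prev_hash = GENESIS
        for i, entry in enumerate(self.entries):
            record = {k: entry[k] for k in FIELDS}
            if entry["seq"] != i or entry["prev"] != prev_hash:
                return False, i
            if not hmac.compare_digest(_digest(prev_hash, record), entry["hash"]):
                return False, i
            prev_hash = entry["hash"]
        if expected_head is not None and not hmac.compare_digest(prev_hash, expected_head):
            return False, len(self.entries)
        return True, None


def demo():
    """Build a constructed three-entry log and show what each check catches."""
    log = AccessLog()
    t0 = datetime(2012, 5, 24, 9, 0, tzinfo=timezone.utc)
    log.append("hr.kim", "read", "employee/1001", t0)
    log.append("dba.park", "export", "customers.csv", t0)
    log.append("hr.kim", "update", "employee/1001", t0)
    saved_head = log.head()  # what a remote log collector would hold
    intact = log.verify(saved_head)

    # Someone rewrites who performed the export: the chain breaks at entry 1.
    log.entries[1]["actor"] = "svc.batch"
    edited = log.verify(saved_head)
    log.entries[1]["actor"] = "dba.park"

    # The newest entry is deleted instead: the chain alone still verifies,
    # only the externally saved head hash reveals the truncation.
    log.entries.pop()
    truncated_chain_only = log.verify()
    truncated_with_head = log.verify(saved_head)
    return intact, edited, truncated_chain_only, truncated_with_head


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one auditors usually miss: a hash chain proves the middle of a log was not altered, but not that the end of it still exists, so the head hash has to be anchored somewhere the log host's operators cannot reach (a separate collector, a write-once store, or a periodic signed summary).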

Page 15: Data Protection Masterclass VI: Global Privacy


Korea (cont’d)

Data Breach Notification/Report

Notification to affected data subjects, to specify

Items of personal data breached

Date/time of data breach

Measures to take to minimize possible damages

Available remedies

Report to the authority: upon a leak involving 10,000 or more data subjects

Page 16: Data Protection Masterclass VI: Global Privacy


Korea (cont’d)

Liability/Penalties

Violation: may entail criminal punishment (e.g., imprisonment of up to 5 years and USD 50K), administrative sanctions, civil liability.

Companies subject to hacking are sanctioned: criminal, administrative and civil liabilities.

Page 17: Data Protection Masterclass VI: Global Privacy


Malaysia

Personal Data Protection Bill 2009 given Royal Assent and published in June 2010; however, date of entry into force still to be determined

Personal Data Protection Commission expected to be set up in 2012; implementing regulations need to be issued

Notice, use and disclosure regulated

Classes of data users that must register their databases to be determined

Cross-border transfer restrictions

Fines and imprisonment possible

Directors equally liable for offenses committed by the organization

Once Act becomes effective, organizations have three months to come into compliance

Page 18: Data Protection Masterclass VI: Global Privacy


New Zealand

Privacy Act 1993 applies to private and public sectors

Notice, use and disclosure regulated

No database registration required

Government currently conducting full scale law review

Enacted the Privacy (Cross-border Information) Amendment Act in 2010, empowering the Privacy Commissioner to prohibit the onward transfer of personal information received from overseas

In April 2011, EU’s Article 29 Working Party adopted an adequacy opinion

Page 19: Data Protection Masterclass VI: Global Privacy


Philippines

Constitutional right to privacy

EU-style draft legislation has been approved by both the House and the Senate

Senate version of the bill (SB 2965) will need to be reconciled by bicameral conference committee with HB 4115 and then sent to President Benigno Aquino to consider and sign

Draft legislation would create a national Privacy Commission to enforce regulations, receive complaints, institute investigations, issue injunctions and recommend penalties to the Department of Justice

Page 20: Data Protection Masterclass VI: Global Privacy


Singapore

No data protection law is in place

Voluntary Model Data Protection Code sets out 11 data protection principles for adoption by the private sector

Processing of employment data and data for personal, journalistic and scientific research use are exempt from the Code

Continued reliance on self-regulatory regime will depend on whether companies adopt the voluntary guidelines

Ministry of Information, Communications and the Arts issued detailed proposals for a draft Personal Data Protection Bill; public comment period ended April 30, 2012

Government plans to introduce the bill in Parliament by the third quarter of 2012

Anti-Spam Law enacted in 2007

Page 21: Data Protection Masterclass VI: Global Privacy


Taiwan

Computer Processed Personal Data Protection Act

Covers limited private entities — financial, securities, insurance, mass media, and telecommunications companies

Database registration and opt-in consent required

• Amendment approved by Parliament in April 2010 eliminated the registration requirement and will extend coverage to all sectors, public and private, once fully implemented

Criminal, civil, and administrative penalties for violations; private right of action

However, new government took office in February 2012 and delayed implementation

Page 22: Data Protection Masterclass VI: Global Privacy


Taiwan (cont’d)

Concern about the draft implementing regulations issued in October 2011

• Government to consult with businesses and the financial sector and research cross border-related issues

• Any revisions to the underlying law would be sent to Parliament for approval

Unclear if Cabinet would be able to finalize a proposal and get it to lawmakers before the end of the legislative session in late June 2012

Page 23: Data Protection Masterclass VI: Global Privacy


Argentina

Very similar to Spain

The scope of the law is relatively narrow — Applies to databases that are shared

Requires notice and opt-in consent to process personal information or to share information with affiliated companies

Prohibits transborder transfers to countries without “adequate” data protection

Protective contracts or consent of individual is required if no adequacy finding

• Argentina has not issued any adequacy findings, so organizations must rely on protective contracts or the consent of individual

Criminal sanctions, administrative penalties, and private right of action possible

Page 24: Data Protection Masterclass VI: Global Privacy


Brazil

Draft privacy legislation pending in Congress

Public consultation on a draft bill started in April 2011; Ministry of Justice will now revise and present draft bill to Congress

Current bill requires: express consent to process all personal information; express consent to disclose personal information to third parties with no exceptions; express consent, or another exception, to transfer personal information to inadequate countries; provision of unfettered rights of access to personal information

Sensitive information, such as health information, is protected under the Constitution; consumer data is protected under the Consumer Defense Code

For consumer data, there are notice, access, and correction obligations as well as consent requirement in order to transfer data

Page 25: Data Protection Masterclass VI: Global Privacy


Chile

First country in Latin America to enact data privacy law

Notice and consent required

Written consent required to disclose sensitive information

No database registration

Access and correction rights

Must keep personal information secret and confidential

No cross border restrictions but confidentiality agreements must be in place to transfer nonpublic personal information to third parties

New legislation introduced in 2008 but no action has been taken by the legislature

Page 26: Data Protection Masterclass VI: Global Privacy


Colombia

Habeas data law enacted in 2008 gives individuals the constitutional right to know, update, and correct information about them contained in databases

Controversy regarding the scope of 2008 Law about whether it applies only to financial data or more broadly regulates the collection, use, storage and transfer of financial, credit, services and commercial data

Comprehensive new data privacy law approved by Congress in late 2010; Constitutional Court upheld majority of the law’s provisions

The law, which must be signed by the President before it enters into force, requires an individual’s specific consent to collect, use, store, and/or transfer personal data

Timetable for enactment unknown

Page 27: Data Protection Masterclass VI: Global Privacy


Mexico

Data privacy law approved by Congress in April 2010 and entered into force July 5, 2010

Regulations Issued in September 2011

Notices must be provided at the time of collection

Access and Correction Rights

A data privacy person or office must be designated to process requests from individuals who wish to exercise their rights under the law

Consent

Implied (opt-out) consent sufficient in most instances

Written express consent to process financial or asset data and sensitive personal information

Page 28: Data Protection Masterclass VI: Global Privacy


Mexico (cont’d)

Individuals must be notified immediately in the event of a security breach that significantly affects their "equity or legal rights"

Organizations must have contracts in place with third parties that require the third parties to treat the data in accordance with the privacy notice provided to the individual and assume the same obligations as the organization that is transferring the data

Data Transfers

Domestic or international transfers of data without consent to affiliated entities that operate under the same internal processes and policies

Other exceptions such as contractual necessity

No Registration

Possible penalties include large fines and jail time

Page 29: Data Protection Masterclass VI: Global Privacy


Peru

Omnibus data privacy law enacted July 5, 2011

Regulates the collection, use and disclosure of personal information by private sector organizations

Establishes a Data Protection Authority that will report to the Ministry of Justice

Requirements include:

Express consent needed in many instances to collect, use and disclose personal information

Database registration

Data may not be transferred to third countries that do not provide an adequate level of protection

Grants DPA the power to impose sanctions on organizations that violate the law

Page 30: Data Protection Masterclass VI: Global Privacy


Peru (cont’d)

Only Title II provisions establishing the data protection principles and creating the DPA and the multi-sectoral commission responsible for developing the implementing regulations now in effect

Other provisions to become effective 30 days after the implementing regulations are published

Timetable for issuance of regulations unknown

Page 31: Data Protection Masterclass VI: Global Privacy


Uruguay

EU style data protection law enacted in August 2008 (Implementing Decree in August 2009)

Prior notice and opt-in consent are required to process personal data unless an exception applies

Access must be provided and individuals may request rectification, updating, inclusion, or deletion of personal data

Database registration required

Obligation to report security violations that significantly affect the interests of the individuals concerned; however, unclear to whom notice must be given

Cross-border transfers of personal data to countries not deemed “adequate” are prohibited without opt-in consent, unless an exception applies

Administrative penalties and a private right of action

Page 32: Data Protection Masterclass VI: Global Privacy


Forest/Trees

Focus on core substantive obligations: Notice, Choice, Security, Service Providers

Look for commonalities

Stay involved – changes weekly

Page 33: Data Protection Masterclass VI: Global Privacy


Evaluate Risky Areas

Collection of information over the Internet and email

Access to sensitive files by employees and independent contractors

Access to credit card information

Transmission, storage, and disposal of computerized data, including data contained on disks and hard drives

Data to be transmitted to any third party

Storage and disposal of paper records

Data center moves/consolidations

Transfer and use by service provider/outsourcing

Page 34: Data Protection Masterclass VI: Global Privacy


How Must Information Be Protected?

Technical

Firewalls, anti-virus, and anti-spyware protections

Periodic changing of (non-default) IDs and passwords

Access controls (important when someone leaves the company)

Encryption

Limit access to that which is necessary to perform duties

Basic rules for employees

Do not email sensitive or special PI

Do not access more than that which is needed

Create and use secure documents

Use passwords

Page 35: Data Protection Masterclass VI: Global Privacy


How Must Information Be Protected? (cont’d)

Physical

Lock file cabinets

Shred appropriately (do not put PI in the garbage)

Check litigation/document holds before disposing of any documents

Control movement of personnel into, through, and out of offices

Enforce procedures for card keys and other access controls

Monitor employees with access to customer and Human Resources data

Page 36: Data Protection Masterclass VI: Global Privacy


How Must Information Be Protected? (cont’d)

Administrative

Technology use policy

Blogging and social networking, peer to peer file sharing programs, remote access, use of laptops

Security breach notification procedure

How is unauthorized access or acquisition reported? Who is on the immediate response team?

Confidentiality policy

Does it cover confidential information and Personal Information?

Training

Audit

Page 37: Data Protection Masterclass VI: Global Privacy


Specific Controls

Background checks

Non-Disclosure Agreements

Video cameras on site

Physical segregation of customer data

Fire walls/virus controls

Servers locked to shelves

Separate and locked server room

Encryption of laptops

Limitations on remote access

USB/Memory Sticks

Cell phones/iPods in service centers

Page 38: Data Protection Masterclass VI: Global Privacy


Employee Training and Awareness

All employees with access to PI should be trained in data security policy and procedures and refresher training should be provided as necessary

Important to have follow-up to assess employees’ awareness

Consider Non-Disclosure Agreements (NDAs) with employees

Employees should be advised that violations of data protection policy will result in disciplinary action

Think creatively about training

Page 39: Data Protection Masterclass VI: Global Privacy


Questions?

Ann Bevitt, [email protected]

Karin Retzer, [email protected]

Miriam Wugmeister, New [email protected]

Mofoprivacy.com