Drew & Napier LLC – Data Protection Quarterly Update

July 2017

In this issue

Welcome Message – page 1
In The News:
– Singapore – page 1
– Malaysia – page 10
– Philippines – page 11
– China – page 12
– Australia – page 13
– New Zealand – page 13
– Russia – page 15
– European Union – page 16
– United Kingdom – page 19
– United States – page 23

WELCOME MESSAGE

The Drew & Napier Telecommunications, Media and Technology Practice Group is pleased to present the latest issue of our Data Protection Quarterly Update. In this Quarterly Update, we provide a snapshot of important data protection law developments in Singapore as well as in jurisdictions around the world. At the outset, we examine the reasons behind the six most recent enforcement decisions issued by the Personal Data Protection Commission (PDPC), the statutory authority that administers and enforces the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA), in which the PDPC took action against several entities for breaching their obligations under the PDPA. Thereafter, in light of how courts, governments and regulators around the world continue to deal with rapid technological advancements and their implications for personal data, we analyse the emergence of new regulatory instruments and frameworks in several jurisdictions, including Australia and the Philippines. These developments are undeniably helpful in providing guidance for regulators and businesses in managing their data protection obligations. We hope that this new publication will be useful to you as you navigate the increasingly complex regulatory landscape in data protection law. We welcome your feedback and questions on any of the data protection news and articles featured in this Quarterly Update, as well as any suggestions that you may have on topics to be covered in future publications. For more details on the Drew & Napier Telecommunications, Media and Technology Practice Group, please visit: http://www.drewnapier.com/Our-Expertise/Telecommunications,-Media-Technology.

This newsletter is intended to provide general information and may not be reproduced or transmitted in any form or by any means without the prior written approval of Drew & Napier LLC. It is not intended to be a comprehensive study of the subjects covered, nor is it intended to provide legal advice. Specific advice should be sought about your specific circumstances. Drew & Napier has made all reasonable efforts to ensure the information is accurate as of 3 July 2017.

IN THE NEWS

SINGAPORE

The PDPC issues Enforcement Decisions

Between April and June 2017, the PDPC issued enforcement decisions against six organisations for breaching their data protection obligations under the PDPA. These organisations are as follows:
(a) Tech Mahindra (Singapore) Pte Ltd (Tech Mahindra) (the decision was issued on 6 April 2017);
(b) National University of Singapore (NUS) (the decision was issued on 26 April 2017);
(c) Asia-Pacific Star Private Limited (APS) (the decision was issued on 31 May 2017);
(d) Furnituremart.sg (Furnituremart) (the decision was issued on 31 May 2017);
(e) Hazel Florist & Gifts Pte Ltd (Hazel Florist) (the decision was issued on 20 June 2017); and
(f) DataPost Pte Ltd (DataPost) (the decision was issued on 20 June 2017).

On 12 June 2017, the PDPC also issued a consolidated no-breach decision in respect of complaints made against certain Management Corporation Strata Title and managing agents of condominiums (collectively, Property Managers) for alleged breaches of the Property Managers’ data protection obligations under the PDPA.

Tech Mahindra

Background

On 29 February 2016, Singapore Telecommunications Limited (Singtel) was notified that certain personal particulars of its customers that were displayed in their online user account interface, as accessed through the Singtel mobile application and web portals, had been replaced with the personal particulars of an individual Singtel customer (Customer). Singtel’s internal investigations disclosed that Tech Mahindra, the Information Technology (IT) vendor for its single log-in service (ONEPASS), had omitted a clause in the database script (Clause) that was operative in limiting user updates to a particular customer. This resulted in the disclosure of the Customer’s personal particulars to Singtel’s customers in general, which included sensitive details such as his NRIC number.

The PDPC’s Decision

Upon the conclusion of the PDPC’s investigations, Tech Mahindra was found to have breached its obligation under section 24 of the PDPA, as it had failed to implement reasonable security measures to protect the personal data in its possession or under its control, for the following reasons.

(a) Failure to adhere to Singtel’s express instructions

In an email dated 2 April 2015, Singtel had specifically instructed Tech Mahindra to update the Customer’s profile on the ONEPASS database and, in particular, had informed Tech Mahindra that the Clause was to be a primary key and could not be omitted. Notwithstanding Singtel’s instructions, Tech Mahindra omitted the Clause in its update to the database script, resulting in the disclosure of the Customer’s personal data.

(b) Failure to observe standard operating procedures relating to sandbox development testing

Singtel and Tech Mahindra had a standard operating procedure (SOP) under which changes to the database script would first be tested in a sandbox environment before being executed in the actual production environment. This would ensure that any bugs or errors were detected early in a test-bed environment, avoiding any significant impact on Singtel’s operations. However, Tech Mahindra failed to adhere to the stipulated SOP and executed the database script directly against the ‘live’ environment.

(c) Failure to comply with internal SOPs relating to the review and verification of database updates

In addition, Tech Mahindra failed to comply with its internal policies pertaining to any modification or update of the database script. Prior to the execution of any update, Tech Mahindra had an internal policy that the update would be reviewed by a more senior member of the support team. The employee was also expected to verify that the update was correct after execution of the database script. However, these internal SOPs and policies were not complied with.
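In database terms, the omitted Clause is the key predicate that scopes an UPDATE to one row; without it, the same statement rewrites every row it can reach. The following is an added example, not Singtel’s or Tech Mahindra’s script: it assumes a hypothetical onepass_users table and shows two of the controls the decision says were skipped, a sandbox dry run that reports how many rows a script would change before it touches production, and a transactional guard that rolls back any single-profile update touching more or fewer than one row.

```python
import sqlite3

# Constructed sample data standing in for a handful of ONEPASS user profiles.
# The table name, columns and customer ids are assumptions for this illustration;
# none of this is Singtel's or Tech Mahindra's actual schema or script.
SAMPLE_USERS = [
    (1001, "Customer A", "S0000001A"),
    (1002, "Customer B", "S0000002B"),
    (1003, "Customer C", "S0000003C"),
]

# Hypothetical update statement with the key predicate ("the Clause") present ...
SCOPED_UPDATE = "UPDATE onepass_users SET display_name = ?, nric = ? WHERE customer_id = ?"
# ... and the same statement with the Clause omitted: it now matches every row.
UNSCOPED_UPDATE = "UPDATE onepass_users SET display_name = ?, nric = ?"


class ScopeError(RuntimeError):
    """Raised when a single-profile update would touch a number of rows other than one."""


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample users."""
    # isolation_level=None: no implicit transactions, so BEGIN/COMMIT/ROLLBACK are explicit.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE onepass_users ("
        " customer_id INTEGER PRIMARY KEY,"
        " display_name TEXT NOT NULL,"
        " nric TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO onepass_users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def snapshot(conn: sqlite3.Connection) -> list:
    """Return every row, ordered by key, so before/after states can be compared."""
    return conn.execute(
        "SELECT customer_id, display_name, nric FROM onepass_users ORDER BY customer_id"
    ).fetchall()


def dry_run_rowcount(conn: sqlite3.Connection, sql: str, params: list) -> int:
    """Sandbox step from the SOP: run the script, report how many rows it would
    change, and roll everything back so the data is left untouched."""
    conn.execute("BEGIN")
    try:
        return conn.execute(sql, params).rowcount
    finally:
        conn.rollback()


def update_profile(conn, customer_id, display_name, nric, *, omit_key_clause=False) -> int:
    """Production step: update exactly one customer's profile inside a transaction.

    omit_key_clause=True reproduces the defect described in the decision (for the
    demonstration only). The rowcount guard then rolls the change back instead of
    letting it reach every profile in the table.
    """
    if omit_key_clause:
        sql, params = UNSCOPED_UPDATE, [display_name, nric]
    else:
        sql, params = SCOPED_UPDATE, [display_name, nric, customer_id]
    conn.execute("BEGIN")
    try:
        changed = conn.execute(sql, params).rowcount
        if changed != 1:
            raise ScopeError(f"update would change {changed} rows, expected exactly 1")
        conn.commit()
        return changed
    except Exception:
        conn.rollback()
        raise


def run_with_omitted_clause(conn: sqlite3.Connection) -> tuple:
    """Attempt the defective update; report whether the guard blocked it and the
    table contents afterwards."""
    try:
        update_profile(conn, 1001, "Customer A", "S0000001A", omit_key_clause=True)
        return False, snapshot(conn)
    except ScopeError:
        return True, snapshot(conn)


if __name__ == "__main__":
    db = make_db()
    print("dry run, Clause omitted:", dry_run_rowcount(db, UNSCOPED_UPDATE, ["X", "Y"]), "rows")
    print("dry run, Clause present:", dry_run_rowcount(db, SCOPED_UPDATE, ["X", "Y", 1002]), "rows")
    update_profile(db, 1002, "Customer B (updated)", "S0000002B")
    blocked, rows = run_with_omitted_clause(db)
    print("defective update blocked by guard:", blocked)
    for row in rows:
        print(row)
```

The dry run reports 3 rows for the unscoped statement against the sample table, which is the signal a sandbox test would have given before the script reached production.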


The PDPC’s Actions

In assessing the breach and the directions to be imposed on Tech Mahindra, the PDPC took the following factors into consideration:
(a) The personal data disclosed in the data breach incident, particularly the Customer’s NRIC number, is of a sensitive nature.
(b) There was also an unauthorised modification of the personal data of 2.78 million ONEPASS users.
(c) The data breach incident could have been avoided if Tech Mahindra had followed Singtel’s and Tech Mahindra’s SOPs.
(d) Of the 2.78 million ONEPASS users whose accounts had been modified, only 2,518 users had viewed the Customer’s NRIC number, as access to the Singtel applications and portals was promptly disabled.
(e) Tech Mahindra and Singtel had jointly notified the PDPC of the data breach incident, and were cooperative in the course of the investigation.
(f) Singtel and Tech Mahindra took prompt remedial and preventive actions.

Based on the above factors, the PDPC imposed a S$10,000 fine on Tech Mahindra, to be paid within 30 days from the date of the PDPC’s direction.

NUS

Background

The PDPC had received a complaint from a student of NUS that a URL link being circulated for the NUS orientation camp had disclosed, without the relevant parties’ consent or authorisation, the personal data of approximately 143 student volunteers from a residential college of NUS. The URL link provided access to an online Excel spreadsheet (Spreadsheet), which contained personal data of the student volunteers, including their full names, mobile numbers, matriculation numbers (i.e., NUS-issued student identification numbers), shirt sizes, dietary preferences, dates of birth, dormitory room numbers and email addresses.

While access to the Spreadsheet was initially limited to the student leaders of the orientation camp, the access permissions were subsequently changed to an open access setting, such that any user who had the URL link could access the personal data of the student volunteers contained within the Spreadsheet. Consequently, the student volunteers’ personal data was accessible by any member of the public.

The PDPC’s Decision

Upon the conclusion of its investigations, the PDPC found that NUS had breached its obligation under section 24 of the PDPA as it had failed to implement reasonable security measures to protect the personal data in its possession or under its control.

Lack of training provided to student leaders

The PDPC found that NUS did not have any formalised data protection training in place to train and equip its students with the required mind-set, knowledge, skills and tools to protect personal data. After a survey of statements issued by its foreign counterparts, the PDPC noted that data protection training was generally regarded as a type of administrative or organisational security measure that has a direct impact on the proper implementation of an organisation’s data protection policies and practices. In the present case, the PDPC found that NUS ought to have conducted training sessions for the elected student organisers. Given that the freshman orientation camp was conducted on a yearly basis, it was reasonably foreseeable that the organisers of the camp, and other student leaders, would be handling the personal data of students, including the incoming batch of students and student volunteers, in the course of organising and conducting the freshman orientation camp. NUS also had ample opportunity to plan and conduct the training sessions, which could be tailored to the possible data handling scenarios that the student leaders would face.

However, on the facts, the PDPC found that NUS had not provided any effective data protection training to the student organisers of the orientation camp. While classroom training had been conducted previously, there had been only one session for a select group of students, and it was subsequently discontinued. Separately, even though an e-training programme was made available through the online student portal called Integrated Virtual Learning Environment, this was found to be similarly ineffective, as the e-training programme was not provided on a compulsory basis to the student organisers and, as a matter of fact, none of the student leaders had subscribed to the e-training programme prior to the said orientation camp. In its representations, NUS cited its organisation-wide data protection policies and guidelines as a form of adequate protection for the personal data in its possession and under its control. These guidelines provided general data protection guidance for student activity planners and reminded them of their data protection duties when collecting personal data in the course of conducting student activities. However, these were found to be inadequate as a security arrangement. The PDPC reasoned that even if the student leaders were apprised of these policies and guidelines, the guidelines were couched at such a high level that the guidance therein did not naturally translate into actionable practices for student organisers to implement on the ground. The PDPC noted that proper guidance is not easily substituted or replaced by general guidelines that an organisation may set.

The PDPC’s Actions

In assessing the breach and the directions to be imposed on NUS, the PDPC took into account the following factors:
(a) A significant number of individuals (approximately 143 students) were affected by the data breach incident.
(b) The potential adverse consequences of a misuse of the student matriculation number by other persons. However, it was noted that the student matriculation number is only used for the duration of the student’s undergraduate or postgraduate course and not for an extended period of time.
(c) NUS was cooperative with the PDPC and forthcoming in its responses during the PDPC’s investigation.

The PDPC also considered and acceded to the representations made by NUS in respect of the PDPC’s preliminary directions, as the representations did not detract from the key principles, functions and purposes of the PDPC’s grounds of decision and directions. The PDPC’s final directions to NUS were that:
(a) NUS was to, within 120 days from the date of the PDPC’s directions:
(i) Design training that would address personal data protection in the context of the collection and processing of personal data for student events and of the resulting interaction.
(ii) Make arrangements for such training to be mandatory for any student leader.
(iii) Make such other arrangements as would be reasonably required to meet the objectives set out in (i) and (ii) above.
(b) NUS shall submit to the PDPC a written update on the arrangements for the training provided, no later than 14 days after the above actions have been carried out.

APS

Background

On 27 July 2016, the PDPC received a complaint that the passenger name list for a Tiger Airways Singapore Pte Ltd (Tigerair) flight (Flight Manifest) had been improperly disposed of in a rubbish bin in the gate hold room at Changi Airport. The Flight Manifest contained passengers’ personal data such as the passenger’s name and booking reference number, amongst other personal data. The disclosed personal data could also be used as login credentials to access the passenger’s “Manage My Booking” webpage on Tigerair’s website, whereupon additional personal data about the passenger could be retrieved, including the passenger’s passport number, home address, phone number, email address and the last four digits of the credit card used to pay for the flight ticket. In the PDPC’s findings of fact, it was disclosed that an employee of APS, which was the subcontractor for the provision of ground handling services for Tigerair, had run out of paper while printing a copy of the Flight Manifest. Without taking further precautionary measures, the employee had disposed of the partially printed Flight Manifest in the rubbish bin in the gate hold room, and reprinted the Flight Manifest in full.

The PDPC’s Decision

At the outset, the PDPC found that APS was acting as a data intermediary of Tigerair when it processed personal data, on behalf of Tigerair, in relation to the ground handling services that it was sub-contracted to perform. The PDPC also found that APS had breached its obligation under section 24 of the PDPA as it had failed to implement reasonable security measures to protect the personal data in its possession or under its control, for the reasons set out below:

(a) Failure to contextualise general group-level policies to ground operations

Although APS was a subsidiary in a corporate group and was required to comply with the parent organisation’s set of data protection policies, which contained guidelines on security measures for the protection of personal data, this was inadequate as a security measure under section 24 of the PDPA. In particular, APS failed to implement further procedures or policies to translate the group-level policies into the customised practices required on the ground to protect personal data. These practices should have addressed specific scenarios of inappropriate handling or disposal of Flight Manifests, particularly where the personal data leaked would be of a sensitive nature, such as the details retrievable from the “Manage My Bookings” portal.

(b) Failure to provide ongoing training on APS’s data protection obligations, policies and procedures

In addition, APS should have provided training on a customised and ongoing basis for its employees who routinely handle passengers’ personal data. This was particularly important given that APS processes the personal data of a large number of individuals on a regular basis in the course of its duties.
Ongoing refresher training would have fostered and maintained an organisation-wide awareness of data protection concerns, and would have ensured that the organisation’s data protection obligations were consistently acted upon by its employees. In its findings, the PDPC found that APS’s employees had only received a general data protection briefing, which was conducted during the employee induction programme designed for new employees. This was not found to be an adequate security arrangement to reasonably protect the personal data in APS’s control or possession, pursuant to section 24 of the PDPA.

The PDPC’s Actions

In assessing the breach and the directions to be imposed on APS, the PDPC took into account the following factors:
(a) The said gate hold room was accessible only by passengers and airport staff.
(b) The bin in which the Flight Manifest was disposed of could reasonably be expected to be emptied regularly as part of routine maintenance.
(c) The Flight Manifest held data that served as login credentials to passengers’ personal data on Tigerair’s “Manage My Bookings” portal. However, the PDPC noted that such information was only accessible for a limited time period, until the last travelling date on the passengers’ itinerary.
(d) There were no complaints of any unauthorised access to the “Manage My Bookings” page of any passenger.

Based on the above factors, the PDPC directed APS to:
(a) Conduct a review of its procedure for the proper disposal of personal data in its possession and/or control.
(b) Introduce data protection policies that are contextualised and pertinent to the services provided by APS and the functions performed by its staff.
(c) Create an ongoing training programme for the implementation of APS’s data protection policies by its staff.

Furnituremart

Background

Furnituremart is in the business of trading furniture, bedding and other domestic products. As represented by Furnituremart, signed copies of invoices were returned to its office upon delivery of goods and would, on a daily basis, be destroyed by its staff. However, in the present incident, a Furnituremart employee had erroneously placed a returned copy of an invoice into the printer feed tray, whereupon another customer’s invoice was printed on it. The said invoice was then issued to its intended recipient. As a result, the first customer’s personal data, namely the customer’s surname, home and delivery address, telephone number and email address, was disclosed.

The PDPC’s Decision

For the reasons set out below, the PDPC found that Furnituremart had breached its obligation under section 24 of the PDPA as it had failed to implement reasonable security measures to protect the personal data in its possession or under its control.

(a) Furnituremart failed to effectively put any data protection policy in place

First, Furnituremart had only formalised its data protection policy during the month of the data breach and did not have an existing written policy in place. In addition, there was a possibility that the data protection policy was only conceived after the data breach incident had occurred. Aside from the fact that the policy was issued during the same period as the data breach incident, the PDPC noted that the data protection policy consisted of only six bullet points, half of which related to the data breach incident.

Second, Furnituremart did not adduce any evidence to show that it had implemented the data protection policy prior to the data breach. Such evidence would include internal communications of the policy to its staff, internal briefings to raise staff awareness and staff training events. Although Furnituremart claimed that it had an effective supervisory check in place to implement its data protection policy, this was no more than a bare assertion unsubstantiated by the findings of fact.

Third, Furnituremart did not provide any data protection training to its employees.

(b) Lack of management oversight and supervision

Separately, Furnituremart had relied on the misconceived assumption that proper execution of the job functions delegated to its staff was per se sufficient as a data protection measure. As such, the management had failed to craft data protection policies and measures that were adapted to its business, and had failed to disseminate such policies and measures to its staff. Moreover, the management should have actively supervised and monitored its employees to ensure that the data protection procedures were correctly implemented.

The PDPC’s Actions

In assessing the breach and the directions to be imposed on Furnituremart, the PDPC took into account the following mitigating factors:
(a) The unauthorised disclosure was made to a single person only.
(b) The personal data disclosed was not sensitive.
(c) There was no evidence that any loss or damage was caused by the unauthorised disclosure.

The PDPC made the following directions to Furnituremart:
(a) To review its policy for the protection of personal data in relation to its order fulfilment process.
(b) To develop procedures to ensure effective implementation of its data protection policy.
(c) To conduct training to ensure that its staff are aware of, and will comply with, the requirements of the PDPA when handling personal data.

Hazel Florist

Background

On 5 September 2016, the PDPC was informed that Hazel Florist had delivered a gift hamper to the complainant which contained order forms used as fillers at the bottom of the hamper. These order form fillers contained the personal data of 24 other individuals, including their names, delivery addresses and telephone numbers.


The PDPC’s Decision

Upon the conclusion of the PDPC’s investigations, it was found that Hazel Florist was in breach of section 24 of the PDPA, as it had failed to implement reasonable security measures to protect the personal data in its possession or under its control, for the reasons set out below:

(a) Failure to implement any measures to ensure that only designated filler material was used

In its representations, Hazel Florist explained that its employees had received clear instructions to use designated filler material for its gift hamper packing process. However, the PDPC took the view that such instructions were not in themselves a reasonable security arrangement. Instead, accompanying measures were required, pursuant to section 24 of the PDPA, to reasonably ensure that Hazel Florist’s instructions to its employees were carried out.

(b) Failure to provide data protection training to the employee

The PDPC noted that, in certain circumstances, data protection training may serve as a security arrangement, where it provides an employee with an awareness of the organisation’s data protection obligations and gives specific guidance on the proper handling of personal data relevant to the employee’s day-to-day tasks. In the present case, the PDPC found that the said employee was not adequately trained in data protection, as she was only trained in the physical packing of the gift hamper and not in data protection measures themselves. Thus, the PDPC held that such on-the-job training did not constitute a security arrangement for the purposes of section 24 of the PDPA.

(c) Failure to provide proper supervision to the employee

The PDPC also held that Hazel Florist had failed to address the employee’s lack of receptiveness to the training and guidance provided by her colleagues. With the said employee effectively working unsupervised, Hazel Florist was unable to ensure that the said employee followed its instructions to use the designated filler material.

(d) Failure to provide specific practical guidance on proper handling of personal data

Furthermore, the PDPC noted that Hazel Florist’s data protection policy only restated the organisation’s data protection obligations in general terms, and did not provide specific practical guidelines on the proper handling of personal data. In addition, Hazel Florist had expected its employees to read the data protection policy, and did not explain, nor ensure, that its employees understood what was required of them under the data protection policy.

The PDPC’s Actions

In assessing the breach and the direction to be imposed on Hazel Florist, the PDPC took into account the following factors:
(a) The personal data was disclosed to only one person.
(b) Save for the disclosure of one individual’s NRIC, the breach involved personal data of limited sensitivity.
(c) Hazel Florist had taken remedial actions to help prevent the disclosure of personal data in the future.
(d) Hazel Florist had been fully cooperative in the investigation.

In view of the factors above, the PDPC issued a warning to Hazel Florist for the breach of its obligations under section 24 of the PDPA, and did not impose further directions or a financial penalty.

DataPost

Background

DataPost had printed and mailed out financial statements relating to the Overseas-Chinese Banking Corporation Ltd’s (OCBC) Supplementary Retirement Scheme (SRS) to OCBC’s customers. Each SRS statement contained the name, address, cash balance, and the types, quantity and valuation of asset holdings of the customer. The PDPC was informed by OCBC that, on or about 17 June 2016, a customer of OCBC discovered that she had received two additional statements belonging to two other OCBC customers in addition to her own SRS statement. At DataPost, the SRS statements are printed and inserted into the customers’ respective mailer envelopes by an enveloping machine. Due to an operational peculiarity of the machine, the first three statements printed would always be placed in the same envelope. To remedy the operational peculiarity, the machine was set to send the first envelope into the reject bin for an operator to manually sort the individual statements within the first envelope into separate envelopes. On 4 May 2016, the operator mistakenly assumed that the first three statements belonged to the same individual, and moved the envelope from the reject bin to the main bin. The operator also completed the quality control form in a manner showing that the envelopes in the reject and main bins tallied with the expected total from the run.

The PDPC’s Decision

For the reasons stated below, DataPost was found to have breached section 24 of the PDPA, as it had not put in place adequate security arrangements to protect the personal data in its possession or under its control.

(a) Significant operational risk

The PDPC was of the opinion that the processes created a significant risk of the first envelope containing the statements of more than one individual. The design and operation of the enveloping machine ensured that the risk arose with each print cycle. In the PDPC’s view, such risks could be avoided, for example, by having the first sheet printed blank by default. This would lower the chance of an unauthorised disclosure of customers’ personal information, as the first envelope would contain blank pages instead of the actual statements of real customers.

(b) Inadequate quality control checks

The PDPC found that DataPost’s system of quality control measures was inadequate and easily bypassed. This was because the operator could return the first envelope filled by the machine to the main bin rather than the reject bin, which would otherwise have been inspected by the second and third level checkers. Thus, the operator was able to bypass both the second and third level checks.

(c) Independent verification of accuracy

The PDPC also noted that there was no independent verification of the accuracy of the quality control form filled in by the operator. This meant that the second and third level checkers would not have been aware that the operator had incorrectly moved an envelope from the reject bin to the main bin, as the numbers in the quality control form appeared to tally with the expected total from the run. Thus, the second and third level checkers were relying on the numbers provided by the operator in the quality control form in order to ascertain whether an error or failure had occurred, and could not independently verify that the numbers provided by the operator were actually correct.

The PDPC’s Actions

In assessing the breach and the directions to be imposed on DataPost, the PDPC took into account the following aggravating and mitigating factors:
(a) The personal data disclosed contained sensitive financial information of the customers, which was a significant aggravating factor warranting a financial penalty as a matter of general deterrence.
(b) The scale of the breach was small, as only personal data belonging to two individuals was disclosed to a single recipient.
(c) There was no evidence to suggest that the data breach caused actual loss or damage to any person.

Based on the above factors, the PDPC imposed a S$3,000 fine on DataPost, and additionally directed that DataPost:
(a) Conduct a review of its internal working procedure relating to data printing and enveloping operations, in particular tightening the application of quality control checks.
(b) Improve the training of all operators and quality checkers involved in its printing and enveloping operations.
(c) Review its personal data protection policy to determine if it needs to be updated to suit its current operations.

Property Managers

Background

Between 29 June 2016 and 27 July 2016, the PDPC received complaints from several residents

of three condominiums, namely Prive, The Mornington and Seletaris, against their condominiums’ respective Property Managers. The complaints involved the posting of certain documents, such as voter lists and draft minutes of a council meeting, on notice boards located within the compounds of the condominiums. Amongst the information disclosed in the voter lists and minutes of meeting was personal information of the residents, including their names, unit numbers and voting shares.

The PDPC’s Decision

Upon conclusion of its investigation, the PDPC found that the Property Managers were not in breach of their data protection obligations under the PDPA.

Consent and Notification Obligations

First, the Property Managers had not breached their PDPA obligations to:
(a) Obtain an individual’s consent before collecting, using or disclosing his personal data for a purpose, under sections 13 to 15, and 17 of the PDPA (Consent Obligation).
(b) Notify the individual of the purpose(s) for which it intends to collect, use or disclose his/her personal data on or before such collection, use or disclosure, under section 20 of the PDPA (Notification Obligation).

At the outset, the PDPC found that the Property Managers had not notified their respective residents of the purpose of the disclosure of the voter lists or minutes of meeting, nor had the Property Managers obtained the residents’ consent to disclose their personal data for this purpose. However, the PDPC found that the Property Managers were not in breach of their Consent and Notification Obligations, as they could rely on certain exceptions to these obligations, as set out below.

(a) Exemption 1: Disclosure was required or authorised under other written law

Under section 13(b) of the PDPA, an organisation is exempted from the Consent and Notification Obligations if the disclosure of personal data is required or authorised under the PDPA or any other written law.

Under the Building Maintenance and Strata Management Act (BMSMA), the Property Managers were statutorily required to display the list of eligible voters and a copy of the minutes of the council meeting on the notice board of their condominiums. Although the BMSMA does not specify the information to be disclosed in the display of the minutes, the PDPC found that it is implicit in the definition and understanding of ‘minutes of meetings’ that they can contain the personal data of individuals. In addition, the display of the attendees’ unit numbers was reasonable because it serves to establish the basis for the proprietor’s attendance. Hence, the disclosure of the residents’ names in the voter lists, as well as the names and unit numbers in the display of the minutes of the council meetings, fell within an exception to the Consent and Notification Obligations under the PDPA.

(b) Exemption 2: Personal data was publicly available

In addition, the PDPA also provides that personal data that is generally available to the public constitutes an exception to the Consent and Notification Obligations under the PDPA. Under the Advisory Guidelines on Key Concepts in the PDPA, personal data is considered to be publicly available for the purposes of the PDPA if “any member of the public could obtain or access the data with few or no restrictions.” On the facts, the PDPC found that the personal data involved (i.e., the names, unit numbers and voting shares of the residents) was generally available to the public, as the information could be found in the condominium’s strata roll and on the Singapore Land Authority Registry, both of which were accessible by the public with few or no restrictions. For example, a person may access the strata roll by making an application to the Property Manager and paying the prescribed fee. Even though the BMSMA provides that the strata roll may only be accessed by specified categories of persons, these included “prospective” mortgagees or purchasers as well as persons authorised by residents or mortgagees. Hence, the practical reality was that some of the specified categories were difficult to enforce.

9

Retention Obligation Second, the PDPC found that the Property Managers had not breached their obligation to cease to retain the personal data as soon as the personal data is no longer reasonably required for the purposes for which it was collected, and for legal or business purposes, pursuant to section 25 of the PDPA (Retention Obligation). In particular, the PDPC considered whether the display of the voting lists on the notice board for two months amounted to an unreasonable period that breached the Property Manager’s Retention Obligation. In the PDPC’s view, where the reasonableness of a course of action is in issue, the PDPC would only intervene if the action is so clearly unreasonable to warrant sanctions under the PDPA. In the present case, whilst the PDPC refrained from dictating what is an unreasonable period of time for the retention of personal data, it concluded that a period of two months is not unreasonably long that it ought to have attracted a sanction under the PDPA. Therefore, in view of the foregoing reasons, the PDPC found that the Property Managers had not breached their obligations under the PDPA.

MALAYSIA

Malaysia publishes a public consultation paper on the transfer of personal data to places outside Malaysia and commences the enforcement of the Malaysia Personal Data Protection Act

On 4 April 2017, Malaysia’s Personal Data Protection Department issued a public consultation paper on the draft Personal Data Protection (Transfer Of Personal Data To Places Outside Malaysia) Order 2017 (Draft Order), which specifies the ‘whitelist’ places for the transfer of personal data outside of Malaysia. Under Malaysia’s Personal Data Protection Act 2010 (Malaysia PDPA), an organisation has to satisfy certain conditions set out under section 129(3) of the Malaysia PDPA prior to any cross-border transfer of personal data, unless the personal data is transferred to jurisdictions that have been approved and published in the Official Gazette by the Minister responsible for personal data.

To date, no jurisdiction has been specified in the Official Gazette. Accordingly, any cross-border transfer of personal data outside of Malaysia must rely on one of the exceptions under the Malaysia PDPA, which include the following:

(a) Where the data subject has consented to the transfer.

(b) Where the transfer is necessary for the performance of a contract between the data subject and the data user.

(c) Where the transfer is necessary to protect the vital interests of the data subject.

(d) Where the data user has taken all reasonable precautions and exercised all due diligence to ensure that the personal data will not be processed in the recipient country in any manner that would have been a contravention of the Malaysia PDPA.

The Draft Order sets out a provisional list of ‘whitelist’ jurisdictions, to which additional places would be added as and when required. At present, the draft list of ‘whitelist’ jurisdictions includes the European Economic Area, the United Kingdom (UK) and other jurisdictions that have been recognised by the European Commission (EC) as adequate for cross-border transfers of personal data, such as Andorra, Argentina, the Faroe Islands, Guernsey, New Zealand and Uruguay. Within the region, Singapore, Hong Kong, China and Japan have also been included in the list.

Separately, on 3 May 2017, a local private college operator was charged under the Malaysia PDPA for processing the personal data of an ex-employee without the requisite certificate of registration issued by the Malaysia Personal Data Protection Commissioner, in contravention of section 16(1) of the Malaysia PDPA. This marks the first prosecution under the Malaysia PDPA, and the commencement of the enforcement phase of the Malaysia PDPA.

PHILIPPINES

Philippines’ National Privacy Commission releases supplementary materials to Data Privacy Act

The National Privacy Commission (NPC) recently released new material and services on its website (Services) which are intended to supplement the Data Privacy Act (DPA).

The Services comprise three sections: (a) “I Want to Know More”; (b) “I Want to Comply”; and (c) “I Want to Complain”.

“I Want to Know More”

This section provides guidance on the DPA framework, including general information about the rights of data subjects, the DPA and its implementing rules and regulations, as well as Memorandum Circulars and Advisories issued by the NPC. At present, there are four Memorandum Circulars, in relation to each of the following:

(a) Security of Personal Data in Government Agencies;
(b) Data Sharing Agreements Involving Government Agencies;
(c) Personal Data Breach Management; and
(d) Rules of Procedure,

and one Advisory on the Designation of Data Protection Officers. The section also features a “Beginner’s Guide to Personal Data Privacy”, which sets out tips for individuals to safeguard their data privacy online, as well as various other interactive resources such as videos and presentations.

“I Want to Comply”

This section addresses the various measures that organisations should take to comply with the DPA, including:

(a) Registration with the DPA.
(b) Appointing a Data Protection Officer (DPO).
(c) Conducting a privacy impact assessment.
(d) Creating a Privacy Manual.
(e) Implementing privacy and data protection measures.
(f) Exercising breach reporting procedures.

Each of the above subsections provides organisations with detailed guidance on adopting the various measures. For instance, under “Appointing a DPO”, organisations may find guidance on such matters as selecting an appropriate individual to be appointed as the DPO, the duties and responsibilities of a DPO, as well as subcontracting the functions of the DPO.

“I Want to Complain”

This section sets out information on who may complain about data privacy violations or personal data breaches under the DPA, the complaint process, and related matters. Generally, individuals are able to make formal complaints by:

(a) Filing a complaint-affidavit, together with copies of supporting evidence and affidavits of any witnesses, at any NPC office; or

(b) Electronic filing, attaching the relevant documents in an email sent to [email protected], or submitting a portable electronic data storage device to any NPC office.

Under this section, individuals are also able to submit an “assisted” complaint via a guided online form, or submit queries regarding data privacy via the “AskPriva” service.

Philippines’ Privacy Commission issues compliance order to COMELEC for 2nd major data breach

On 13 February 2017, the NPC issued a Compliance Order to the Commission on Elections (COMELEC) to take serious measures to address its data processing vulnerabilities following the theft of a computer from the Office of the Election Officer (OEO) in Wao, Lanao Del Sur, one month earlier. The theft was the second major data breach suffered by COMELEC in less than a year; the first was a website data breach. The stolen OEO computer contained data from the Voter Registration System (VRS) and Voter Search applications, and the National List of Registered Voters (NLRV), as well as biometric records of registered voters in Wao, Lanao Del Sur.

An initial probe into the breach also uncovered the practice of COMELEC field offices across the Philippines of maintaining their own soft copies of the NLRV. The NLRV contains the personal data of some 55 million voters in the country. The Compliance Order directed the COMELEC to erase all copies of the NLRV stored in the computers of each of its field offices in the country, if the COMELEC is unable to secure the NLRV database using appropriate organisational, physical and technical measures. The NPC also directed the COMELEC to notify all affected data subjects within two weeks, either individually (for those with records in the VRS in Wao, Lanao Del Sur), or through publication in two newspapers of general circulation (for those with records in the NLRV).

CHINA

China’s Cyberspace Administration releases amended draft Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data

On 11 April 2017, the Cyberspace Administration of China (CAC) released the draft Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (Draft Measures), for public comments. The public consultation ended on 11 May 2017. The Draft Measures are intended to facilitate the implementation of the recently enacted Cybersecurity Law, which took effect on 1 June 2017. For commentary on the Cybersecurity Law, please see our Data Protection Quarterly Update published in January 2017.

Shortly after the public consultation closed, the CAC on 19 May 2017 released a revised version of the Draft Measures (Amended Draft Measures). The public consultation had attracted a considerable amount of industry feedback, with many resisting the measures proposed in the Draft Measures. To some extent, the Amended Draft Measures are less stringent than the original Draft Measures. Notable amendments include the following:

(a) Delayed implementation date

While the Amended Draft Measures are stated to take effect at the same time as the Cybersecurity Law, i.e., on 1 June 2017, their implementation/enforcement will take place from 31 December 2018. Network operators covered under the Amended Draft Measures will therefore have a further grace period to comply with the requirements thereunder.

(b) Consent requirements

Under the Amended Draft Measures, the requirement for network operators to obtain consent from data subjects to cross-border transfers of their personal data has been relaxed in certain circumstances. For instance, an exemption has been introduced in relation to cross-border transfers of personal data which are necessary to respond to an emergency threatening the life or property of citizens. Under the Amended Draft Measures, consent may also be implied where cross-border transfers of personal data are initiated by the data subject, such as by making international calls and online transactions, or sending emails and instant messages to recipients overseas.

(c) Security self-assessments

The Amended Draft Measures retain the general requirement for network operators to carry out security self-assessments in respect of cross-border data transfers. However, the obligation to do so annually, as well as to report the outcome of the self-assessments to the relevant authority (as previously provided under the Draft Measures), have been removed.

(d) Government security assessments

The Amended Draft Measures reduce the number of circumstances in which cross-border data transfers would be subject to a government-administered security assessment. In particular, government security assessments would no longer be required merely because the personal data: (i) transferred overseas exceeds 1,000 GB; or (ii) is transferred overseas by an operator of critical information infrastructure (CII). The Amended Draft Measures continue to subject cross-border data transfers to government security assessment where: (a) the transfer involves personal data of 500,000 individuals or more; or (b) the data relates to such matters as nuclear facilities, biochemistry, national defence, public health, large-scale engineering activities, marine environments, and sensitive geographical information. However, the Amended Draft Measures do not provide for the process by which a government-administered security assessment would be conducted, and have further removed the requirement previously under the Draft Measures for such government security assessment to be completed within 60 days.

(e) Definition of personal data

While the definition of personal data remains non-exhaustive, the Amended Draft Measures now expressly clarify that location and behavioural data are personal data for the purposes of the Amended Draft Measures.

AUSTRALIA

Australia’s Information Commissioner publishes new data protection guidance

On 8 May 2017, the Office of the Australian Information Commissioner (OAIC) published a new guidance document, “What is personal information?” (OAIC Guidance), to assist businesses and agencies in applying the definition of “personal information” under the Privacy Act 1988. The OAIC Guidance is intended as a more detailed resource on the matter, following the recommendation of the Federal Court of Australia in its decision in Privacy Commissioner v Telstra Corporation Limited.

The OAIC Guidance recognises that in most cases, whether information is “personal information” within the meaning of the Privacy Act would be straightforward. Where there is uncertainty, however, the OAIC Guidance recommends that entities err on the side of caution by treating the information as personal information.

The OAIC Guidance sets out a checklist of factors that entities may take into account in determining whether information is “personal information” for the purposes of the Privacy Act, and provides illustrative examples, including hypothetical case studies, to aid entities. For instance, the OAIC Guidance addresses common issues that could arise in determining whether information constitutes “personal information”, such as information having more than one subject matter or relating to more than one person, and the format of the information. The OAIC Guidance also sets out certain types of information which would not be regarded as personal information for the purposes of the Privacy Act, such as business information and de-identified information.

NEW ZEALAND

New Zealand’s Privacy Commissioner recommends changes to Privacy Act

On 3 February 2017, following a review of the operability of the Privacy Act (Act), the New Zealand Privacy Commissioner proposed six recommendations to the Government for the reform of the Act. The Privacy Commissioner is required, pursuant to section 26 of the Act, to conduct periodic reviews of the operation of the Act, and to consider whether amendments are necessary or desirable to ensure that the Act is fit for purpose in the current and future environment. The Privacy Commissioner’s findings are then reported to the Minister of Justice.

In its latest report, the Privacy Commissioner made recommendations in relation to the following:

(a) right to data portability;
(b) controls on re-identification;
(c) new power to require demonstrations of agency compliance;
(d) new civil penalty;
(e) adjustments to criminal offences; and
(f) proceeding with public register reform.

Right to data portability

Broadly, the right to data portability would allow individuals to request that an agency transfer their personal information, in an electronic format that remains usable, to another agency. Consumers, in particular, would be able to rely on such a right to request the transfer of their personal information when switching providers, such as in relation to banking, telecommunications and internet services.

The proposed right to personal information (or data) portability would support and strengthen the fundamental right of access to information, and enhance consumer choice. If adopted, the new consumer right would mirror the right provided under the European Union (EU) General Data Protection Regulation (GDPR), which comes into force in 2018.

Controls on re-identification

The Privacy Commissioner recommended that the Act include protections against the risk that individuals may be unexpectedly identified from data that has purportedly been de-identified (or anonymised). Amongst several options considered, the Privacy Commissioner suggested that the protections could be introduced most effectively and flexibly by way of a new privacy principle. The new privacy principle would limit the re-identification of previously de-identified or anonymised personal information, except in limited circumstances.

Additional power to require demonstrations of compliance

Under this recommendation, the Privacy Commissioner would be empowered to require an agency to demonstrate ongoing compliance with the Act, by:

(i) establishing a privacy management programme or plan that is adequate for its purposes;
(ii) reporting to the Privacy Commissioner on steps taken to achieve compliance; and/or
(iii) publicly reporting on its position with regard to its privacy management programme.

New civil penalty

The recommendation is intended to address a gap in the regulatory sanctions presently available: non-compensatory civil sanctions are not currently provided for under the Act. The report also recommended that the Privacy Commissioner be empowered under the Act to apply to the High Court for a civil penalty to be imposed in cases of serious breaches. The proposed maximum penalty would be NZ$100,000 for individuals, or NZ$1 million in the case of a body corporate.

Adjustments to criminal offences

The Privacy Commissioner recommended that the defences currently available in respect of the criminal offences for obstructing the Privacy Commissioner or failing to comply with a lawful requirement of the Privacy Commissioner (under sections 127(a) and (b) of the Act) be narrowed. Three reform options were identified:

(i) replacing the “reasonable excuse” defence, which the Privacy Commissioner considered has prevented the satisfactory operation of the offences, with the defence of “lawful justification or excuse”;
(ii) recasting these offences as strict liability (the Privacy Commissioner’s preferred option); or
(iii) providing the option for the Privacy Commissioner to seek a pecuniary penalty order in relation to these offences as an alternative to prosecution.

Public register reform

The Privacy Commissioner took the view that the public register privacy principles (PRPPs) (and related provisions) in Part 7 of the Act should be repealed, and replaced by provisions for:

(i) the suppression of personal information in public registers in appropriate circumstances, where there is a safety risk, by way of application to the Privacy Commissioner; and
(ii) complaints to the Privacy Commissioner in relation to breaches of access conditions as provided in each public register enactment.

Broadly, public registers are registers or databases of information to which the public has some specific statutory right of access. Public registers are regulated by a number of enactments, both specific to each register and of general applicability (e.g., the PRPPs under the Act). The Privacy Commissioner recommends the repeal of the PRPPs on the basis that the minimum safeguards they provide for have become unnecessary in the current digital environment, and that more relevant safeguards are now provided for in the laws regulating the specific public registers.

RUSSIA

Russia increases fines for violations of data protection laws

On 7 February 2017, the Russian President signed into law a bill (Law) to amend the Russian Code on Administrative Offences (Code). With effect from 1 July 2017, the Law will enhance the administrative penalties for data protection violations under the Code, which currently provides for low maximum fines. In addition to increasing the fines for violations of data protection laws, the new Law will also distinguish between the following breaches of data protection laws by organisations (and their officers):

(a) Processing personal data otherwise than in accordance with data protection laws, and/or processing which is incompatible with the purposes for which the personal data was collected.

(b) Processing personal data without the prior written consent of a data subject where such consent is required under data protection laws, and/or failure to provide certain prescribed information when obtaining consent.

(c) Failure to comply with the requirement to provide a data subject with information relating to the processing of the individual’s personal data.

(d) Failure to comply with the requirement to publish or otherwise make publicly available the organisation’s privacy policy.

(e) Failure to comply with a data subject’s request to update, block or delete personal data, where such data is incomplete, outdated, incorrect, unlawfully obtained, or no longer necessary for the purposes of processing.

(f) Where the organisation carries out non-automated processing of personal data, failure by the organisation to ensure the security of, or to prevent unauthorised access to, any material media containing the personal data, resulting in: (i) unauthorised or accidental access; (ii) destruction, modification, blocking, copying or disclosure; or (iii) any other unauthorised acts, in respect of the personal data.

Russia blocks LinkedIn

Since November last year, Russia has blocked LinkedIn in the country for violation of the data localisation requirement under local data protection laws. Pursuant to Federal Law No. 242, which introduced amendments to several Russian laws, including key data protection legislation, the data localisation requirement was extended to all companies operating online which process the personal data of Russian citizens, in addition to internet companies providing services in Russia. Companies which breach the data localisation requirement would be subject to a financial penalty. In addition, the Roskomnadzor, which enforces data protection laws in the country, has the power to petition the Russian courts to block websites for non-compliance with the data localisation requirement.

Since the amendments to the data protection laws came into force on 1 September 2015, the Roskomnadzor has carried out ad hoc compliance inspections on companies.

In the case of LinkedIn, the Roskomnadzor had first brought the matter to the first instance court in August 2016, where the court ruled in favour of the Roskomnadzor. In November 2016, LinkedIn appealed the matter to the Moscow City Court, on the bases that the company had no physical presence in Russia and did not target Russian users specifically. LinkedIn also sought to argue that, as the Roskomnadzor had communicated with the company’s United States (US) office instead of its Irish office, which processes the data of non-US citizens, the company had not been given proper notification. However, the Moscow City Court denied the appeal and upheld the lower court’s order to block access to LinkedIn in Russia for breach of the data localisation requirement under Russian data protection laws.

EUROPEAN UNION

Article 29 Working Party (WP29) issues draft guidance on Data Protection Impact Assessments (DPIA)

On 4 April 2017, the WP29, which consists of a representative from the data protection authority of each EU Member State, a representative of the authorities established for the EU institutions and bodies, and a representative of the EC, adopted the “Guidelines on Data Protection Impact Assessment and determining whether processing is likely to result in a high risk for the purposes of Regulation 2016/679” (Guidelines). A DPIA is, in the context of processing of personal data, a process to describe the processing, assess the necessity and proportionality of such processing and help manage the risks to the rights and freedoms of natural persons resulting from such processing.

The following paragraphs set out briefly a non-exhaustive summary of the Guidelines.

Interpretation of the circumstances in which a DPIA is mandatory

Article 35(1) of the GDPR provides that a DPIA is required to be conducted when the processing of personal data is “likely to result in a high risk to the rights and freedoms of natural persons”. Article 35(3) of the GDPR provides a non-exhaustive list of circumstances where the processing is likely to be high risk, including systematic evaluation and profiling on which decisions are taken which have legal effect or significantly affect individuals; processing on a large scale of sensitive data; and systematic monitoring of a publicly accessible area on a large scale.

In addition, the Guidelines provide the following list of 10 potentially high-risk processing activities:

(a) evaluation or scoring, including profiling and predicting;
(b) automated decision making with legal or similar significant effect;
(c) systematic monitoring;
(d) use of sensitive data;
(e) data processed on a large scale;
(f) datasets which have been matched or combined;
(g) data concerning vulnerable data subjects;
(h) innovative use or applying technological or organisational solutions;
(i) data transfers outside the EU; and
(j) where the processing in itself prevents data subjects from exercising a right or using a service or contract.

As a rule of thumb, the WP29 further suggests that where the processing meets more than two of the criteria, there is likely to be a high risk such that a DPIA should be carried out. Generally, a DPIA is not required where the processing:

(a) is not “likely to result in a high risk to the rights and freedoms of natural persons”;
(b) has a legal basis in EU or EU Member State law which sets out that an initial DPIA does not have to be carried out, where the law regulates the processing operation and where a DPIA has already been carried out as part of the establishment of that legal basis, according to the standards of the GDPR; or
(c) is included on the optional list, established by the supervisory authority, of processing operations for which no DPIA is required.

An analysis of when and how organisations should carry out a DPIA

Generally, a DPIA should be conducted before the processing of personal data and should be started as early as practical in the design of the processing operation, even if the DPIA has to be reviewed as part of an on-going process as the project develops. The data controller is ultimately responsible for ensuring that the DPIA is conducted, and if the processing is wholly or partly performed by a data processor, the processor should assist the controller in conducting the DPIA and provide any necessary information.

The Guidelines provide that different methodologies may be used to carry out a DPIA provided that the following minimum requirements set out pursuant to Article 35(7) of the GDPR are met:

(a) a description of the envisaged processing operations and the purpose of the processing;
(b) an assessment of the necessity and proportionality of the processing;
(c) an assessment of the risks to the rights and freedoms of data subjects; and
(d) the measures envisaged to address the risks and demonstrate compliance with the GDPR.

Nevertheless, the following criteria should be used to assess whether these different methodologies are sufficiently comprehensive to comply with the GDPR:

(a) A systematic description of the processing is provided: amongst other criteria, the nature, scope, context and purposes of the processing are taken into account; and the assets on which personal data rely (hardware, software, networks, people, paper or paper transmission channels) are identified.

(b) Necessity and proportionality are assessed: amongst other criteria, the lawfulness of processing; limited storage duration; rights of access and portability for data subjects; and safeguards surrounding international transfers for data subjects.

(c) Risks to the rights and freedoms of data subjects are managed: amongst other criteria, potential impacts on the rights and freedoms of data subjects are identified in case of illegitimate access, undesired modification and disappearance of data.

(d) Interested parties are involved: the advice of the Data Protection Officer is sought; and/or the views of data subjects or their representatives are sought.

Mid-Term review of the Digital Single Market Strategy

On 10 May 2017, the EC published, in the form of a Communication, the mid-term review of its Digital Single Market Strategy, which seeks to open up digital opportunities for people and businesses and enhance Europe’s position as a world leader in the digital economy. Notably, the Communication has identified, amongst three areas where further EU action is required, the development of the European Data Economy to its full potential. For the data economy to help European businesses grow, modernise public services and empower citizens, data has to be continuously accessible and able to move freely within the single market. In order to develop the European Data Economy to its full potential, the EC has set out that it aims to:

(a) prepare a legislative initiative on the EU free flow of data cooperation framework (which considers the principle of free flow of data within the EU and the principle of porting non-personal data), to be completed by Autumn 2017;
(b) prepare an initiative on the accessibility and reuse of public and publicly funded data, as well as to explore the issue of privately held data which are of public interest, to be completed by Spring 2018;
(c) further analyse whether to define principles to determine liability in cases of damage caused by data-intensive products; and
(d) continue to assess the need for action concerning emerging data issues such as data access rights.

EU Member States’ initiatives to comply with the GDPR, which comes into force in May 2018 The EU’s GDPR, which is aimed at enabling citizens in the EU to have better control of their data, and in addition, to allow businesses to make the most of opportunities in the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust, will come into effect on 25 May 2018. The following paragraphs sets out a nonexhaustive list of initiatives undertaken by various EU Member States thus far to prepare for the implementation and enforceability of the GDPR. Ireland On 12 May 2017, the Irish Minister for Justice published the General Scheme of the Data Protection Bill 2017 (Scheme), which is a general policy statement that may be considered by a committee of the Irish Parliament. The Scheme provides, amongst other things, the following: (a) Modernisation of the role of the Irish Data Protection Commissioner to form the Data Protection Commission. (b) Procedural safeguards and due process to regulate the powers of the Data Protection Commissioner. (c) Significant changes to the investigative processes of the Data Protection Commissioner. (d) The implementation of the new Data Protection Directive, which deals with the processing of personal data by competent authorities or other entities that are engaged in the prevention, investigation, detection or prosecution of crime.

Spain On 11 May 2017, the Spanish Data Protection Authority (SDPA) issued a Code of Best Practices in Data Protection for Big Data Projects (BDP Code), which was jointly developed by the SPDA and ISMS Forum Spain, a Spanish association for the promotion of information security in collaboration with companies and professionals. The BDP Code provides an analysis of the current legal framework as well as the implications associated with the use of Big Data, in light of the GDPR. Amongst other things, the BDP Code provides the following: (a) How privacy ought to be taken into consideration from the outset of a big data protection project: principles and procedures to ensure compliance such as privacy by design, accountability, data protection, impact assessment and the use of dissociated data. (b) Practical advice and measures to improve privacy and security in big data projects: amongst other measures, minimise the amount of personal data in big data projects; process personal data at the highest possible level of aggregation and with the least amount of detail; protect personal data and its interrelationships in a way that makes it invisible to users; inform data subjects adequately on how data subjects can exercise their rights and know the processing of their data at all times; implement of a privacy policy that is compatible with legal requirements; and demonstrate compliance with the privacy policy and any applicable legal requirements. Germany On 12 May 2017, the Federal Council adopted a draft bill for a new Federal Data Protection Act in light of the entry into force of the GDPR (Bill). The Bill requires the signature of the President of Germany before becoming law. Once this Bill is signed, Germany will be the first EU Member State to formally adopt legislation to implement the GDPR. Italy On 28 April 2017, the Italian Data Protection Authority issued guidance on the GDPR (Guidance). This Guidance provides more insight in relation to the following six areas:

(a) the legal grounds for data processing;
(b) information notices;
(c) data subjects’ rights;
(d) the relationship and responsibilities between data controllers and data processors;
(e) the adoption of a risk-based approach and accountability; and
(f) cross-border data transfers.

Bavaria

On 24 May 2017, the Bavarian Data Protection Authority published a questionnaire, which seeks to assist companies in assessing their level of implementation of the GDPR. Amongst other things, the questionnaire examines the following:
(a) procedures relating to the GDPR and the DPO’s responsibilities;
(b) data processing activities, inventories and privacy by design;
(c) issues surrounding external vendors and data processing agreements;
(d) transparency, privacy notices and individuals’ rights;
(e) accountability, the risk-based approach and security measures; and
(f) data breach notification.

United Kingdom

On 2 April 2017, the Information Commissioner’s Office (ICO) released a consultation paper for UK organisations to comment on how the new profiling provisions under the GDPR could be interpreted and applied. Under the GDPR, profiling is the automated processing of personal data to evaluate personal aspects of an individual, in particular to analyse or predict professional performance, economic situation, personal preferences, reliability, behaviour, location or movements. The GDPR regulates profiling and introduces new obligations for data controllers in relation to profile creation and automated decision-making.

In addition, on 12 April 2017, the Department for Culture, Media & Sport released a consultation paper for organisations to comment on the derogations (i.e., exemptions) within the GDPR. These derogations relate to the following themes:
(a) supervisory authority;
(b) sanctions;
(c) demonstrating compliance;
(d) data protection officers;
(e) archiving and research;
(f) third country transfers;
(g) sensitive personal data and exceptions;
(h) criminal convictions;
(i) rights and remedies;
(j) processing of children’s personal data by online services;
(k) freedom of expression in the media;
(l) processing of data;
(m) restrictions;
(n) rules surrounding churches and religious associations; and
(o) the steps the UK Government should take to minimise the cost or burden to businesses due to the GDPR.

UK’s ICO fines lawyer who stored client files on home computer

On 10 March 2017, the ICO issued a monetary penalty of £1,000 to a senior barrister specialising in family law for a breach of the seventh data protection principle set out in Part I of Schedule 1 to the Data Protection Act 1998 (DPA 1998), which provides that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data (Seventh DP Principle).

Background

On 19 September 2015, the senior barrister’s husband temporarily uploaded 725 unencrypted files to an online directory as a backup during a software upgrade of her desktop computer. Notably, these unencrypted files were visible to an internet search engine. Fifteen of the files were cached and indexed and were therefore easily accessible by searching for a recognisable word. Six of the 15 documents contained confidential and highly sensitive information relating to lay clients involved in proceedings in the Court of Protection and the Family Court. In total, up to 250 people, including vulnerable adults and children, were affected by the incident.

ICO’s Findings

The ICO found that there was an ongoing contravention of the Seventh DP Principle from January 2013 until 5 January 2016, when remedial action was taken. The ICO was of the view that the contravention was serious, due to the nature of the personal data contained in the files, the number of affected individuals and the potential consequences. As to whether the contravention was likely to cause substantial distress to the senior barrister’s clients, the ICO considered that it was, given the confidential and highly sensitive nature of the information contained in the files. As to whether the contravention was deliberate or foreseeable, the ICO considered it a serious oversight on the part of the senior barrister rather than a deliberate intent to ignore or bypass the provisions of the DPA 1998. The ICO further noted that the senior barrister could have taken reasonable steps to prevent the contravention but did not, in particular by encrypting the files on her home desktop computer, notwithstanding that in January 2013 the Bar Council and the senior barrister’s employer had issued guidance to barristers that a shared computer may require the encryption of specific files in order to prevent unauthorised access to confidential information by other users of the computer.

In considering the quantum of the penalty, the ICO took into account the following two mitigating factors:
(a) the senior barrister’s full cooperation with the ICO; and
(b) that remedial action had been taken as of 5 January 2016.

ICO issues record fine of £400,000 for firm behind nearly 100 million nuisance calls

On 3 May 2017, the ICO issued a monetary penalty of £400,000 to Keurboom Communications Ltd (Keurboom), which used an automated calling system to make recorded direct marketing calls, contrary to regulation 19 of the Privacy and Electronic Communications Regulations (PECR). Regulation 19 provides that a person shall neither transmit, nor instigate the transmission of, communications comprising recorded matter for direct marketing purposes by means of an automated calling system, except where the called line is that of a subscriber who has previously notified the caller that for the time being he or she consents to such communications being sent by, or at the instigation of, the caller on that line. This is the highest fine the ICO has ever issued for nuisance calls.

Background

Amongst other services, Keurboom provides telephony services, including “voice broadcasting”, to companies seeking to generate leads and maximise potential sales. Between 29 April 2015 and 7 June 2016, the ICO received 1,036 complaints in relation to automated calls made over an 18-month period. Some complainants received repeat calls (sometimes on the same day) and calls during unsocial hours. The calls mainly related to road traffic accident claims and payment protection insurance compensation; were misleading in that they gave the impression that the calls were urgent; did not identify the sender; and offered an option of being connected to a person or of having the number suppressed, which was not always effective.

ICO’s Findings

The ICO found that between 6 April 2015 and 31 March 2016, 91,497,411 outbound calls were made using lines allocated to Keurboom, without the prior consent of the subscribers called.

The ICO was of the view that the contravention was serious due to the number of calls, the nature of the calls, the times at which the calls were made and the fact that repeat calls were made to subscribers. As to whether the contravention was deliberate or foreseeable, the ICO considered that Keurboom had deliberately sent or instigated automated marketing calls on a massive scale to subscribers. The ICO further found that Keurboom had contravened regulation 24 of the PECR, as Keurboom did not identify the person sending the automated marketing calls or provide that person’s address or a telephone number on which he or she could be reached free of charge. In considering the quantum of the penalty, the ICO took into account the following two aggravating factors:
(a) Keurboom’s lack of cooperation with the ICO’s investigation; and
(b) the commercial advantage Keurboom may have obtained over its competitors by generating leads from unlawful marketing practices.

ICO announces formal investigation into the use of data analytics for political purposes

On 17 May 2017, the ICO announced the commencement of a formal investigation into the use of data analytics for political purposes. The reasons driving this investigation include the following:
(a) Engagement with the electorate is vital to the democratic process.
(b) The public has the right to expect that political campaigns are conducted in accordance with the laws relating to data protection and electronic marketing.
(c) Data analytics have a significant potential impact on individuals’ privacy, so greater transparency about the use of data analytics is required to ensure that people have control over their own data.

In terms of methodology, the ICO intends to consider the following:
(a) Practices deployed during the UK’s European Union Referendum campaign.
(b) Potentially, practices deployed during other campaigns.
(c) Given the transnational nature of data, the practices of companies operating internationally that have an impact on, or handle, data in the UK.

The ICO expects to provide an update on the formal investigation later in the year.

ICO issues fines against 11 charities totalling £138,000 for misusing information from past donors for the purpose of raising further funds

On 5 April 2017, the ICO announced that it had fined 11 charities for breaches of their obligations under the DPA 1998. These fines follow the fines issued to two other charities in December 2016 (the Royal Society for the Prevention of Cruelty to Animals was issued with a £25,000 fine and the British Heart Foundation with an £18,000 fine). The ICO’s investigation between 2015 and 2017 revealed that the 11 charities had been:
(a) Ranking donors based on wealth: some charities hire companies to investigate income, lifestyle, property values and a person’s circle of friends in order to find the wealthiest and most valuable donors; these companies identify donors they believe charities should target because they are most likely to leave money in their wills.
(b) Finding out information that donors did not provide: some charities hire companies to update information and/or find missing information in their databases; and/or
(c) Sharing personal data with other charities for any purpose and with no record: some charities exchange donor information with other charities through an external organisation to obtain details of prospective donors.

The charities and their breaches are as follows:

(a) Battersea Dogs’ and Cats’ Home: fine of £9,000 issued for trying to find out information that was not provided by donors a total of 740,181 times between 2011 and 2015.
(b) Cancer Research UK: fine of £16,000 issued for ranking 3,523,566 donors based on wealth between 2010 and 2016; and trying to find out information that was not provided by donors by matching 678,887 telephone numbers to these donors between 2011 and 2016.
(c) Cancer Support UK (formerly Cancer Recovery Foundation UK): fine of £16,000 issued for sharing 3,075,550 records with organisations including a health supplements company and lottery and prize promotion companies between 2010 and 2016.
(d) Great Ormond Street Hospital Children’s Charity: fine of £11,000 issued for sharing 910,283 records between 2011 and 2015; sending an average of 795,000 records per month to a wealth screening company between 2010 and 2016; and finding out information that was not provided by donors by matching 103,500 email addresses and 208,000 dates of birth to donors.
(e) Macmillan Cancer Support: fine of £14,000 issued for ranking 2,188,508 donors based on wealth between 2009 and 2014; and finding out information that was not provided by several hundred thousand donors since 2009.
(f) Oxfam: fine of £6,000 issued for sending marketing text messages, between 2013 and 2015, in response to text messages making donations, thereby using contact details that donors had not provided for that purpose.
(g) The Guide Dogs for the Blind Association: fine of £15,000 issued for ranking 1,770,221 donors based on wealth between 2008 and 2015; finding out information that was not provided by donors by matching 248,094 telephone numbers to donors between 2010 and 2016; and using the same approach between 2014 and 2015 to identify supporters who had not agreed to Gift Aid their donations to the charity but had done so for other charities.
(h) The International Fund for Animal Welfare: fine of £18,000 issued for sharing 4,948,633 records between 2011 and 2015; ranking donors based on wealth between 2007 and 2009; ranking 466,206 donors based on wealth between 2012 and 2013; finding out information that was not provided by donors by matching 220,286 telephone numbers to donors between 2006 and 2016 and 50,282 email addresses to donors between 2012 and 2013; and emailing donors without their consent.
(i) The National Society for the Prevention of Cruelty to Children: fine of £12,000 issued for not informing 22,608 donors between 2014 and 2015 that the personal data collected would be used for marketing purposes by telephone and mail; finding out information that was not provided by donors by matching 246,751 telephone numbers and 115,741 email addresses to donors between 2010 and 2016; and ranking 5,870,135 donors based on wealth in 2014.
(j) The Royal British Legion: fine of £12,000 issued for ranking 1,499,799, 1,478,279 and 2,455,670 donors based on wealth in 2010, 2012 and 2014 respectively; and finding out information that was not provided by donors by matching 900,000 telephone numbers and 52,966 email addresses to donors between 2010 and 2016.
(k) WWF-UK: fine of £9,000 issued for sharing 174,512 donor records between 2012 and 2015; ranking 643,531 donors based on wealth in 2006, 2011 and 2016; and finding out information that was not provided by 55,684 donors.

Notably, the fines do not reflect the severity of the contraventions: the ICO took the view that depriving charities of large sums would only inflict further distress on donors, and therefore significantly reduced the quantum of the fines. On a related note, the Charity Commission for England and Wales is currently contemplating whether further action should be taken against individual trustees.

UK’s National Data Guardian (NDG) criticises the transfer of 1.6 million patient records from the Royal Free Hospital to Google’s artificial intelligence company, DeepMind Health (DeepMind), as having an “inappropriate legal basis”

DeepMind received 1.6 million identifiable personal medical records pursuant to a data sharing agreement between the Royal Free National Health Service Trust in London (Trust) and DeepMind. On 16 May 2017, the NDG, Dame Fiona Caldicott, who advises and challenges the UK health and social care system to help ensure that citizens’ confidential information is used properly and safeguarded securely, criticised the transfer as having been conducted on an “inappropriate legal basis”. The Trust informed the NDG that it had relied on implied consent to share the data with DeepMind, as the initial legal basis for the transfer was that the data would be used for the “direct care” of patients. However, during the pilot test of an app called Streams, intended to assist in diagnosing acute kidney injury in National Health Service patients, it appears that the main goal was to ensure that the app was functioning well rather than to assist in the direct care of patients. As such, the NDG is of the view that, given that Streams was undergoing testing, any role it might have played in supporting the provision of direct care would have been limited and secondary to the purpose of the data transfer.

While the NDG is not an independent regulator, Caldicott’s opinion has informed the ICO’s investigation into this matter. In May 2017, the ICO indicated that the investigation was close to its conclusion.

United States

Trump signs repeal of broadband privacy rules

On 3 April 2017, US President Donald Trump signed into law a bill reversing the Federal Communications Commission (FCC) broadband privacy rules (FCC Rules), which were adopted during the previous Obama administration. The repealed FCC Rules required Internet Service Providers (ISPs) in the United States, such as Verizon, Comcast and AT&T, to obtain their customers’ consent prior to the collection, use and sharing of customer personal information, amongst other data-related rules. Opponents of the FCC Rules argued that they created an uneven regulatory landscape that applied differently to ISPs and to other website operators, where website operators were only required to comply with the less strict regime overseen by the Federal Trade Commission (FTC), which is enforced ex post on a case-by-case basis. Under the FCC Rules, ISPs were required to obtain customer consent before using customer data for targeted advertising, a practice widely used by advertising giants such as Google and Facebook without the need for additional consumer consent. In addition, the consent requirement extended to categories of information such as web browsing history, communications content and application usage history, which are not regulated under the FTC framework. Moreover, making customer consent a condition of the offer of broadband services, which the FCC Rules prohibited, is permitted under the FTC guidelines. With the repeal of the FCC Rules, privacy issues in the offer of broadband access fall under the general FTC regulatory regime.

The Drew & Napier Telecommunications, Media and Technology Team For more information on the TMT Practice Group, please click here.

Lim Chong Kin  Director and Head of TMT Practice Group Chong Kin practises corporate and commercial law with a strong emphasis on the specialist areas of TMT law and competition law. He regularly advises on regulatory, licensing, competition and market access issues. Apart from his expertise in drafting “first-of-its-kind” competition legislation, Chong Kin also has broad experience in corporate and commercial transactions, including mergers and acquisitions. He is widely regarded as a pioneer in competition practice in Singapore and the leading practitioner on TMT and regulatory work. Chong Kin has won plaudits for his “excellent legal knowledge and in-depth understanding of the regulator” (Asia Pacific Legal 500 2017); has been recognised as “incisive, insightful and knowledgeable” (Chambers Asia Pacific 2017: Band 1 for TMT); and has been endorsed for his excellence in regulatory work and competition matters: Practical Law Company’s Which Lawyer Survey 2011/2012; Who’s Who Legal: TMT 2016 and Who’s Who Legal: Competition 2016. Asialaw Profiles 2017 notes: “He’s provided excellent client service and demonstrated depth of knowledge.” Tel: +65 6531 4110  Fax: +65 6535 4864  Email: [email protected]

Charmian Aw  Director Charmian is a Director in Drew & Napier’s TMT Practice Group. She is frequently involved in advising companies on a wide range of corporate, commercial and regulatory issues in Singapore. Charmian has also been actively involved in assisting companies with Singapore data protection law compliance, including reviewing contractual agreements and policies, conducting training and audits, and advising on enforcement issues relating to security, access, monitoring and data breaches. Charmian is “recommended for corporate-related TMT and data privacy work” by The Asia Pacific Legal 500 2016, and a Leading Lawyer in Who’s Who Legal TMT 2016. In 2015, she was listed as one of 40 bright legal minds and influential lawyers under the age of 40 by Asian Legal Business and Singapore Business Review respectively. Charmian is a Certified Information Privacy Professional for Europe, the United States and Asia (CIPP/E, CIPP/US, CIPP/A), and is currently a co-chair of the International Association of Privacy Professionals (IAPP) KnowledgeNet chapter in Singapore. Tel: +65 6531 2235  Fax: +65 6535 4864  Email: [email protected]

Copyright in this publication is owned by Drew & Napier LLC. This publication may not be reproduced or transmitted in any form or by any means, in whole or in part, without prior written approval. Drew & Napier LLC accepts no liability for, and does not guarantee the accuracy of information or opinion contained in this publication. This publication covers a wide range of topics and is not intended to be a comprehensive study of the subjects covered nor is it intended to provide legal advice. It should not be treated as a substitute for specific advice on specific situations.
