Technology has transformed and disrupted long standing industries as well as created new industries along the way. The digital revolution in the healthcare industry appears to have been long promised but much delayed. There may be a number of understandable reasons why the wheels have not turned so quickly. For instance, unlike say the financial services industry which is private sector led, the healthcare industry has obvious public sector touch points which can make any sort of change slower. But just as information about an individual’s bank balance or salary is considered confidential, so a person’s health information is particularly sensitive, both in a legal sense (because health information is categorised as sensitive under EU data protection law) but also in an obviously everyday sense – people feel that their health information (in most but not all circumstances) is private.
Although Asia’s data privacy laws draw from a common set of guiding principles, each law is unique. Moreover, as freshly minted regulators come to grips with these new laws, differences in interpretation and underlying policy are becoming apparent. As a consequence, there is now a ‘patchwork’ of compliance requirements across the region. Depending on the country, sector specific laws, consumer protection laws, employment laws and laws in emerging areas such as cybersecurity, also complicate the compliance picture for Asia, and there is no common framework for any of these laws.
On 29 December, 2014, Hong Kong’s Privacy Commissioner for Personal Data published a guidance note concerning the potential implementation of section 33 of the Personal Data (Privacy) Ordinance, which would restrict the export of personal data from Hong Kong. In a recent client alert, partner Mark Parsons and associate Peter Colegate from the Hogan Lovells Hong Kong office explore the Commissioner’s understanding of how section 33 would be implemented, including some important nuances that are particularly relevant to multi-national businesses operating in Hong Kong and the wider region.
All eyes are currently on the Council of the EU to figure out when and in what form we are likely to see a new EU data protection law emerging. The adoption of this law, which has been in the making since the European Commission presented its vision for a modern privacy regime in 2010, will have vital and global implications for the future of our data-driven existence. This explains the cautious progress so far, but the need for a modernised regime is pressing. Six presidencies have so far managed the adoption process within the Council—which together with the European Parliament has legislative responsibility for passing EU laws—and each has made its own contribution to the process. But the Council has been the key focus of attention of the ongoing legislative process since the European Parliament approved its own draft of the EU Data Protection Regulation in early 2014.
The chairwoman of the French data protection authority (the CNIL), Isabelle Falque-Pierrotin, has long been an outspoken proponent that companies should have internal accountability mechanisms for data protection compliance. On January 13, 2015 the CNIL published a standard defining what accountability means in practice. Companies that demonstrate that they comply with the new standard will be able to obtain an “accountability seal” from the CNIL.
You know a matter is serious when a top international tribunal takes upon itself to change the course of society. This year, three rulings of the Court of Justice of the European Union, the highest judicial authority of the EU, show its grave concern for the data-hungry world in which we live and its desire to change it. Each of these rulings targets a different audience – the state, the corporate world and the citizen – but all of them uphold the role of privacy as a right that is threatened by our tech-driven existence. The effects of these decisions go beyond the pure legal technicalities of interpreting European data protection law because their consistent message is that society as a whole, in the EU and elsewhere, should be less tolerant of and more concerned about our dependence on data.
On 31 December, the Russian President signed into Federal Law No. 526-FZ a proposal to change the effective date of Russia’s Data Localization Law, first passed last summer, from 1 September 2016 to 1 September 2015.
On 17 December, the State Duma (the lower chamber of the Russian Parliament) passed legislation that would change the effective date of Russia’s new law requiring the local storage in Russia of the personal data of Russian citizens (Data Localization Law) from 1 September 2016 to 1 September 2015. The legislation currently is subject to the Federation Council’s (the upper chamber of the Russian Parliament) and president’s approvals.
In a recent client alert, partner Mark Parsons and associate Peter Colegate from the Hogan Lovells Hong Kong office highlighted the attention increasingly paid by privacy regulators around the world to the manner in which mobile apps collect, process, and transmit personal data.
Following on the heels of the IAPP Congress in Brussels, the CNIL’s (the French data protection authority) international chief, Florence Raynal, engaged in a dialogue with the members of the American Chamber of Commerce’s Digital Economy Committee in France. Raynal engaged with AmCham members on questions relating to the EU-US Safe Harbor framework, focusing on the practicalities of onward transfers. The discussion involved two kinds of transfers.
On 7 November 2014 the Polish Parliament passed the Act on the Facilitation of Business Activity which substantially amends the existing Act on Personal Data Protection. As we previously reported, this new Act requires an administrator for information security to be given an independent position within the data controller’s organization. Additionally, the new Act introduces provisions facilitating the transfer of personal data to countries outside the European Economic Area (further implementing provisions from Directive 95/46/EC and the proposed draft General Data Protection Regulation). The new law will come into force on 1 January 2015.
The Court of Justice of the European Union has today published its decision in the case of Ryneš and has found that domestic CCTV which films a public area cannot be exempt from the obligations contained in the EU Data Protection Directive by virtue of the “household exemption”.
On November 12, 2014, the CNIL issued a new compliance pack for the insurance sector drafted in collaboration with the sector trade associations. Compliance packs are a new tool that the CNIL has been promoting for the past few months as an operational response to the needs of professionals concerning the application of the French data protection law. The CNIL has previously published compliance packs about electric “smart meters” and about social housing. Two new compliance packs are already announced to be published soon: one about banking activities and one about social services.
Addressing the French Parliamentary Commission on Digital Rights, CNIL and Article 29 Working Party Chair Isabelle Falque-Pierrotin commented on the current state of negotiations of the proposed European General Data Protection Regulation, warning that excessive reliance on a risk-based approach could undermine fundamental rights. A risk analysis is useful as a guide to allocate resources, but should not affect the underlying rights of the data subject, she said. To illustrate her point, Falque-Pierrotin used the analogy of a home owner who lives in a part of the city where burglaries are frequent. The risk-based approach means that the home owner will buy more locks for doors, and that police authorities may devote more resources to patrolling. It does not mean, however, that home owners have different rights depending on where they live. Falque-Pierrotin is concerned that the current negotiations on the risk-based approach may confuse these two concepts, leading to a situation where individuals’ rights are reduced or ignored for low-risk processing.
During a November 13, 2014 hearing before the Digital Rights Commission of the French National Assembly, Jean-Marie Delarue, the head of France’s oversight Commission for National Security Interceptions said that France’s 1991 law on national security wiretaps needed to be updated to better protect individuals. Currently, the CNCIS is consulted by the Prime Minister’s office before the implementation of national security wiretaps. According to Mr. Delarue, this system works well for wiretaps. But the collection of metadata falls largely outside this procedure. According to Delarue, a major overhaul of the 1991 law on national security wiretaps is needed to catch up with modern intelligence gathering techniques and to better reflect the case law of the European Court of Human Rights. According to Delarue, justifications for government invasion of privacy need to be narrowly defined by law. Broad justifications such as “fundamental interests of the nation” are too vague to withstand scrutiny under European constitutional principles.
At the heart of EU data protection law is the passionate belief in the right to privacy. Indeed, the Treaty of Lisbon has now recognised both privacy and data protection as fundamental rights under EU law. As fundamental rights, there is a sense in which the scope of privacy and data protection must be expanded to the furthest extent possible. Yet, like any other law, it must be clear when and where EU data protection rules apply and the applicable law provision in the current Data Protection Directive has caused some headaches along the way. Whether the proposed new EU regime will prove to be a calming tonic remains to be seen. Today’s technology pays no attention to geographic borders. What do Cloud Computing networks care about the Atlantic Ocean so long as the network is resilient and customers can access their data? Businesses typically structure their systems in order to provide the best commercial proposition which often (but not always) involves cross-border data transfers. Therefore, cross-border data transfers are a part of everyday business. But businesses need to understand which laws apply to their operations to ensure compliance and avoid being chased by regulators or disgruntled customers. Unfortunately, the Directive’s provision concerning when it applies has not always provided much clarity.
Asia has seen a proliferation of new and stepped-up data privacy laws in recent years. Many of these laws draw from a common source in the APEC Privacy Framework, a principles-based document that shares origins with Europe’s Directive 95/46. But regional framework notwithstanding, these laws have been implemented with unique features and important nuances in each jurisdiction across the Asia region. Critically, these laws are now being enforced, with high profile data security breaches and enforcement action regularly hitting the headlines in Asia, as elsewhere. Data privacy issues are now board level issues in Asia. Our Data Privacy Regulation Comes of Age in Asia gives an overview of regional developments and features a “heat map” that compares and contrasts regulatory standards and the enforcement environment in Asia’s key jurisdictions.
In a recent client alert, partner Natalia Gulyaeva and associate Maria Sedykh from the Hogan Lovells Moscow Office joined associate Bret Cohen from the Hogan Lovells Washington, D.C. office to highlight key insights from the fifth annual conference on “Personal Data Protection” hosted by Roskomnadzor, Russia’s Data Protection Authority.
Until very recently, data protection in South Africa was regulated only under the broad constitutional right to privacy, the common law and a few pieces of legislation that contained interim provisions relating to data protection. In November 2013, South Africa enacted the Protection of Personal Information Act, the country’s first data protection-specific legislation. The Act partially came into force in April 2014 to create an information regulator and to codify concepts such as “processing” and “personal information”. The commencement of those sections is indicative of the processes being put in place by the government of South Africa to ensure that the commencement of the remaining sections is met with relevant support, in the form of regulations and the establishment of an information regulator. Though the remaining sections of the Act (including the material provisions) are not yet enforceable and have no foreseeable or determinable effective date, businesses operating in South Africa should be aware of the Act’s provisions as they may one day come into force.
The European Union’s executive branch has a brand new engine. Following the European Parliament’s election earlier this year and after months of political manoeuvring, a new European Commission is now in place and fully operational. The Commission’s functions remain as they were but under a revised structure of one president – Jean-Claude Juncker – seven vice-presidents responsible for designated policy areas and 20 commissioners. As the main policy making body in the European Union, the Commission continues to be in charge of pushing forward the ongoing data protection legislative reform that will lead to a new legal framework for privacy across the EU.
Thank you to everyone who attended our webinar last Tuesday on the new Russian law introducing rules requiring the local storage of the personal data of Russian citizens. For those who were unable to make it, linked to this blog post are a recording of the entire webinar and a copy of the slide deck.
Assuming a fair amount of hard work and that the EU institutions are able to put their political skills to good use, 2015 may be the year that sees the culmination of a legal modernisation process that has been running for the best part of four years. It was in 2010 when the European Commission formally acknowledged that the 1995 Data Protection Directive was ready for a makeover to address the privacy and data protection needs of the 21 century. Since then, stakeholders covering a whole spectrum of views have participated in a process that is approaching a decisive stage. In early 2014, the European Parliament came forward with a bold proposal to amend the Commission’s original draft and put the ball firmly in the Council of the EU’s court. As the Council finalises its own proposal, a picture of what the new framework will look like is starting to emerge.
On Tuesday, October 28, Natalia Gulyaeva of Hogan Lovells’ Moscow office and Bret Cohen of our Washington, D.C. office will host a complimentary webinar outlining implications for businesses of the new Russian Data Storage Law. The law, which may come into effect as early as January 2015, requires that data “operators” – organizations that process personal data of Russian citizens, including providers of Internet-based services – to store the personal data of Russian citizens on databases located in the country.