Cyber Law Watch

Insight on how cyber risk is being mitigated and managed across the globe.

1
Argentina announces upgrades to data protection obligations
2
UK Government publishes new proposed data protection law
3
New World tech fall victim to Old World tricks
4
Attorney-General Mark Dreyfus pledges sweeping data privacy reforms
5
The Importance of Managing DSARs
6
New concerns over China’s ability to access user data on WeChat
7
Queen’s speech heralds UK GDPR overhaul
8
What is Required under The PIPL: A PRC-Based Representative or a Personal Information Protection Officer?
9
EU-REPUBLIC OF KOREA ADEQUACY DECISIONS FINALIZED
10
Critical Vulnerability: Vulnerability in Widely Used Open Source Software is Discovered

Argentina announces upgrades to data protection obligations

By Cameron Abbott, Stephanie Mayhew and Dadar Ahmadi-Pirshahid

Argentina’s Data Protection Authority, the Agency for Access to Public Information (the Agency), has published a draft bill that proposes to bring Argentina’s 22 year old data protection law more in line with the European Union’s General Data Protection Regulation.

Amongst other things, the bill modernises Argentina’s data protection law to deal with more recent issues including cloud computing, biometric and genetic data. It provides greater scope for international transfers of information by allowing transfers under the sanction of adequate data protection guarantees in the absence of a decision by the Agency that the importing country has adequate data protection. It additionally requires Data Controllers to document and notify the Agency of data breaches within 48 hours of becoming aware of a breach.

The draft bill is open for public comment until 30 September 2022. Any entity wishing to submit commentary is encouraged to reach out to K&L Gates to help facilitate the submission process.

UK Government publishes new proposed data protection law

By Claude-Étienne Armingaud, Nóirín McFadden and Keisha Phippen

The UK Government has finally published its highly anticipated Data Protection and Digital Information Bill (the Bill), marking the first significant post-Brexit change to the UK’s data protection regime. Following Brexit, the UK continued following the EU General Data Protection Regulation, incorporated into UK law as the UK GDPR, and the UK implementation of the EU ePrivacy Directive, the Privacy and Electronic Communications Regulations 2003 (PECR), also remained in force.

The Bill is only at the start of the legislative process, and it remains to be seen how it will develop if it is amended during its passage through Parliament, but early indications are that it represents more of an evolution than a revolution in the UK regime. That will come as a relief to businesses that transfer personal data from the EU to the UK, because it reduces the risk that the EU might rescind the UK’s adequacy status.

For a start, the Bill actually preserves the UK GDPR, its enabling legislation the Data Protection Act 2018, and the PECR, because it is drafted as an amending act rather than a completely new legislative instrument. This does not contribute to user-friendliness, as interpreting UK data protection requirements will require a great deal of cross-referencing across texts.

The more eye-catching proposed changes in the Bill include:

  • The inclusion of a list of “legitimate interests” that will automatically qualify as being covered by the lawful basis in UK GDPR Article 6(e).
  • Some limitations on data subject access requests, such as the possibility of refusing “vexatious or excessive” requests.
  • More exemptions from the requirement to obtain consent to cookies.
  • Much higher fees for breach of PECR.

The Bill will now progress through various Parliamentary stages over the coming months in order to become law.

New World tech fall victim to Old World tricks

By Cameron Abbott, Rob Pulham and Dadar Ahmadi-Pirshahid

OpenSea have reported a breach whereby email addresses registered with the site have been shared with an unauthorised third party.

For landlubbers, OpenSea is the world’s largest marketplace for non-fungible tokens (NFTs).

The Head of Security at OpenSea identified an employee of OpenSea’s third party email delivery vendor as the source of the breach. The employee reportedly misused their access privileges to download and share the list of the site’s registered email addresses with an external party.

People who have shared an email address with OpenSea, such as subscribers to the site’s newsletter, are warned to remain vigilant about attempts by malicious parties to impersonate communications from OpenSea.

OpenSea has dealt with several security incidents this year. Only a month ago, a former OpenSea product manager was arrested and is reportedly the first person to have been charged in connection with a digital asset insider trading scheme. The product manager’s responsibilities included deciding which NFTs would be featured on the site’s homepage, which he allegedly used for his own financial gain. When OpenSea had discovered his conduct in September 2021, OpenSea requested and accepted the product manager’s resignation. Immediately afterwards, OpenSea commissioned a third party review of the incident and implemented the review’s recommendations to strengthen their existing policies.

In May this year, OpenSea’s Discord server was hacked. Just a few months earlier, 254 NFTs valued at around $1.7million USD were stolen through what appear to have been phishing attacks. OpenSea has reportedly reimbursed the victims.

These incidences highlight the status of NFT marketplaces as high value targets for malicious actors and reveals that many of the security vulnerabilities faced in the ‘old’ world of cyber technology remain a threat in the new world of blockchain and NFTs.

Once again, these incidents serve as a reminder for organisations to develop effective cyber security risk management, which requires an approach that encompasses all security vulnerabilities and that includes mechanisms governing employee access and use of sensitive information.

Attorney-General Mark Dreyfus pledges sweeping data privacy reforms

By Cameron Abbott, Rob Pulham and Hugo Chow

Newly sworn-in Attorney-General Mark Dreyfus has announced that there is a range of “sweeping reforms” that are needed to be made to Australia’s privacy laws, and that he is committed to making these changes during the government’s first term in parliament.

Mr Dreyfus’ department is currently reviewing the feedback it has received from its discussion paper around the current review of the Privacy Act 1988 (Cth) (Privacy Act). Mr Dreyfus said that “Everyone agrees that the Commonwealth Privacy Act is out of date and in need of reform for the digital age”, and that he is hoping to bring a final report of reform proposals into the public domain in the coming months.

Privacy practitioners have for years been anticipating some level of reform as the winds of change have been blowing, but it has not been easy to predict what may change, or when. Proposed changes include strengthening individuals’ privacy rights, including creating a direct cause of action or statutory right for breaches of privacy laws; introducing specific codes for certain industries; and increasing maximum penalties which are significantly out of step with international jurisdictions and with other key Australian business laws.

However such changes are not likely to be welcomed by all, even if “everyone agrees” the Privacy Act is out of date and in need of reform, with business groups opposed to areas of proposed reform such as allowing individuals to bring claims directly against companies.

It is a fascinating precursor to what may become hotly contested reforms with significant impact on how businesses engage with their customers. It may be hard to tell but privacy nerds are on the edge of our seats as the reforms, much talked about, move a step closer to taking shape. There’s never been a better time to start paying attention.

The Importance of Managing DSARs

By Claude-Étienne Armingaud and Inès Demmou

With its December 2021 fine imposed on French telephone operator Free Mobile, the French data protection authority (CNIL) reiterated the importance of responding to data subject access requests (DSARs) within the relevant timeline (usually 30 days), with all the relevant and required information (Article 13 and 14 GDPR) and ensuring the security of users’ personal data (Article 32 GDPR). 

Another sanction by the Dutch Supervisory Authority relating to the principle of data minimization confirmed that such DSARs could not be conditioned by overly complex mechanisms, such as a requirement to upload a full copy of an identity document.

These sanctions demonstrate that data subjects have acquired the awareness necessary to exercise their rights, and that data controllers must implement effective channels and internal processes to handle DSARs properly, effectively, in a timely manner, and in a way that would not, in turn, generate its own set of breaches of the GDPR. 

To find out more, see our full alert here.

New concerns over China’s ability to access user data on WeChat

By Cameron Abbott and Hugo Chow

A recent report by cybersecurity firm, Internet 2.0, has raised concerns about the Chinese Communist Party’s ability to access the data of millions of users around the world of social media and payment application, WeChat.

WeChat is significant as it is the application that nearly all citizens in China use on a daily basis for communication, payments for services and as a way for citizens to connect through social media. Although the majority of WeChat’s more than 1 billion users are located in China, there are approximately 600,000 users in Australia, 1.3 million users in the UK, and 1.5 million users in the United States.

One of the concerns the report outlines is that although WeChat states that its servers are kept outside mainland China, all user data that WeChat logs and posts to its logging server goes directly to Hong Kong. And the report argues that under Hong Kong’s new National Security Legislation, there is little difference between Hong Kong resident servers and servers in mainland China.

As a result, due to China’s National Intelligence Law which requires organisations and citizens to “support, assist and cooperate with the state intelligence work”, there are concerns that the WeChat logging data that goes to servers in Hong Kong may be accessed by the Chinese Government upon request. The report states that the data that goes to Hong Kong is log data, which includes the user’s mobile network, device information, GPS information, phone ID, the version of the operating system of the device, but does not include information such as content of a conversation.

Another concern the report outlines is that although there was no evidence that chats were stored outside the user’s device, the report found that WeChat had the potential to access all the data in a user’s clipboard. This means that there is the potential for WeChat to access the data that is copied and pasted by users on WeChat, which is a risk to people using password managers that rely on the clipboard feature to copy and paste their passwords.

We expect to hear more about these sorts of concerns from a range of jurisdictions.

Queen’s speech heralds UK GDPR overhaul

By Claude-Étienne Armingaud and Nóirín McFadden

In the Queen’s speech at the state opening of parliament on 10 May 2022, the UK government announced its intention to change the UK’s data protection regime in a new Data Reform Bill. This follows a consultation last Autumn on how the UK GDPR could be reformed following the UK’s exit from the European Union (EU).

The government claims that the new Bill would:

  • Create a data protection framework focused on “privacy outcomes” that would reduce the burdens on businesses, and a “clearer regulatory environment” to encourage “responsible innovation”.
  • Ensure that citizens’ data is “protected to a gold standard”, while enabling more efficient sharing of data between public bodies.
  • Modernise the Information Commissioner’s Office and require it to be “more accountable to Parliament and the public”.

The Queen’s speech also announced plans to replace the Human Rights Act 1998, which incorporated the European Convention on Human Rights into UK law. According to the government a new “Bill of Rights” would “end the abuse of the human rights framework and restore some common sense to [the] justice system”. This would be achieved by “establishing the primacy of UK case law”, which means that UK courts would no longer be required to follow the case law of the European Court of Human Rights.

Taken together, both of these proposed new legislative measures could change the balance of protection of individuals’ rights in the UK, both generally and in the specific area of personal data regulation. Their development will be closely watched by data protection professionals, because any significant changes in the UK data protection regime could prompt the EU to review its post-Brexit UK adequacy decision, potentially leading to the end of decades of seamless transfers of personal data from the EU to the UK.

What is Required under The PIPL: A PRC-Based Representative or a Personal Information Protection Officer?

By Dr. Amigo L. Xie, Xiaotong Wang, Grace Ye and Yibo Wu

Multinational entities with operations in or having businesses with the People’s Republic of China (PRC) should take note of the PRC’s new Personal Information Protection Law (PIPL), which took effect on 1 November 2021 and is extraterritorial in scope and effect. 

This alert lays out the differences between the requirements under Article 52 PIPL (PIPO appointment) and Article 53 PIPL (PRC-based representative appointment / establishment of an agency in the PRC). It also examines statutory obligations under PIPL upon designated personnel and highlights important sector-specific regulations and provincial and municipal government practices.

Click here to read the full alert.

EU-REPUBLIC OF KOREA ADEQUACY DECISIONS FINALIZED

By Claude-Etienne Armingaud, Andrew L. Chung, Camille Scarparo and Eric Yoon

Following the conclusion of the adequacy talks in March 2021, the European Commission has adopted on 17 December 2021 an adequacy decision addressing the transfers of personal data to the Republic of Korea under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.

Both texts prohibit the transfer of personal data to “third countries” unless (a) the destination country benefits from (i) an adequacy decision or (ii) appropriate safeguards, such as standard contractual clauses (see our alert here) or codes of conduct (see our alert here); or (b) one of the limited derogations under Article 49 GDPR applies.

With regards to the adequacy talks, the Republic of Korea agreed on the implementation of additional safeguards. Accordingly, the reform of Republic of Korea’s data protection framework (the Personal Information Protection Act) in August 2020, implemented several additional safeguards including transparency provisions and enforcement power strengthening of the Personal Information Protection Commission (§70).

The Republic of Korea adequacy decision complements the Free Trade Agreement (FTA) of July 2011 and allows a seamless flow of personal data between the Republic of Korea and the European Union.

Unlike the UK adequacy decision which contains a sunset clause (see our alert here), the Republic of Korea adequacy decision is not limited in time. However, pursuant to Article 45.3 GDPR, the European Commission carry out a first review of the decision after three years to evaluate any evolution in the Republic of Korea data protection framework, that would lead to divergence with the EU regulations (§220). 

The Republic of Korea now belongs to the increasing group of third countries benefiting from an adequacy decision (including, since GDPR’s entry into force, Japan and the UK).

The firm’s global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at global levels.

Critical Vulnerability: Vulnerability in Widely Used Open Source Software is Discovered

By Cameron Abbott, Rob Pulham, Max Evans and Ella Krygier

A critical security vulnerability has been discovered in Apache Log4j, an open-source logging library used by many popular Java applications to provide logging functionality for troubleshooting purposes, according to the Australian Cyber Security Centre (ACSC).

The software’s vulnerability, known as Log4Shell, allows for remote code execution, which, if left unfixed, could allow cybercriminals to take control of IT systems, steal personal data, passwords and files, and install backdoors for future access, simply by adding an additional line of arbitrary code. According to the ACSC, malicious cyber actors have used this vulnerability to target and compromise IT systems globally and in Australia, which led the ACSC to publish advice on mitigation and detection recommendations.

Read More

Copyright © 2022, K&L Gates LLP. All Rights Reserved.