Given the current privacy reform and cyber threat environment, the question we get asked a lot is – what are the privacy risks that should be assessed in our organisation and how do we prioritise these? Unfortunately this isn’t always a ‘one size fits all’ answer but there are some basic matters you can check as to whether your organisation is considering privacy risks proactively.Read More
The theme of this year’s Privacy Awareness Week (PAW) is “back to basics”. It’s fitting to consider some lessons arising from recent high-profile breaches affecting millions of Australians, and the consistent messages we’ve been hearing from the Australian Information Commissioner in the midst of those incidents.
Data breaches can happen to anyone. We know cyberattacks can be big business, and sophisticated criminal networks make a good living from these. And if your organisation has taken reasonable steps to avoid or mitigate such breaches, the fact you’ve encountered one will not, of itself, be held against you.Read More
Presumably inspired by the recently released “Honor Among Thieves”, a film based on table-top roleplaying game Dungeons & Dragons, the Australian government invited representatives from the Reserve Bank, the AFP and regulators ASIC and APRA for a three-hour session of cybersecurity roleplay. Further exercises are expected to be conducted with major banks and financial services, and eventually with the aviation sector and other critical infrastructure areas.Read More
Shortly after the Government announced their ambition to make Australia a global leader in cyber security, Australia has been named the country with “the greatest progress and commitment toward creating a cyber defence environment” in MIT’s Cyber Defence Index of 2022/23.
However, the Office of the Australian Information Commissioner’s latest notifiable data breaches report paints a different picture. The Commissioner reported a 26% increase in the number of total reported data breaches and a 41% increase in the number of reported data breaches arising from malicious or criminal attacks compared with the first half of 2022. Health service providers and the finance sector were the worst hit, together representing almost a third of reported data breaches.
In releasing the report, the Commissioner once again stressed the need for organisations to collect only the minimum amount of personal information required and deleting it when it is no longer needed. In the report the Commissioner has recommended a number of steps to address the kinds of issues featured in the second half of 2022, including:Read More
By Amigo L. Xie
2023 is destined to be a big year for the hottest issues of the China Personal Information Protection Law (PIPL) for MNCs doing business in or with China especially in the areas of: cross-border personal data transfers, localization, compliance, and enforcement.
It is worth noting the following milestones in your timeline for China data privacy compliance in 2023:Read More
Not content with merely implementing broad-scale privacy reform, the Government has announced a new position, the Coordinator for Cyber Security to be added to the Department of Home Affairs as a step towards their aim of “making Australia the most cyber secure nation by 2030“. This would seem to be a rather aspirational target!
The Coordinator will be supported by a National Office for Cyber Security, and their role will be to oversee steps to prevent future cyber security incidents and to help manage cyber incidents as they occur.Read More
Multinational entities with operations in or having businesses with the People’s Republic of China (PRC) should take note of the PRC’s new Personal Information Protection Law (PIPL), which took effect on 1 November 2021 and is extraterritorial in scope and effect.
This alert lays out the differences between the requirements under Article 52 PIPL (PIPO appointment) and Article 53 PIPL (PRC-based representative appointment / establishment of an agency in the PRC). It also examines statutory obligations under PIPL upon designated personnel and highlights important sector-specific regulations and provincial and municipal government practices.
Click here to read the full alert.
Following the conclusion of the adequacy talks in March 2021, the European Commission has adopted on 17 December 2021 an adequacy decision addressing the transfers of personal data to the Republic of Korea under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.
Both texts prohibit the transfer of personal data to “third countries” unless (a) the destination country benefits from (i) an adequacy decision or (ii) appropriate safeguards, such as standard contractual clauses (see our alert here) or codes of conduct (see our alert here); or (b) one of the limited derogations under Article 49 GDPR applies.
With regards to the adequacy talks, the Republic of Korea agreed on the implementation of additional safeguards. Accordingly, the reform of Republic of Korea’s data protection framework (the Personal Information Protection Act) in August 2020, implemented several additional safeguards including transparency provisions and enforcement power strengthening of the Personal Information Protection Commission (§70).
The Republic of Korea adequacy decision complements the Free Trade Agreement (FTA) of July 2011 and allows a seamless flow of personal data between the Republic of Korea and the European Union.
Unlike the UK adequacy decision which contains a sunset clause (see our alert here), the Republic of Korea adequacy decision is not limited in time. However, pursuant to Article 45.3 GDPR, the European Commission carry out a first review of the decision after three years to evaluate any evolution in the Republic of Korea data protection framework, that would lead to divergence with the EU regulations (§220).
On 19 November 2021, the European Data Protection Board (“EDPB”) adopted new guidelines on the interplay between Article 3 GDPR (territorial scope) and Chapter V GDPR (transfer of personal data to third countries or international organization) of the General Data Protection Regulation (“GDPR”).
Those draft Guidelines aim at clarifying the mechanism of international transfers and more specifically provide a necessary assistance to controllers and processors in the European Union (“EU”) or otherwise subject to GDPR, including guidance on when a data importer would be subject to GDPR and an interpretation of the concept of international transfer.
In order to characterize a processing as a “transfer”, the EDPB relied on the three following cumulative criteria:
- The data exporter (a controller or processor) is subject to the GDPR for the given processing;
- As a reminder, while GDPR generally applies to all entities processing personal data and established in the EU, it can also have an extra territorial reach for certain processing operations consisting in (i) offering products or services to individuals in the EU (e.g. ecommerce and apps) or (ii) monitoring of EU individuals’ behavior taking place in the EU (e.g. cookies and other tracking technologies).
- The data exporter transmits or makes available the personal data to the data importer (another controller, joint-controller or processor); and
- In that regard, the mere remote access to the data would still qualify as a “data transfer” and it remains to be hopefully clarified in the final Guidelines whether the sharing of personal data among joint-controllers (both subject to GDPR from the inception of the processing operations) would in and of itself be considered as a data transfer.
- The data importer is in a third-country or is an international organization.
In addition, a processing that meets these three criteria will be considered a transfer when the importer is established in a third-country and subject to the GDPR following provisions of article 3.2 GDPR. The EDPB considered that when the controller located in a third-country is already subject to GDPR, “less protection/safeguards are needed”. Nevertheless, conflicting national laws, government access in the third-country as well as the difficulty to enforce and obtain redress against an entity outside the EU should be addressed when developing relevant transfer tools.
The EDPB specified that personal data directly collected from the data subjects, at their own initiative, should not to be considered as a transfer.
An online public consultation is opened on the matter until 31 January 2022.
On 1 November 2021 the People’s Republic of China (PRC) effected the Personal Information Protection Law (PIPL).
The PIPL joins existing Cybersecurity Law and Data Security Law to broaden privacy obligations within the PRC. This comprehensive legislation governs the treatment of personal information within the PRC and strengthens the existing data localisation requirements.