Government Regulation, Legislation & Enforcement – Page 5

The Importance of Managing DSARs

Jun 28 2022

By Claude-Étienne Armingaud and Inès Demmou

With its December 2021 fine imposed on French telephone operator Free Mobile, the French data protection authority (CNIL) reiterated the importance of responding to data subject access requests (DSARs) within the relevant timeline (usually 30 days), with all the relevant and required information (Article 13 and 14 GDPR) and ensuring the security of users’ personal data (Article 32 GDPR).

Another sanction by the Dutch Supervisory Authority relating to the principle of data minimization confirmed that such DSARs could not be conditioned by overly complex mechanisms, such as a requirement to upload a full copy of an identity document.

These sanctions demonstrate that data subjects have acquired the awareness necessary to exercise their rights, and that data controllers must implement effective channels and internal processes to handle DSARs properly, effectively, in a timely manner, and in a way that would not, in turn, generate its own set of breaches of the GDPR.

To find out more, see our full alert here.

New concerns over China’s ability to access user data on WeChat

Jun 21 2022

By Cameron Abbott and Hugo Chow

A recent report by cybersecurity firm, Internet 2.0, has raised concerns about the Chinese Communist Party’s ability to access the data of millions of users around the world of social media and payment application, WeChat.

WeChat is significant as it is the application that nearly all citizens in China use on a daily basis for communication, payments for services and as a way for citizens to connect through social media. Although the majority of WeChat’s more than 1 billion users are located in China, there are approximately 600,000 users in Australia, 1.3 million users in the UK, and 1.5 million users in the United States.

One of the concerns the report outlines is that although WeChat states that its servers are kept outside mainland China, all user data that WeChat logs and posts to its logging server goes directly to Hong Kong. And the report argues that under Hong Kong’s new National Security Legislation, there is little difference between Hong Kong resident servers and servers in mainland China.

As a result, due to China’s National Intelligence Law which requires organisations and citizens to “support, assist and cooperate with the state intelligence work”, there are concerns that the WeChat logging data that goes to servers in Hong Kong may be accessed by the Chinese Government upon request. The report states that the data that goes to Hong Kong is log data, which includes the user’s mobile network, device information, GPS information, phone ID, the version of the operating system of the device, but does not include information such as content of a conversation.

Another concern the report outlines is that although there was no evidence that chats were stored outside the user’s device, the report found that WeChat had the potential to access all the data in a user’s clipboard. This means that there is the potential for WeChat to access the data that is copied and pasted by users on WeChat, which is a risk to people using password managers that rely on the clipboard feature to copy and paste their passwords.

We expect to hear more about these sorts of concerns from a range of jurisdictions.

EU-REPUBLIC OF KOREA ADEQUACY DECISIONS FINALIZED

Jan 14 2022

By Claude-Etienne Armingaud, Andrew L. Chung, Camille Scarparo and Eric Yoon

Following the conclusion of the adequacy talks in March 2021, the European Commission has adopted on 17 December 2021 an adequacy decision addressing the transfers of personal data to the Republic of Korea under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.

Both texts prohibit the transfer of personal data to “third countries” unless (a) the destination country benefits from (i) an adequacy decision or (ii) appropriate safeguards, such as standard contractual clauses (see our alert here) or codes of conduct (see our alert here); or (b) one of the limited derogations under Article 49 GDPR applies.

With regards to the adequacy talks, the Republic of Korea agreed on the implementation of additional safeguards. Accordingly, the reform of Republic of Korea’s data protection framework (the Personal Information Protection Act) in August 2020, implemented several additional safeguards including transparency provisions and enforcement power strengthening of the Personal Information Protection Commission (§70).

The Republic of Korea adequacy decision complements the Free Trade Agreement (FTA) of July 2011 and allows a seamless flow of personal data between the Republic of Korea and the European Union.

Unlike the UK adequacy decision which contains a sunset clause (see our alert here), the Republic of Korea adequacy decision is not limited in time. However, pursuant to Article 45.3 GDPR, the European Commission carry out a first review of the decision after three years to evaluate any evolution in the Republic of Korea data protection framework, that would lead to divergence with the EU regulations (§220).

The Republic of Korea now belongs to the increasing group of third countries benefiting from an adequacy decision (including, since GDPR’s entry into force, Japan and the UK).

The firm’s global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at global levels.

New GDPR Guidelines on Data Transfers

Dec 01 2021

Claude-Étienne Armingaud, Camille Scarparo and Bastien Pujol

On 19 November 2021, the European Data Protection Board (“EDPB”) adopted new guidelines on the interplay between Article 3 GDPR (territorial scope) and Chapter V GDPR (transfer of personal data to third countries or international organization) of the General Data Protection Regulation (“GDPR”).

Those draft Guidelines aim at clarifying the mechanism of international transfers and more specifically provide a necessary assistance to controllers and processors in the European Union (“EU”) or otherwise subject to GDPR, including guidance on when a data importer would be subject to GDPR and an interpretation of the concept of international transfer.

In order to characterize a processing as a “transfer”, the EDPB relied on the three following cumulative criteria:

The data exporter (a controller or processor) is subject to the GDPR for the given processing;
- As a reminder, while GDPR generally applies to all entities processing personal data and established in the EU, it can also have an extra territorial reach for certain processing operations consisting in (i) offering products or services to individuals in the EU (e.g. ecommerce and apps) or (ii) monitoring of EU individuals’ behavior taking place in the EU (e.g. cookies and other tracking technologies).
The data exporter transmits or makes available the personal data to the data importer (another controller, joint-controller or processor); and
- In that regard, the mere remote access to the data would still qualify as a “data transfer” and it remains to be hopefully clarified in the final Guidelines whether the sharing of personal data among joint-controllers (both subject to GDPR from the inception of the processing operations) would in and of itself be considered as a data transfer.
The data importer is in a third-country or is an international organization.

In addition, a processing that meets these three criteria will be considered a transfer when the importer is established in a third-country and subject to the GDPR following provisions of article 3.2 GDPR. The EDPB considered that when the controller located in a third-country is already subject to GDPR, “less protection/safeguards are needed”. Nevertheless, conflicting national laws, government access in the third-country as well as the difficulty to enforce and obtain redress against an entity outside the EU should be addressed when developing relevant transfer tools.

The EDPB specified that personal data directly collected from the data subjects, at their own initiative, should not to be considered as a transfer.

An online public consultation is opened on the matter until 31 January 2022.

Long awaited increase to privacy breach penalties – a step closer to reality

Oct 26 2021

By Cameron Abbott, Rob Pulham, Max Evans and Ella Richards

On October 25 the Australian Attorney-General’s Department released a draft bill amending the Privacy Act 1988 (the Draft Bill), inviting industry submissions by 6 December 2021.

We have been hearing about an alignment with Australian consumer and competition law penalties for quite some time – and the Draft Bill does not disappoint.

Under the Draft Bill, the maximum penalties applicable to companies for serious or repeated privacy breaches will increase to the greater of:

$10 million
three times the value of any benefit obtained through the misuse of information, or
10% of the corporate group’s annual Australian turnover.

The Draft Bill also enables the introduction of an online privacy code, covering a wide scope of organisations to regulate social media services, large online platforms and data brokerage services. It is expected that industry will be given the first opportunity to develop the code, for approval by the Commissioner – with the ability for the Commissioner to develop the code in certain circumstances.

Finally, the Draft Bill introduces information sharing powers to facilitate greater engagement between the Information Commissioner and law enforcement bodies, alternative complaint bodies and State, Territory or foreign privacy regulators. This means the Information Commissioner or the receiving authority will be able to share information and documents to more effectively exercise their respective functions and powers.

With regulators banding together, maximum penalties becoming meaningful and a binding online privacy code on the horizon – there has never been a better time to get your Privacy house in order!

Good practice – the storage of COVID-19 vaccination certificates

Oct 24 2021

By Cameron Abbott, Rob Pulham and Ella Richards

As the public’s focus in NSW and Victoria turns quickly to reopening and emerging from lockdowns, we have experienced an increased focus across the country on vaccination rates. Public health orders and laws in several Australian jurisdictions have changed to require businesses to, amongst other things, collect, store and hold vaccine information about their workers, and to take steps to ensure unvaccinated persons do not enter their premises.

This has led to businesses collecting vaccination information including in the form of government-issued COVID-19 vaccination certificates. However the collection of this information creates additional legal and cyber security risks. Some federal government issued certificates contain an individual healthcare identifier (IHI) – a number individually identifies an Australian for healthcare purposes (it is more sensitive than your Medicare number). The IHI combined with the individual’s name and date of birth creates an attractive opportunity for cyber criminals. It is so sensitive that it comes with its own specific legislation sanctions including criminal penalties for breach.

Businesses should ensure they have the right processes in place when collecting and storing this kind of information to avoid exposure to civil and criminal penalties, including up to two years’ imprisonment for improper use or disclosure of an IHI.

For more information on the appropriate processes for collection and storage of vaccination information, please contact Cameron Abbott from our Privacy team. K&L Gates will keep you informed of any further updates.

Privacy obligations when collecting COVID-19 vaccination status

Oct 15 2021

By Cameron Abbott, Rob Pulham and Ella Richards

Some Australian jurisdictions have imposed obligations on businesses and employers to either sight, or collect and hold, information about their workers’ COVID-19 vaccination status, or to take reasonable steps to ensure unvaccinated individuals do not enter their worksites or premises. For example, on 7 October 2021, the Premier of Victoria released Directions that require employers to collect information about workers’ COVID-19 vaccination status before allowing them to work anywhere outside of the employees’ usual place of residence. Industry-specific obligations (with some differences to those Directions) also apply to some settings such as education, construction and healthcare. Similarly, under public health orders in New South Wales, certain businesses from 11 October 2021 must take reasonable steps to ensure people who are not fully vaccinated do not enter their premises.

The Victorian Government Directions for workers are in effect from today, 15 October 2021, meaning that many employees must provide proof of either receiving their first dose or having booked their first dose by 22 October 2021.

To comply with privacy obligations (including under applicable health records legislation), employers must provide employees with a clear collection statement that outlines, among other things:

the types of sensitive information that the employer is collecting;
the purpose of the collection;
who the employer may disclose the information to, including specifying if any of these parties are outside of Australia; and
a reference to the employer’s Privacy Policy that applies to the information collected about employees.

Even where a business is not subject to these mandatory collection requirements, they may wish to collect this information from employees to assist the business to maintain a safe and secure working environment (including, for example, to provide encouragement to staff to get vaccinated – subject to the requirements around providing incentives to do so).

If you would like advice on your Privacy obligations as an employer, please reach out to Cameron Abbott from our Privacy team. For further information on the Victorian Government Directions, see the Alert from our K&L Gates employment team here.

An even ‘hacking’ field – Government Surveillance Bill passed by Parliament

Aug 30 2021

By Cameron Abbott and Ella Richards

The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (Identify and Disrupt Bill) passed both houses of federal parliament on 25 August 2021. The new legislation extends the power of law enforcement agencies to identify and disrupt suspected online criminal activity through the provision of three new warrants.

The new warrants provide the Australian Federal Police and the Australian Criminal Intelligence Commission with the power to:

Modify or delete the data of suspected offenders (data disruption warrants);
Collect intelligence on criminal networks (network activity warrants), and
Take control of a suspected offenders’ online account (account takeover warrants).

Anyone required to assist with government hacking is protected from civil liability. However, anyone who refuses to comply can face up to 10 years’ imprisonment.

Online criminal networks are evolving rapidly with the use of anonymising technology – making the detection of serious online crime near impossible. Encrypted applications such as Discord have stated that approximately 536 verified dealers sold $100,000+ of illegal substances/stolen goods in one week, despite Discord’s “zero-tolerance” approach to illegal activity.

On the other hand, the Office of the Australian Information Commissioner (OAIC) previously warned that the new warrant powers could adversely impact the privacy of a large number of individuals – including those with no suspected involvement in criminal activity.

The complexity of online crime makes it increasingly necessary for law enforcement agencies to level the playing field, identify suspected criminal activity and intercept that activity before it is actioned. However, proportionate consideration of individual privacy rights has created a lively debate in the passage of the legislation thus far.

The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 is now awaiting Royal Assent. Keep an eye on our Cyber Law Watch blog further updates.

UK unveils plan to diverge from GDPR

Aug 30 2021

By Norin McFadden and Claude-Étienne Armingaud

The UK government has announced that it intends to consult on a new, post-Brexit data protection regime, potentially moving away from the UK General Data Protection Regulation that currently underpins the UK’s data protection legislation. The Digital Secretary, Oliver Dowden, said, “It means reforming our own data laws so that they’re based on common sense, not box-ticking.”

A public consultation on the new legislation will follow, but it is clear that the United Kingdom must be careful about any changes it makes to its data regime in order to avoid disrupting the EU-UK adequacy decision with EU GDPR awarded just two months ago. The adequacy decision allows personal data from the European Union to flow freely to the United Kingdom (and vice versa), without businesses needing to put any additional paperwork in place. In granting the adequacy decision, the European Union placed particular emphasis on the fact that the United Kingdom was continuing to base its data protection laws on the same EU GDPR rules that had applied when it was a member of the European Union. A European Commission spokesperson commented that the EU will be closely monitoring any developments in UK data laws and noted that: “In case of problematic developments that negatively affect the level of protection found adequate, the adequacy decision can be suspended, terminated or amended, at any time by the Commission.”

It will be interesting to see how far the United Kingdom diverges, particularly as the current trend is that other countries seem to be keen to state that their data protection laws closely follow the EU GDPR.

The UK government also announced that its preferred candidate to be the next Information Commissioner, head of the UK data protection regulator, will be John Edwards, currently in charge of New Zealand’s data regulator, a country that also maintains an EU adequacy decision.

Reminder for One-Month Deadline to Implement New SCCs in New Contracts

Aug 27 2021

By Jake Bernstein and Jane Petoskey

In early June 2021, the European Commission published a new set of standard contractual clauses (SCCs) effective June 27, 2021 for cross-border data transfers and between controllers and processors. The new SCCs cover changes in data protection laws, including the invalidation of the EU-US Privacy Shield and the fallout from the Court of Justice of the European Union’s (CJEU) Schrems II opinion (regarding US intelligence laws). The new cross-border data transfer SCCs also use a modular approach to allow for more accurate identification of roles and responsibilities of the contracting parties. In terms of timing, organizations may use the old SCCs in new contracts until September 27, 2021, and contracts existing before September 27, 2021 must change to the new SCCs by December 27, 2022. For additional information on the SCCs, read our K&L Gates EU Data Protection Alert here.

Please do not hesitate to contact the K&L Gates LLP Cybersecurity and Privacy team of attorneys if you need assistance updating new or existing contracts with the new SCCs by the above deadlines.

Catagory:Government Regulation, Legislation & Enforcement