Privacy, Data Protection & Information Management – Page 7

What is Required under The PIPL: A PRC-Based Representative or a Personal Information Protection Officer?

Jan 17 2022

By Dr. Amigo L. Xie, Xiaotong Wang, Grace Ye and Yibo Wu

Multinational entities with operations in or having businesses with the People’s Republic of China (PRC) should take note of the PRC’s new Personal Information Protection Law (PIPL), which took effect on 1 November 2021 and is extraterritorial in scope and effect.

This alert lays out the differences between the requirements under Article 52 PIPL (PIPO appointment) and Article 53 PIPL (PRC-based representative appointment / establishment of an agency in the PRC). It also examines statutory obligations under PIPL upon designated personnel and highlights important sector-specific regulations and provincial and municipal government practices.

Click here to read the full alert.

EU-REPUBLIC OF KOREA ADEQUACY DECISIONS FINALIZED

Jan 14 2022

By Claude-Etienne Armingaud, Andrew L. Chung, Camille Scarparo and Eric Yoon

Following the conclusion of the adequacy talks in March 2021, the European Commission has adopted on 17 December 2021 an adequacy decision addressing the transfers of personal data to the Republic of Korea under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.

Both texts prohibit the transfer of personal data to “third countries” unless (a) the destination country benefits from (i) an adequacy decision or (ii) appropriate safeguards, such as standard contractual clauses (see our alert here) or codes of conduct (see our alert here); or (b) one of the limited derogations under Article 49 GDPR applies.

With regards to the adequacy talks, the Republic of Korea agreed on the implementation of additional safeguards. Accordingly, the reform of Republic of Korea’s data protection framework (the Personal Information Protection Act) in August 2020, implemented several additional safeguards including transparency provisions and enforcement power strengthening of the Personal Information Protection Commission (§70).

The Republic of Korea adequacy decision complements the Free Trade Agreement (FTA) of July 2011 and allows a seamless flow of personal data between the Republic of Korea and the European Union.

Unlike the UK adequacy decision which contains a sunset clause (see our alert here), the Republic of Korea adequacy decision is not limited in time. However, pursuant to Article 45.3 GDPR, the European Commission carry out a first review of the decision after three years to evaluate any evolution in the Republic of Korea data protection framework, that would lead to divergence with the EU regulations (§220).

The Republic of Korea now belongs to the increasing group of third countries benefiting from an adequacy decision (including, since GDPR’s entry into force, Japan and the UK).

The firm’s global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at global levels.

Critical Vulnerability: Vulnerability in Widely Used Open Source Software is Discovered

Dec 24 2021

By Cameron Abbott, Rob Pulham, Max Evans and Ella Krygier

A critical security vulnerability has been discovered in Apache Log4j, an open-source logging library used by many popular Java applications to provide logging functionality for troubleshooting purposes, according to the Australian Cyber Security Centre (ACSC).

The software’s vulnerability, known as Log4Shell, allows for remote code execution, which, if left unfixed, could allow cybercriminals to take control of IT systems, steal personal data, passwords and files, and install backdoors for future access, simply by adding an additional line of arbitrary code. According to the ACSC, malicious cyber actors have used this vulnerability to target and compromise IT systems globally and in Australia, which led the ACSC to publish advice on mitigation and detection recommendations.

Mask Off: Social Media Giants to Unmask Trolls or Risk Themselves Becoming Liable for Defamation Payouts

Dec 01 2021

By Cameron Abbott, Rob Pulham, Warwick Andersen, Max Evans and James Gray

In a significant development in online regulatory oversight, the Australian government announced over the weekend that it will introduce new laws handing Australian courts the power to order social media companies to reveal the identities of anonymous trolls or risk themselves being liable for defamation payouts.

The so called “social media anti-trolling legislation” which the government has said will be introduced into parliament this week proposes to require social media companies stand up a functional and easy-to-use complaints and takedown process for users, who upon suspecting they are being defamed, bullied or attacked may file a complaint with the social media platform requesting that the relevant content be removed.

If that request is denied, the complainant can ask the social media company to provide the details of the “troll” so as to enable the complainant to commence an action. If this request is further denied, or if the social media platform is “unable to do this”, complainants may apply to obtain a court order requiring the social media company to release the identification details of the anonymous user so that a defamation action may be pursued. Failure to comply with such a court order will render the social media company themselves liable for the defamation claim.

Significantly, the reports indicate that these new laws will push legal responsibility for defamatory content from the author or page manager to the social media company which runs the platform. This represents a key move away from social media platforms being distributors of content but rather, in the eyes of online safety, being deemed publishers themselves. We will keep you posted as these proposed laws progress.

Privacy Pandemic: Australians Losing Trust in Institutions’ Use of Their Data

Dec 01 2021

By Cameron Abbott, Rob Pulham, Max Evans and James Gray

In the age of QR code check-ins and vaccination certificates, as Australia edges towards a post-pandemic (or mid-pandemic, it increasingly seems) “normal”, new research from the Australian National University (ANU) has revealed that Australians have become less trusting of institutions with regards to data privacy.

The ANU researchers said that the decrease in public trust between May 2020 and August 2021 was small but “statistically significant”. A key reason for this decrease, according to the researchers, was concern around “how their private data from check-in apps might be used by major institutions” as lockdowns and the use of apps for contact tracing intensified.

The institutions which experienced the greatest loss of trust were social media companies (10.1% decline), telecommunications companies, and federal, state and territory governments. This echoes sentiment from the OAIC following its recent ‘community attitudes to privacy’ survey that Australians trust social media companies the least when it comes to handling personal information, followed by the government.

While it remains to be seen whether this loss of trust becomes a permanent trend, one way to make Australians more comfortable with an organisation’s data practices – as reinforced by the OAIC – is to ensure the purpose of the collection and use of personal information is clearly understood. The OAIC has found that Australians are increasingly questioning data practices where the purpose for collecting personal information is unclear.

With increased penalties for privacy non-compliance looming, there’s never been a better time to revisit your privacy policies and collection statements to make sure that these are clear, so your organisation can stand out against this trend and build consumer trust.

And it’s here! China’s new privacy laws come into effect

Nov 22 2021

By Cameron Abbott, Rob Pulham and Ella Richards

On 1 November 2021 the People’s Republic of China (PRC) effected the Personal Information Protection Law (PIPL).

The PIPL joins existing Cybersecurity Law and Data Security Law to broaden privacy obligations within the PRC. This comprehensive legislation governs the treatment of personal information within the PRC and strengthens the existing data localisation requirements.

Our colleagues have summarised the PIPL Draft Bill here and prepared advice on the collection of employee’s personal information under the PIPL here.

Long awaited increase to privacy breach penalties – a step closer to reality

Oct 26 2021

By Cameron Abbott, Rob Pulham, Max Evans and Ella Richards

On October 25 the Australian Attorney-General’s Department released a draft bill amending the Privacy Act 1988 (the Draft Bill), inviting industry submissions by 6 December 2021.

We have been hearing about an alignment with Australian consumer and competition law penalties for quite some time – and the Draft Bill does not disappoint.

Under the Draft Bill, the maximum penalties applicable to companies for serious or repeated privacy breaches will increase to the greater of:

$10 million
three times the value of any benefit obtained through the misuse of information, or
10% of the corporate group’s annual Australian turnover.

The Draft Bill also enables the introduction of an online privacy code, covering a wide scope of organisations to regulate social media services, large online platforms and data brokerage services. It is expected that industry will be given the first opportunity to develop the code, for approval by the Commissioner – with the ability for the Commissioner to develop the code in certain circumstances.

Finally, the Draft Bill introduces information sharing powers to facilitate greater engagement between the Information Commissioner and law enforcement bodies, alternative complaint bodies and State, Territory or foreign privacy regulators. This means the Information Commissioner or the receiving authority will be able to share information and documents to more effectively exercise their respective functions and powers.

With regulators banding together, maximum penalties becoming meaningful and a binding online privacy code on the horizon – there has never been a better time to get your Privacy house in order!

Good practice – the storage of COVID-19 vaccination certificates

Oct 24 2021

By Cameron Abbott, Rob Pulham and Ella Richards

As the public’s focus in NSW and Victoria turns quickly to reopening and emerging from lockdowns, we have experienced an increased focus across the country on vaccination rates. Public health orders and laws in several Australian jurisdictions have changed to require businesses to, amongst other things, collect, store and hold vaccine information about their workers, and to take steps to ensure unvaccinated persons do not enter their premises.

This has led to businesses collecting vaccination information including in the form of government-issued COVID-19 vaccination certificates. However the collection of this information creates additional legal and cyber security risks. Some federal government issued certificates contain an individual healthcare identifier (IHI) – a number individually identifies an Australian for healthcare purposes (it is more sensitive than your Medicare number). The IHI combined with the individual’s name and date of birth creates an attractive opportunity for cyber criminals. It is so sensitive that it comes with its own specific legislation sanctions including criminal penalties for breach.

Businesses should ensure they have the right processes in place when collecting and storing this kind of information to avoid exposure to civil and criminal penalties, including up to two years’ imprisonment for improper use or disclosure of an IHI.

For more information on the appropriate processes for collection and storage of vaccination information, please contact Cameron Abbott from our Privacy team. K&L Gates will keep you informed of any further updates.

Ransomware plan of action

Oct 18 2021

By Cameron Abbott, Rob Pulham and Ella Richards

Following the 60% increase in ransomware attacks over the past year, the Department of Home Affairs has released a Ransomware Action Plan – proposing to introduce mandatory reporting requirements for companies who have been hit by a ransomware attack.

Under the proposal, companies with a turnover of $10 million or more per year will be required to inform the Australian Cyber Security Centre soon after experiencing a ransomware attack and will face civil penalties if they fail to comply. The government is also planning to introduce a standalone offence for cybercriminals who seek to target critical infrastructure as part of the Security Legislation Amendment (Critical Infrastructure) Bill 2020.

This document is part of Australia’s overarching 2020 Cyber Security Strategy, with industry and community consultation anticipated in the near future. Stand by for further developments.

Privacy obligations when collecting COVID-19 vaccination status

Oct 15 2021

By Cameron Abbott, Rob Pulham and Ella Richards

Some Australian jurisdictions have imposed obligations on businesses and employers to either sight, or collect and hold, information about their workers’ COVID-19 vaccination status, or to take reasonable steps to ensure unvaccinated individuals do not enter their worksites or premises. For example, on 7 October 2021, the Premier of Victoria released Directions that require employers to collect information about workers’ COVID-19 vaccination status before allowing them to work anywhere outside of the employees’ usual place of residence. Industry-specific obligations (with some differences to those Directions) also apply to some settings such as education, construction and healthcare. Similarly, under public health orders in New South Wales, certain businesses from 11 October 2021 must take reasonable steps to ensure people who are not fully vaccinated do not enter their premises.

The Victorian Government Directions for workers are in effect from today, 15 October 2021, meaning that many employees must provide proof of either receiving their first dose or having booked their first dose by 22 October 2021.

To comply with privacy obligations (including under applicable health records legislation), employers must provide employees with a clear collection statement that outlines, among other things:

the types of sensitive information that the employer is collecting;
the purpose of the collection;
who the employer may disclose the information to, including specifying if any of these parties are outside of Australia; and
a reference to the employer’s Privacy Policy that applies to the information collected about employees.

Even where a business is not subject to these mandatory collection requirements, they may wish to collect this information from employees to assist the business to maintain a safe and secure working environment (including, for example, to provide encouragement to staff to get vaccinated – subject to the requirements around providing incentives to do so).

If you would like advice on your Privacy obligations as an employer, please reach out to Cameron Abbott from our Privacy team. For further information on the Victorian Government Directions, see the Alert from our K&L Gates employment team here.

Catagory:Privacy, Data Protection & Information Management