What key protections exist for personal data?
Technology (second edition)
The key protections for personal data under Indonesian law are:
a. the requirement of consent for any electronic system provider to handle personal data (e.g., collecting, processing, distributing);
b. the requirement of data-onshoring for any electronic system provider providing “public services” (as explained below);
c. the requirement of full disclosure for any use of personal data;
d. the deletion of personal data after a certain period of time or at the request of the personal data owner.
The processing of personal data (i.e., any information relating to an identified or identifiable natural person) is subject to the rules laid down in the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens, "Wbp").
On 25 May 2018, the Wbp will be replaced by the General Data Protection Regulation (GDPR). Under the Wbp, data controllers may only process personal data when certain specific conditions are met, including:
- Personal data may only be processed if there is a lawful basis to such processing activity (e.g., consent of the individual, the performance of a contract or the legitimate interests of the data controller);
- Personal data may only be processed for well-defined purposes;
- Personal data may not be kept longer than necessary in view of the purposes for which the data were collected;
- Appropriate technical and organisational measures should be implemented to safeguard personal data.
More stringent rules apply to "sensitive" personal data, such as health data or data related to criminal convictions. Also, under the Wbp, mandatory notification duties may apply in case of unauthorised or unlawful processing, and in case of accidental loss or destruction of personal data. Notification may have to be submitted to the Dutch Personal Data Protection Authority and the individual to whom the personal data relates.
The Brazilian data protection legal framework is going through a significant change. After years of legislative process, the Brazilian Congress approved in July, 2018, a comprehensive data protection law (Lei Geral de Proteção de Dados – “LGPD”), which regulates the use of personal data by both private and public entities in Brazil. Before the approval of the LGPD, privacy and data protection were generally protected under the Federal Constitution (as fundamental rights of individuals) and by sector-specific laws. The final enactment of the LGPD is expected to occur in August 2018, and the companies will have 18 months thereafter to ensure compliance with the law.
The LGPD mirrors a number of obligations and rights set forth in the General Data Protection Regulation – “GDPR” of the European Union, establishing detailed rules for the collection, use, processing and storage of personal data, which will affect all economic sectors, both in the digital and physical environment.
The LGPD introduces new rights to data subjects, such as the right to obtain information regarding the processing of data, right to access, rectify and delete data, right to withdraw the consent at any time, the right to data portability to another supplier of goods and services and the right to obtain the review of automated decisions.
Under the LGPD, the processing of personal data may only be carried out when based on one or more of the legal grounds provided for in such law. Among other cases, the processing of personal data is authorized upon the consent of the data subject, for the purpose of compliance with legal or regulatory obligations, when necessary for the performance of a contract, or when necessary to meet the legitimate interest of the data controller. Other specific legal bases apply to the processing of sensitive data (the definition of which includes, among others, health information and biometric and/or genetic data of the data subject).
According to the LGPD, data controllers and processors must adopt certain actions, which may include, but are not limited to:
(a) Define and document the legal grounds for processing personal data;
(b) Appoint a data protection officer, who will be in charge of handling personal data within the organizations;
(c) Report data breaches and security incidents to the national data protection authority and, in some cases, to the affected data subjects;
(d) Adopt technical and organizational measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, change, communication, transmission, or any other occurrence resulting from inadequate or illegal treatment; these measures shall be adopted from the creation of any new technology or product (privacy by design);
(e) Perform privacy impact assessments where required by the national data protection authority;
(f) Observe strict requirements in the transfer of data out of the country (as detailed in answer 8 below).
Until the LGPD becomes effective, the Consumer Protection Code (Law No. 8,078/9, the “Consumer Code”) and the Internet Act (Law No. 12,965/14) remain the most prominent federal statutes governing the use, collection and processing of personal data.
The Consumer Code is applicable whenever a consumer relationship is formed between an individual (or corporate entity, in certain circumstances) and a service provider or a product manufacturer. The privacy of consumer relations and handling of databases are regulated by this Code. The Consumer Code requires that the individual whose data is being collected must be informed of the input of his/her information into a database (there is no requirement for consent, but rather, a notice). The consumer should have the right to access, rectify and correct his/her database information.
In addition, there are other sector-specific laws that deal with privacy and data protection, such as the Wiretap Act (Law No. 9,296/96), the Bank Secrecy Act (Complementary Law No. 105/01), and the Information Access Act (Law No. 12,527/01), which governs information collected by the federal government. Other privacy and data protection regulations apply to specific sectors of the economy, labor relationships and the exercise of certain professions (doctors, attorneys and financial advisors, for example).
Since 25 May 2018, the General Data Protection Regulation (GDPR) (EU) 2016/679 has been in effect in Luxembourg. A complementing law in Luxembourg was voted on 26 July 2018 to adapt the national legal framework to the GDPR provisions (the "Local DPA").
Under Article 5 of the GDPR, personal data must be processed lawfully, fairly and in a transparent manner. It must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The personal data must be adequate, relevant and limited to what is necessary in relation to the purpose of processing as well as accurate and, where applicable, kept up to date. Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the data are processed. Furthermore, it must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures. The controller is responsible for and must be able to demonstrate compliance with the above principles.
A controller must only process personal data on the basis of one or more of the legal grounds set out in Article 6 of the GDPR. These include the data subject's consent to the processing for one or more specific purposes; when it is necessary for entering or performing a contract with the data subject; when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed; when processing is necessary in order to protect the vital interests of the data subject or of another natural person; and when it is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except when those interests are overridden by the interests or the fundamental rights and freedoms of the data subject which require protection of personal data.
Although many of the former EU Directive's core principles remain the same under GDPR, the GDPR does impose some new and additional requirements. The following examples are not exhaustive.
There is increased territorial scope of GDPR as it applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU regardless of whether the processing takes place in the EU or not (Art. 3(1)). Additionally, the GDPR applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU where the activities relate to either the i) offering of goods or services to data subjects in the EU, irrespective of whether a payment of the data subject is required or ii) the monitoring of the behaviour of data subjects as far as their behaviour takes place within the EU. Other major changes are that the conditions for consent have been strengthened, and it must be easy for data subjects to withdraw consent.
The rights of the data subjects are substantially expanded under the GDPR. Part of that is the right for data subjects to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall, if requested, provide a copy of the personal data, free of charge. Data erasure entitles data subjects to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties stop processing of the data. The conditions for erasure are stipulated in Art. 17 of the GDPR and include, inter alia, that the data is no longer relevant to the original purpose for processing, or data subjects withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests. The GDPR also has provisions on data portability, which entails the right for data subjects to receive the personal data concerning them, which they have previously provided, in a "structured, commonly used and machine readable format" and the right to transmit that data to another controller.
Moreover, appointing a Data Protection Officer (DPO) is mandatory under certain circumstances under the GDPR. The DPO shall be involved, properly and in a timely manner, in all issues related to the protection of personal data, and data subjects may contact the DPO regarding processing of their personal data and to exercise their rights under the GDPR. Breach notification, within a specific and narrow timeframe, has become mandatory in all member states where a data breach is likely to "result in a risk for the rights and freedoms of individuals." Organizations (either controllers or processors) in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater) for the most serious infringements.
Numerous GDPR provisions allow EU member states to enact national legislation specifying, restricting, or expanding the scope of the GDPR's requirements. The Local DPA provides for three specific provisions that complement the GDPR in the matters that were left to the discretion of the member states.
1. Processing of personal data for the purposes of journalism, university research, art or literature:
- Processing of such data is not subject to prohibition provisions set out in Article 9 of the GDPR.
- Processing of such data is not subject to limitations applicable to processing of personal data relating to criminal convictions and offences (Article 10 of the GDPR), provided that:
  - such processing concerns data made publicly available by the data subject; or
  - the concerned data are connected to the public life of the data subject; or
  - the data is closely connected to the event in which the data subject has willingly become involved.
- Processing of such data is not subject to obligations imposed on the data controller in case of a transfer of personal data to third countries or international organisations.
- Processing of such data is not subject to the obligation of the data controller to provide particular information to the data subject where personal data is collected from the data subject (Article 13 of the GDPR).
- Processing of such data is not subject to the obligation of the data controller to provide information to the data subject where personal data has not been obtained from the data subject (Article 14 of the GDPR).
- Processing of such data is not subject to the obligation to provide the data subject with the right of access to his/her personal data. Such right may only be exercised with the assistance of the National Data Protection Commission (CNPD) and with the President of the Press Council present or his representative.
2. Processing of personal data for the purposes of statistics or scientific or historical research.
The rights of the data subject specified under Articles 15, 16, 18 and 21 of the GDPR may be limited provided that such limitations are proportional to the aim pursued and take into consideration the nature of the data and of the processing. Such limitation may only be applied where the data controller has taken additional appropriate safeguard measures for the rights and freedom of the data subject, such as, in particular:
- Appointment of a DPO.
- Making an analysis of the impact of the contemplated processing on the protection of personal data.
- Anonymising the data processed, etc.
3. Processing of sensitive data.
The Local DPA provides that the processing of sensitive data, including health data, may be carried out by the relevant medical bodies and healthcare professionals in the framework of their activities, as well as by research bodies (with appropriate safeguards), social security organisms, insurance companies, pension funds, the Medical and Surgical Mutual Fund and other approved organisms.
In addition to the above, the Law of 30 May 2005 regarding the protection of privacy in the electronic communications sector, that implements Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive), lays down some specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector.
Furthermore, specific provisions of the Luxembourg Labour Code (L.261-1 and L.261-2) regulate the processing operations for workplace supervision purposes.
In May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), became directly applicable in Romania.
As a consequence, the former Romanian national legal framework has been repealed and new attributions have been granted to the National Supervisory Authority for Personal Data Processing (“Data Protection Authority”) by Law no. 129/2018 for modification and completion of Law no. 102/2005 regarding the establishment, organization and functioning of the National Supervisory Authority for Personal Data Processing and repealing Law no. 677/2001 with regard to the processing of personal data and on the free movement of such data (“Law 129/2018”).
Law 129/2018 mainly refers to the powers of the President of the Data Protection Authority, the control and claims settlement attributions of the said authority and the judicial remedies available to data subjects.
In order to implement the provisions of article 9 paragraph (4) and articles 37-39, 42, 43, 83, 87-89 of GDPR, Romania has also adopted Law no. 190/2018 on GDPR implementing measures (“Law 190/2018”).
The implementing measures provided by Law 190/2018 mainly refer to the following:
- the processing of genetic data, biometric data or data concerning health for automated decision-making or profiling should be based upon the explicit consent of the data subject or an express legal provision, with appropriate measures established;
- the processing of national identification data (personal identification number, identity card’s series and number, passport and driver license number, health social security number) and the collection or disclosure of documents that contain the same can be made only in accordance with article 6 paragraph (1) of GDPR; in case of processing based upon letter f) of article 6 paragraph (1) of GDPR, the controller or the third party should establish certain warranties;
- data processing in the context of employment; in case an employer utilizes monitoring systems by electronic and / or video means, the processing of employees’ personal data based on employer’s legitimate interest is permitted only under certain specific conditions set out by Law 190/2018;
- for the processing of personal data and of special categories of personal data in the context of fulfilling a task carried out in the public interest, the controller or the third party should establish certain warranties set out by the law;
- the processing of personal data carried out for journalistic purposes or for the purpose of academic, artistic or literary expression can be made if the data used have been explicitly made public by the data subject, or if such data are closely linked to the capacity of the data subject as a public person or to the public character of the facts in which the data subject is involved;
- derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes are granted pursuant to article 89 of GDPR;
- the processing of personal data and of special categories of personal data by political parties, nongovernmental organizations of citizens belonging to national minorities and nongovernmental organization is permitted without the consent of the data subject, subject to certain warranties;
- the designation and the tasks of the data protection officer are in line with the ones provided by articles 37-39 of GDPR;
- the accreditation of certification bodies provided by article 43 of GDPR shall be made by the Romanian Accreditation Association (in Romanian, Asociația de Acreditare din România – RENAR) according to the EN-ISO/IEC 17065 standard and supplementary requirements issued by the Data Protection Authority;
- the corrective measures and penalties for public authorities and bodies are derogatory and refer to a remedy plan and the level of maximum fine (Ron 200,000, approximately EUR 43,000).
In Spain, until 25th May 2018, personal data has been regulated under Organic Law 15/1999, of 13th December 1999, on the Protection of Personal Data ("LOPD") and Royal Decree 1720/2007, of 21st December 2007, that approves the implementation of Regulation of the LOPD ("RLOPD"). Since the 25th May 2016, the EU Regulation 679/2016 ("GDPR") has partially de-regulated both the LOPD and the RLOPD and is now the main regulation that sets out how personal data shall be processed in Spain. A new Spanish data protection act, which will implement and complement the GDPR, is currently being developed in Spain, although the date on which it will come into effect has not yet been decided. In the meantime, the Spanish government has adopted an emergency ordinance (Royal Decree-Law 5/2018, of 27th July 2018, of emergency measures for the adaptation of the European Union data protection legislation to Spanish law) to give the powers to the Spanish DPA that are required by the GDPR.
The GDPR lays down many obligations for companies that process personal data within the EU and/or personal data of EU nationals. In general terms, under the GDPR personal data shall be processed in accordance with the data protection principles (‘lawfulness, fairness and transparency’); collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’). Other obligations include the need to satisfy the data protection rights of data subjects, to notify the Spanish data protection supervisory authority (Agencia Española de Protección de Datos or "AEPD") of personal data breaches, the need to have in place a record of processing activities, the obligation to adopt appropriate security measures or the need to respect the restrictions for international transfers of personal data.
The Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011 (RSPP-SPD Rules or Rules) notified under the Information Technology Act, 2000 (IT Act) presently govern the handling of personal data by body corporates. The RSPP-SPD Rules define ‘personal data’ and ‘sensitive personal data’, and put forth the conditions for obtaining consent, processing, usage and transfer of both personal and sensitive personal data. The Rules also mandate the implementation of an organisational policy for dealing with personal data.
The year 2017-2018 has been a watershed year for data privacy laws in India. The Supreme Court of India recognised ‘the right to privacy’ as a fundamental right enshrined in the Constitution and outlined the principles on which the State must enact laws for data privacy. Many sectoral regulators also proposed draft legislation protecting the rights of data subjects within their respective domains. The Reserve Bank of India (RBI), which is the central bank of India, issued a data localisation order in April 2018, requiring all payment system operators in India to store all transactional data relating to the payments ‘eco-system’ within the country. Later, the Ministry of Electronics and Information Technology (MeitY) published the draft Personal Data Protection Bill (on July 27, 2018), which is an all-encompassing legal framework for data privacy in India. This Bill, once enacted, will supersede existing legislation.
The protection of personal data has been recognized as a fundamental right under Article 20(3) of the Constitution of the Republic of Turkey since its amendment in 2010. The Law on Protection of Personal Data numbered 6698 (“DP Law”), which constitutes the main legislative instrument specifying the principles and procedures concerning the processing and protection of personal data, was published in the Official Gazette on 7 April 2016 and has been in effect as of this date.
Additionally, the data protection authority established by the DP Law, the Personal Data Protection Board (Board), is currently active and has been regularly publishing secondary legislation of the DP Law as well as principle decisions and guidance documents concerning the application of the DP Law. Certain data protection rules are also scattered across sector-specific laws.
The DP Law applies to all natural persons whose personal data are processed. All natural or legal persons processing personal data shall also be considered within the scope of the DP Law.
Article 5 of the DP Law lays down the conditions for processing of personal data: as a general principle, processing of personal data without obtaining the explicit consent of the data subject is prohibited. However, there are certain conditions provided by the DP Law under which the consent of the data subject shall not be required for the relevant data processing operation.
Accordingly, consent of the data subject is not necessary for lawful personal data processing where the data processing:
a) is expressly envisaged under law;
b) is necessary in order to protect the life or physical integrity of the data subject or another person in cases where the data subject is physically or legally incapable of giving consent;
c) is necessary for the conclusion or performance of a contract, provided that the processing is directly related to the parties of the contract;
d) is necessary for compliance with a legal obligation to which the data controller is subject;
e) shall be conducted on information that has already been revealed to the public by the data subject;
f) is necessary for the establishment, exercise, or protection of a right;
g) is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject shall not be overridden.
Lastly, according to Article 11 of the DP Law, data subjects are entitled to the following rights:
- learn whether personal data relating to him/her are being processed,
- request further information if personal data relating to him/her are being processed,
- learn the purpose of the processing of personal data and whether data are being processed in compliance with such purpose,
- learn the third-party recipients to whom the data are disclosed within the country or abroad,
- request rectification of the processed personal data which is incomplete or inaccurate and request such process to be notified to third persons to whom personal data is transferred,
- request deletion or destruction of data in the event that the data is no longer necessary in relation to the purpose for which the personal data was collected, despite being processed in accordance with the Law and other applicable laws and request such process to be notified to third persons to whom personal data is transferred,
- object to negative consequences resulting from an analysis conducted exclusively by automated systems,
- demand compensation for the damages suffered as a result of an unlawful personal data processing operation.
The key protections are mainly laid out in the GDPR, together with some supplementary Swedish legislation. In summary, the following can be said about the protection.
Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) of the GDPR, not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Furthermore, data controllers are obliged to be able to demonstrate that, and how, they fulfil the obligations of the GDPR (accountability).
All processing of personal data has to rest on at least one of the six legal grounds set out in the GDPR. The six legal grounds are the following:
- Processing of personal data that emanates from consent from the data subject. The consent can cover one or several specific purposes.
- Processing of personal data that is necessary to fulfil a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing of personal data that is necessary to fulfil a legal obligation.
- Processing of personal data that is necessary to protect vital interests of the data subject or other natural persons.
- Processing of personal data that is necessary to carry out a task that is of public interest, or in line with the exercise of official authority of the data controller.
- Processing of personal data that is necessary for purposes of legitimate interests pursued by the data controller or a third party. This does not apply when interests or fundamental rights and freedoms of the data subject require protection of the personal data, especially when the data subject is a child. The exclusion cannot be applied to processing executed by public authorities in the performance of their tasks.
It must be clear for the data subjects how their personal data are processed. Accordingly, the data subjects must be made aware of the processing of personal data per se, why the data is being processed, and how it is used. Understandable information must be provided by the data controller about the processing and in a manner which makes it easy for the data subjects to find the information. If the data subjects are children, the language needs to be even clearer. See articles 13 and 14 of the GDPR.
Rights of the data subjects
Data subjects have a number of rights listed in the GDPR. These are mainly laid out in articles 15 up to and including 21 and comprise the following rights:
- Right to information and access by the data subject;
- Right to rectification;
- Right to erasure;
- Right to restriction of processing;
- Right to notification of erasure or restriction of processing;
- Right to data portability; and
- Right to object.
The data subjects have the right to receive the personal data provided to a data controller in a structured, commonly used and machine-readable format (Right to access). Upon request from the data subject, the personal data is under certain circumstances to be erased (Right to erasure). Moreover, the data subject has the right to transfer those data to another data controller without hindrance where (i) the processing is based on consent pursuant to point (a) of article 6(1) or point (a) of article 9(2) or on a contract pursuant to point (b) of article 6(1); and (ii) the processing is carried out by automated means (Right to data portability). When it is technically feasible, the data subject has the right to have personal data transmitted directly from one data controller to another.
It shall also be noted that more stringent rules apply to ‘sensitive’ personal data (e.g. personal data relating to health or trade union membership).
Switzerland is a member state to certain international treaties regarding data protection, such as the European Convention on Human Rights and Fundamental Freedoms and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 (Convention ETS 108) and its additional protocol of 8 November 2001.
The Data Protection Act (DPA) is currently undergoing revision and a draft for the revised DPA has been published in September 2017. However, the draft is still subject to parliamentary debate and therefore the final wording of the revised DPA remains uncertain. The Swiss parliament has decided to divide the ongoing revision into two parts as follows:
- The first part includes the revision of only those provisions of the DPA which are required due to the implementation of Directive 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data. This Directive must be implemented by Switzerland as it forms part of the Schengen acquis. The scope of the Directive is limited to the processing of personal data by competent authorities for aforementioned purposes. Accordingly, it only imposes additional obligations on authorities conducting such processing as a controller and natural or legal persons processing personal data as a processor on behalf of such an authority.
- The second part of the DPA revision will include the revision of those DPA provisions necessary to uphold the EU adequacy decision for Switzerland and, accordingly, will contain an equivalent of many of the provisions introduced in the EU through the GDPR. This second part will be taken up subsequently and the respective timing remains unknown (although it is currently not expected that the second part of the revision will enter into force before late 2019 or 2020).
‘Personal data’ or ‘personal information’ under the Cyber Security Law refers to various types of information that can be used separately or in combination with other information to identify a natural person, including but not limited to name, date of birth, identity certificate number, genetic information, address and telephone numbers. According to the Cyber Security Law, when network operators collect personal information, they shall follow the principles of legitimacy, rightfulness and necessity, disclose their rules of collecting and using the information, specify the purpose, ways and scope of collecting and using the information, and obtain consent from the information subjects. Network operators shall not divulge, tamper with or damage the personal information they have collected, and shall not provide the personal information to others without the consent of the information subjects.
The Guidelines for the Protection of Personal Information (GB/Z 28828-2012) divide personal information into personal general information and personal sensitive information. Personal sensitive information means information which, once exposed or modified, will have an adverse impact on the information subject. Express consent from the information subject is required before personal sensitive information is collected.
Further, Article 253 of the Criminal Law and its 9th amendment define the criminality of selling or providing citizens' personal information in serious circumstances. To give more guidance on applying the criminal law, the Interpretations of the Supreme Court and the Supreme Procuratorate on Several Issues Concerning the Application of Law in Handling Criminal Cases of Invading Personal Information further specify the criminality stipulated in Article 253.
The processing of personal data is regulated under the Personal Data Held by Private Parties Act (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) and the Personal Data Held by Government Entities Act (Ley General de Protección de Datos Personales en Posesión de los Sujetos Obligados) (the “Data Protection Legal Framework”).
The key protections for data subjects, under the Data Protection Legal Framework, are the following:
- Controllers must process personal data in accordance with the principles of legality, consent, information, data quality, proportionality and liability provided under the Data Protection Legal Framework;
- All processing of personal data is subject to the data subjects’ consent, except in certain situations provided under the Data Protection Legal Framework (for instance, when data is publicly available, when the same is necessary for medical attention or when processing is permitted under applicable law). Consent may be tacit (opt out), when general personal data (i.e. name, email, telephone number, etc.) is processed, but must be explicit (opt in) when processing financial data (i.e. credit card number, bank account statements) and/or sensitive data (i.e. health condition, sexual preference and political affiliation), in which cases the written consent must be obtained from data subjects; and
- Data controllers and processors must implement adequate physical, administrative and technological security measures to guarantee the integrity and confidentiality of the personal data.
The Personal Data Protection Act 2010 (“PDPA”) regulates the processing of personal data in commercial transactions and applies to anyone who processes and has control over or authorises the processing of any personal data in respect of commercial transactions. The Personal Data Protection Commissioner (“Commissioner”) has also issued subsidiary legislation pursuant to the PDPA, particularly Personal Data Protection Regulations 2013 (“Regulations”) and Personal Data Protection Standard 2015 (“Personal Data Protection Standard”).
The PDPA establishes 7 key principles which must be complied with by data users when processing personal data: (i) consent; (ii) notice and choice; (iii) disclosure; (iv) security; (v) retention; (vi) data integrity; and (vii) access. The PDPA also imposes a duty on data users to have adequate security and indemnity measures to inhibit the theft, misuse, unauthorized access, accidental disclosure, alteration or destruction of personal data under their care. Non-compliance with the PDPA may result in the organisation, upon conviction, being liable to a fine ranging from RM100,000 to RM500,000 and/or to imprisonment ranging from 1 to 3 years.
Codes of practice may be implemented by various data user forums or the Personal Data Protection Commission for various classes of users in differing sectors. These codes of practice would have binding effect on the various classes of users registered with the Personal Data Protection Commission. The Association of Banks in Malaysia has issued a code of practice targeted at all banks and financial institutions licensed under the Financial Services Act 2013, the Islamic Financial Services Act 2013 and the Development Financial Institution Act 2002. The code of practice provides for inter alia (1) measures to be deployed by banks and financial institutions to ensure the non-infringement of the data subjects’ rights when processing personal data; and (2) matters for the consideration of banks and financial institutions to ensure that risks to the personal data of data subjects are minimised. The Personal Data Protection Code of Practice for the Utilities Sector (Electricity), and the Personal Data Protection Code of Practice for the Insurance/Takaful Industry are also other codes of practice that have been approved and registered by the Commissioner.
The General Data Protection Regulation 2016/679 issued by the EU Parliament and Council on 27 April 2016 (‘RGPD’/‘GDPR’) replaced the existing 1978 Act on 25 May 2018. Implementation texts will be adopted at both EU and national levels.
Under the GDPR, personal data may be collected and further processed only under certain conditions, such as:
- when the concerned person (‘data subject’) has consented;
- when it is necessary for the performance of a contract to which the data subject is a party, or to comply with a legal obligation imposed on the data controller;
- where it is necessary to safeguard an individual’s vital interests or for the performance by the data controller of its public interest mission or official authority; or
- where there is a ‘legitimate reason’ for the processing, provided this does not harm the data subject's fundamental rights and freedoms.
Other key protections must be followed by the ‘data controller’ (i.e. the person who determines the purposes and means of the data processing) such that:
- the personal data must be processed lawfully, fairly and in a transparent manner;
- personal data must be collected for specified, explicit and legitimate purposes and must be subsequently processed in accordance with these purposes;
- the personal data that is collected must be adequate, relevant, and non-excessive in view of the purposes for which it is collected (this is called ‘data minimisation’);
- all personal data must be accurate and, when necessary, kept up to date;
- personal data must not be retained for longer than necessary in light of the purposes for which it is processed; and
- the data controller must implement appropriate organizational and technical measures to ensure the security and confidentiality of the personal data, both against unauthorized or unlawful processing and against accidental loss, destruction or damage to the data.
Data subjects are granted certain specific rights that include the right to access their personal data and to request correction, deletion and/or portability of such data.
More stringent rules may apply, depending on the sensitivity of data at stake. Individuals may file claims with their national authority (in France, Commission Nationale de l’Informatique et des Libertés - CNIL).
The key protection for personal data is found in the GDPR (DS-GVO) and the new version of the German Federal Data Protection Act (BDSG). Since 25th May 2018 the GDPR and the revised BDSG have been in force. The new regulation on the protection of personal data for the whole of the European Union pursues the objective of ensuring a fairly harmonized approach to data protection across all member states. In general, the GDPR can be considered to be very strict, particularly due to the very high fines it imposes for breaches.
In accordance with Art. 6 GDPR the processing of personal data shall only be lawful if and to the extent that a statutory permission is applicable or the data subject has given consent to the processing. Art. 6 (2) GDPR permits the processing of personal data in particular to the extent necessary for the performance of a contract (lit. b), for compliance with a legal obligation (lit. c) and in case of prevailing interests of the data controller (lit. f) as general permissions.
In addition, German law also contains sector specific protection for personal data. Section 88 TKG is an important provision for the telecoms sector as it stipulates the requirement of secrecy of telecommunications. Further telecom-specific regulations on data protection are found in sections 91 et seqq. TKG. The data protection regulations of the TKG, which have been issued to implement the directive 2002/58/EG, will continue to be applicable in accordance with Art. 95 GDPR.
In respect of electronic information and communication services (“telemedia”) which are not considered telecommunications, in particular websites, specific protection rules were found in sections 11 et seqq. of the Telemedia Act (TMG). However, since the GDPR came into force, it has been unclear whether the special regulations of the TMG remain applicable. The TMG has not yet been adapted to the new data protection laws. In this regard the DSK (Datenschutzkonferenz, a joint committee of the data protection authorities of the German federal states) issued a position paper in April 2018. According to this paper, sections 12, 13 and 15 TMG are no longer applicable. Sections 67 et seqq. of Volume X of the Social Security Statute Act (SGB X) contain special provisions protecting social data which have been revised in the context of the GDPR and continue to apply in this respect.
The Personal Data Protection Act (Act 26 of 2012) ("PDPA") provides the overarching legislative framework which governs the protection of personal data in Singapore. The PDPA sets out minimum standards and obligations for organisations to comply with when handling personal data. The following are the key principles of the PDPA relating to the collection, use and disclosure of personal data: (i) consent; (ii) notification of purpose; (iii) access and correction; (iv) retention; (v) protection; (vi) accuracy; and (vii) transfer out of Singapore.
Additionally, there are sector-specific legislative and regulatory frameworks which operate in tandem with the PDPA. Examples of such sector-specific considerations include additional legislation and/or regulations governing the handling of personal data by financial institutions or certain organisations in the life sciences or healthcare industry. Such other legislation would prevail over the PDPA to the extent of any inconsistencies.
The Privacy Act 1988 (Privacy Act) regulates the collection and handling of personal information. The Australian Privacy Principles (APPs), which comprise Schedule 1 to the Privacy Act, contain 13 key protections for personal information, and regulate the following activities with respect to personal and sensitive information (as those terms are defined in the Privacy Act):
(a) collection, use and disclosure;
(b) direct marketing (to the extent the provisions of the Spam Act 2003 (Cth) or the Do Not Call Register Act 2006 (Cth) do not apply);
(c) cross-border disclosure; and
Consent is not always needed for the collection of personal information; however, it must be lawfully obtained in accordance with the requirements of the Privacy Act. Once collected, subject to limited exceptions, APP 6 provides that personal information may only be used or disclosed by an organisation where an individual has either expressly or impliedly consented to such activities or would reasonably expect their personal information to be used for such purposes. Breach of an APP is considered an interference with privacy, and such a breach is subject to the same penalties as any other contravention of the Privacy Act.
The APPs are binding on government agencies and organisations, with small businesses being exempt. However, it is considered good practice to comply with the APPs despite not being bound to do so.
The U.S. does not have omnibus protection for personal data; rather, it has taken a sectoral approach. Health related information is protected under the Health Insurance Portability and Accountability Act ("HIPAA"). HIPAA's Privacy Rule (and the privacy requirements under the HITECH Act) regulate the use and disclosure of protected health information by "covered entities", such as health plans, insurers and medical service providers, as well as "business associates", such as contractors and other service providers to covered entities. Individuals have a right to know the protected health information held by a covered entity and to require the correction of inaccurate information. HIPAA's Security Rule requires covered entities and business associates to maintain administrative, physical and technical measures to protect health information.
Consumer financial data is protected under the Financial Privacy Rule pursuant to the Gramm-Leach-Bliley Act ("GLBA"). The Privacy Rule requires financial institutions to provide privacy notices to consumers that permit them to opt out of sharing financial data with unaffiliated third parties. GLBA's Security Rule requires written security procedures to be in place for the safeguarding of consumer financial information. The Fair Credit Reporting Act ("FCRA") and the Fair and Accurate Credit Transactions Act ("FACTA") regulate the use of consumer credit information, entitle consumers to a free copy of their credit report from each credit reporting agency and provide for disputing inaccurate information.
All 50 states have enacted legislation requiring notice to customers when a security breach has exposed, or is reasonably believed to have exposed, a consumer's personal information. Personal information under data breach laws is typically defined as a first name or initial, a last name, plus a social security number, driver's license or state ID number or an account number with a password or PIN. Recently, states have expanded this definition to include login credentials plus password, and some states have begun to include biometric information as personal data for purposes of breach notification laws. The threshold for notice, timing requirements and liability vary by state.
There are also recent developments in state law that are expanding privacy protections beyond specific sectors. When the California Consumer Privacy Act of 2018 comes into effect in 2020, all businesses in California will have to observe restrictions on data monetization and accommodate individuals' rights to access, deletion, and porting of personal data.
The Act on the Protection of Personal Information (the APPI) is a comprehensive, cross-sectorial framework for the protection of personal information. While the APPI regulates private businesses using personal information, use of personal information by the public sector is separately regulated by certain laws and local ordinances. The APPI is implemented by cross-sectoral administrative guidelines prepared by the Personal Information Protection Committee (the Committee). With respect to certain sectors, such as medical, financial and telecommunications, sector-specific guidance and guidelines are published by the Committee or the relevant governmental ministries given the highly sensitive nature of personal information handled in those sectors. Self-regulatory organisations and industry associations have also adopted their own policies or guidelines. In addition, the Act on Utilisation of Numbers to Identify a Specific Individual in Administrative Procedures provides special rules concerning the handling of “individual numbers”, which are granted to each resident of Japan under the Individual Social Security and Tax Numbering System (known in Japan as the “My Number System”), and other specific personal information (i.e., personal information containing any “individual number”).
The obligations of all business operators handling “personal information” include: (i) specifying and notifying the purposes for which the personal information is used and processing the personal information only to the extent necessary for achieving such specified purposes; and (ii) not using deceptive or wrongful means in collecting personal information.
In addition, business operators handling “personal data” (i.e., personal information constituting a personal information database) are subject to certain obligations, such as: (i) endeavouring to keep the personal data accurate and up to date to the extent necessary for the purposes of use; (ii) undertaking necessary and appropriate measures to safeguard personal data; (iii) conducting necessary and appropriate supervision over its employees and its service providers who process its personal data; (iv) not providing personal data to any third party without the prior consent of the relevant individual (subject to certain exemptions); (v) preparing and keeping records of third-party transfers of personal data; and (vi) when acquiring personal data from a third party other than data subjects (subject to certain exceptions), verifying the name of the third party and how the third party acquired such personal data.
Business operators handling “retained personal data” (i.e., personal data that a business operator has the authority to disclose, correct, add content to or delete content from, discontinue the use of, erase, and discontinue its provision to a third party) are required, among other things, to: (i) make accessible to the relevant individual certain information regarding the retained personal data; and (ii) respond to a request of the relevant individual to, e.g., provide a copy of retained personal data to such individual, correct, add to or delete the retained personal data, or discontinue the use of or erase such retained personal data.
The APPI imposes stringent rules for “sensitive personal information”, which includes race, beliefs, social status, medical history, criminal records and the fact of having been a victim of a crime, and disabilities.
The APPI provides for special rules for “anonymized personal data”, which must meet certain requirements under the APPI. Business operators that created or retain such anonymized personal data are subject to certain obligations (e.g., disclosure of the creation of such anonymized personal data and prohibition of re-identification) but no consent of the data subject is required for the use or provision of such anonymized personal data.
In Poland key protections for personal data are established by three (groups of) laws: (1) the General Data Protection Regulation (GDPR), (2) the Act of 10 May 2018 on the Protection of Personal Data (the Data Protection Act), and (3) branch- or sector-specific regulations.
As in all the EU member states, most personal data protections are provided for in the GDPR, which has been directly applicable in Poland since 25 May 2018. The GDPR replaced the Act of 29 August 1997 on the Protection of Personal Data, which was in force until 25 May 2018.
The Data Protection Act contains institutional and procedural safeguards of personal data protection. In particular, it establishes a new independent data protection authority – the President of the Office for Personal Data Protection, who enjoys all the powers vested in a regulatory authority under GDPR. It also specifies civil, criminal, and administrative liability for personal data breaches and limits the application of certain GDPR provisions with regard to processing carried out for journalistic purposes, as well as for the purpose of academic, artistic, and literary expression.
These laws are complemented by branch- and sector-specific regulations. These acts usually specify the legal grounds and retention periods for storing data and provide data subjects with additional guarantees in a given context (e.g. the employment relationship). For example, the most recent amendment to the Polish Labour Code introduced special provisions on employee monitoring that specify permissible grounds for such processing and limit the retention period to a maximum of 3 months from the date of recording. Some sector-specific regulations have already been amended in order to comply with the GDPR; however, most are still to be amended. The draft law amending more than 100 acts in connection with ensuring the proper application of the GDPR is under way and is expected to come into force in the fourth quarter of 2018. The privacy of persons engaged in electronic communication is protected under the provisions of the Telecommunications Act of 16 July 2004 and the Act of 18 July 2002 on Providing Services by Electronic Means.
The EU Directive 2016/680 (the Police Directive), which also provides for personal data protection, has not yet been implemented into Polish law, although the period prescribed for transposition expired on 6 May 2018. Legislative work on the prospective act on the protection of personal data processed in connection with preventing and combating crime is still ongoing.