ANNUAL REVIEW
Data Protection & Privacy Laws 2013
September 2013 | DATA PRIVACY
financierworldwide.com
Financier Worldwide canvasses the opinions of leading professionals around the world on the latest trends in data protection & privacy laws.
UNITED STATES
S. Keith Moulsdale
Whiteford, Taylor & Preston LLP
“US regulatory risks stem from: the enforcement of sector-specific federal data privacy and security laws, such as the Gramm-Leach-Bliley Act – which regulates financial institutions, the Health Insurance Portability and Accountability Act (HIPAA), and the Fair Credit Reporting Act (FCRA); and expanded regulatory interpretations of laws which are neither sector-specific nor specific to data processing.”
CANADA
Adam Kardash
Heenan Blaikie
“Canada has one of the most active privacy regulatory enforcement arenas in the world. In particular, the Office of the Privacy Commissioner of Canada (OPC) and the provincial privacy regulatory authorities in the provinces of Ontario, Alberta and British Columbia have been very active in investigating privacy complaints as well as publishing a prolific volume of guidance and research on a range of emerging privacy issues.”
MEXICO
Salomon Rico
Deloitte
“One of the key regulatory risks that Mexican companies currently face is the risk of not complying with the requirements of the personal data protection law. Some of the negative consequences are related to loss of brand value, loss of client confidence, and fines.”
COLOMBIA
Enrique Álvarez
Lloreda Camacho & Co.
“In Colombia, companies have undertaken activities related to data processing for a long time – nonetheless, those activities were not regulated and therefore data was collected with no specific requirements. Since data protection regulation was recently issued in Colombia, it has been established that in order to transfer and store data, companies must have authorisation from the data subject. International data transfer is not authorised unless the company complies with the requirements established in the law.”
CHILE
José Antonio Lagos Melo
Deloitte
“As expected, the financial services industry is by far the most regulated. Local regulatory entities have increased requirements regarding business continuity in order to provide stability to the industry and increased control over third-party service providers. In this regard, operational changes towards cloud services are forcing every decision on technology strategy to be accompanied by an important risk assessment of how data is treated by third parties, for instance when personal or financial records are stored in cloud services supported in data centres abroad.”
UNITED KINGDOM
Bridget Treacy
Hunton & Williams
“Businesses are aware of the opportunities created by aggregating vast volumes of data – for instance, big data – and using data analytics, but are often unaware that data protection laws impose limitations on these activities. A key constraint is that personal data collected for one purpose cannot be used for different purposes without the individual’s consent. Further, personal data may not be kept indefinitely, but only for as long as necessary for the purposes for which it was collected.”
GERMANY
Stefan Simon
Buse Heberer Fromm
“Companies face a situation whereby the data protection provisions currently in effect, particularly those governing the use and transfer of data, do not meet the requirements of modern forms of economic collaboration. In particular, as a practical matter, there are no suitable legal standards with respect to cloud solutions for data storage and management under which companies can manage data with legal certainty. This applies especially to the question of access rights, deletion rights, and proof of data security for cloud solutions.”
SPAIN
Iban Díez
Gómez-Acebo & Pombo
“Data protection becomes more complex from a regulatory standpoint as companies increase their data processing activities, which usually occurs when they experience fast growth. An example of this is the technical and organisational implementation of security measures required by regulation. The law features three levels of security: basic, medium and high. Taking this into account is crucial since the regulation is stricter, the higher the level.”
SWITZERLAND
Matthias Bossardt
KPMG
BELGIUM
Wim Nauwelaerts
Hunton & Williams LLP
“Companies face the risk that their data processing activities might be scrutinised by the Belgian data protection authority – the ‘Privacy Commission’. The Privacy Commission is in charge of monitoring compliance with Belgian privacy and data protection law. It has the power to investigate possible violations, at its own initiative or following complaints from individuals whose personal data are at stake.”
DENMARK
Peter Kold
KPMG Denmark
“With increased centralisation of data processing activities and the utilisation of cross-border setups, certain local regulatory risks arise. Danish legislation prohibits the preservation of accounting data outside of Denmark. It is, however, possible to obtain an exemption under a number of conditions. We have seen an increased focus on compliance with local legal requirements and a rise in the number of applications for exemptions, as part of many companies’ outsourcing and off-shoring activities.”
SWEDEN
Emil Gullers
PricewaterhouseCoopers AB
“New and emerging technologies bring challenges when it comes to data privacy and data protection. For example, cloud technologies, off-shoring, multi-sourcing, service applications, social media and mobility all make the ICT landscape and ecosystem even more interconnected. Complying with data privacy requirements becomes a more complex task and it is no longer adequate to simply consider domestic laws and regulations. Organisations must adopt an organisation-wide global approach and engage specialists with global experience and reach.”
TURKEY
Gökhan Gökçe
YukselKarkinKucuk Attorney
“In Turkey, data protection is regulated by the general provisions of various laws and some sector specific regulations, but there is still no specific data protection law. However, commercial practice is far ahead of this legislative status, as Turkey acts as a hub between Europe and Asia and attracts a significant level of direct foreign investment. Presently, the lack of a data protection authority and specific legislation appears to be the main hurdle that companies face, as they are not able to receive any administrative guidance.”
INDIA
Atul Dua
Seth Dua & Associates
“Companies are required to abide by the Intermediary Guidelines and the Sensitive Personal Data Rules while handling ‘sensitive personal data’. Obtaining the consent of the data subject is one of the prerequisites to the collection, disclosure and transfer of sensitive personal data. If the body corporate handling the sensitive personal data is negligent in implementing and maintaining the reasonable security practices and procedures, causing wrongful loss or wrongful gain to a person, the body corporate shall be liable to pay damages as compensation to the affected person.”
PHILIPPINES
Jaime Renato B. Gatmaytan
Gatmaytan Yap Patacsil Gutierrez & Protacio
“Certain entities, such as banks and other financial institutions, may need to strike a balance between the requirements of data privacy and protection against those of other laws and regulations that apply to them or their operations. The Data Privacy Act expressly provides that its provisions do not amend or repeal the provisions of existing laws governing the secrecy of bank deposits, and yet information needed by public authorities in order for the Philippine central monetary authority, law enforcement, and regulatory agencies to perform their functions is denied the protection of the Data Privacy Act.”
MALAYSIA
Bong Kwang Teo
Wong Jin Nee & Teo
“In 2010, Malaysia passed the Personal Data Protection Act 2010 (PDPA). The PDPA was scheduled to come into force on 16 August 2013, but due to technical reasons, the operative date of the PDPA has been deferred. The PDPA has adopted the seven data protection principles – similar to those found in the UK PDPA – namely, the General Principle; the Notice and Choice Principle; the Disclosure Principle; the Security Principle; the Retention Principle; the Data Integrity Principle; and the Access Principle.”
AUSTRALIA
Matthew McMillan
Henry Davis York
“Companies engaged in the processing of personal information face increased regulatory risks with the recent amendments to the Privacy Act and the 13 Australian Privacy Principles (APPs) which come into force in March 2014. These APPs apply to the majority of organisations in Australia and govern their handling of personal information throughout the information-handling lifecycle, including transfer and storage. A company in breach may be investigated by the Australian Privacy Commissioner – either in response to a complaint by an individual or on the initiative of the Commissioner himself.”
UNITED ARAB EMIRATES
James Bowden
Afridi & Angell Legal Consultants
“The laws of the UAE pertaining to data protection were, with a small number of recent exceptions, not drafted in contemplation of the information age. As a result, there is significant ambiguity around this area of law in the UAE. These laws essentially focus on the confidentiality of information, and require that certain information or records be retained by parties in certain relationships, such as employer/employee, certain professionals and their clients, and so on.”
SOUTH AFRICA
Russell Nel
PwC South Africa
“In South Africa, there are a number of laws that regulate data protection and privacy. Regulatory compliance risks include reputation damage, financial penalties and imprisonment. Depending on the applicable law and the nature of the offence, fines can range from R5000 to R5m. Prison sentences typically fall into two categories: less severe offences or misdemeanours carry a sentence of up to 12 months, while more severe offences carry sentences of up to 10 years.”
CONTRIBUTORS
Afridi & Angell Legal Consultants
Buse Heberer Fromm
Deloitte
Gatmaytan Yap Patacsil Gutierrez & Protacio
Gómez-Acebo & Pombo
Heenan Blaikie
Henry Davis York
Hunton & Williams LLP
KPMG
Lloreda Camacho & Co.
PricewaterhouseCoopers AB
PwC South Africa
Seth Dua & Associates
Whiteford, Taylor & Preston LLP
Wong Jin Nee & Teo
YukselKarkinKucuk Attorney