ANNUAL REVIEW

Data Protection & Privacy Laws 2015

November 2015  |  RISK MANAGEMENT

financierworldwide.com




If all goes to plan, the end of 2015 will welcome the most significant piece of privacy legislation in 20 years. The EU’s General Data Protection Regulation is poised to supplant the Directive of 1995 and put in place an EU-wide scheme that would see vastly increased powers for data protection authorities, new requirements for data breach notification and, perhaps, new working definitions of things like ‘purpose limitation’ and ‘data minimisation’. Of course, that ‘perhaps’ looms large. We won’t know until after the trilogue negotiations are finished just which definition or regulation we’ll need to comply with going forward. That has much of industry on pins and needles, and rightly so.

 

UNITED STATES

Daniel Farris

Polsinelli

“In the US, companies are confused. Led again by California, 13 US states have passed new privacy-related laws, and 52 other bills were introduced in state legislatures during 2015 alone. Two different bills – the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act – passed the federal House of Representatives, and the Senate recently passed the Cybersecurity Information Sharing Act, which now must be reconciled. Most importantly, however, the effects of the EU Court of Justice’s Schrems decision have US companies reeling. The current environment is characterised by anxiety and confusion. Most companies are investing in data security and privacy compliance, and most want to be good corporate citizens, but regulators are making that an increasingly difficult task.”

 

CANADA

Raymond Doray

Lavery, De Billy, LLP

“The main challenge for companies operating in Canada results from the Canadian legislative structure under which privacy matters are regulated by federal and provincial statutory regulations, both broad and focused. For example, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to personal information collected, used and communicated in the course of commercial activities within those provinces and territories that have not enacted substantially similar legislation, and across Canada, to extraterritorial transfers of data. It does not apply to employee personal information, unless it is held by a federal undertaking.”

 

MEXICO

Fernando Roman Sandoval

PwC Mexico

“The Mexican privacy law was issued in July 2010, but after five years many companies still do not understand the impact and importance of the law and privacy. We have seen over the last year that companies are being more conscious about the financial and reputational impact of this law because the authorities are establishing high monetary penalties for non-compliance in all types of business and sectors. Previously, companies in Mexico believed that privacy simply involved notifying data owners of the purpose for which their data was being used. However, they are now becoming more aware that privacy involves many different aspects including technical, physical and administrative security measures, and also involves making changes to their processes and how data is handled to mitigate risks such as data loss, leakage or malicious usage.”

 

UNITED KINGDOM

Bridget Treacy

Hunton & Williams

“The degree to which different companies understand their privacy and data protection compliance obligations varies considerably. In general, companies that operate in highly regulated industries, or routinely process large volumes of personal data – such as banks, pharmaceutical companies, search engines, or insurance companies – are the most likely to have well-structured risk management procedures deeply embedded within their respective corporate cultures. Many other companies, however, do not fully understand their data protection obligations, or focus their attention too narrowly on data security while neglecting broader compliance requirements. For example, the Information Commissioner’s Office (ICO) recently issued a £200,000 fine – the largest ever issued for direct marketing offences in the UK – to a company that had failed to understand its compliance obligations.”

 

FRANCE

Claire François

Hunton & Williams LLP

“Companies are getting a better understanding of their data protection obligations under the current regulatory framework. This may be explained by a number of factors, including the fact that the French data protection authority (CNIL) regularly publishes guidance. For example, on 19 February 2015, the CNIL published practical information to remind companies of best practices related to Bring Your Own Device programmes. On 2 September 2015, the CNIL released new guidance to help child-directed website publishers comply with French data protection law. However, the CNIL has not taken an official position in every instance and companies are constantly developing new technologies involving the processing of personal data, which may raise questions on how to reach compliance in these new circumstances.”

 

BELGIUM

Wim Nauwelaerts

Hunton & Williams LLP

“The ongoing discussions about the proposed EU General Data Protection Regulation (GDPR), the more active enforcement approach taken by certain Data Protection Authorities, as well as some major data incidents, have made privacy and data protection compliance a recurrent topic in the press. This has moved compliance up the agenda of many companies, which are increasingly investing significant efforts to fully understand and comply with their obligations under data protection laws. This is especially the case for businesses that handle massive volumes of data, such as cloud service providers, or routinely deal with ‘sensitive’ personal data, such as health-related information.”

 

LUXEMBOURG

Alain Grosjean

Bonn & Schmitt

“Companies usually see data protection and all its binding rules as an impediment to their development. On the contrary, a real programme for data protection should be perceived as a commercial argument, a real asset. The European Regulation that will come into force next year will impose on companies a certain number of protective measures. The European Regulation proposal contains important sanctions for non-compliance with its provisions. Companies will, in any case, have to comply with principles like accountability that will completely change the way they process data. It is up to them to turn these obligations into a positive policy consisting of protection, security, trust and transparency. I do believe that companies can clearly benefit from this age of evolving laws.”

 

DENMARK

Elsebeth Aaes-Jørgensen

Norrbom Vinding

“Companies tend to focus on their primary business with customer needs as their first priority. Their second priority is complying with accounting principles and tax regulation. Generally speaking, efforts are dedicated to other administrative procedures only to the extent that companies have the time and manpower to do so. For many years, data protection was regarded as one of the things that would be given attention when time permitted. But in the last few years, the understanding of, and focus on, data protection and privacy have grown tremendously, and efforts related to complying with the data protection legislation are increasing. And there is no doubt that – with the new General Data Protection Regulation (GDPR) on the horizon – data protection will be given even higher priority in the future.”

 

ITALY

Alfredo Gallistru

PwC Italy

“In order to have a better understanding of the local context, it is worth highlighting the limited number of large-size operators and high number of medium and small-size enterprises operating in Italy. However, large operators represent a significant portion of the country’s competitive potential, so the degree of awareness of privacy issues varies. Large companies operating in Italy have a satisfactory understanding of privacy issues, as the officers in charge work constantly to ensure their company follows the most recent decisions and guidance of the authorities. Possible areas for improvement include appointing a responsible officer, such as a privacy officer, capable of overseeing a holistic approach, better communication among corporate functions such as legal and IT, and better enforcement of system requirements.”

 

JAPAN

Takashi Nakazaki

Anderson Mori & Tomotsune

“Large Japanese companies are aware of their duties of confidentiality and data protection under the Act on the Protection of Personal Information (APPI). However, many small and medium-sized companies are unaware of their duties, since private businesses which have less than 5000 individuals listed in their electronic or manual database at any time in the past six months are exempt under the APPI’s small business exception. This exception will be abolished under the amendments to the APPI which will come into force in 2017, and as a result, small and medium-sized companies must be prepared to achieve compliance with their new confidentiality obligations and ensure protection of personal data and privacy. Large companies must also reconsider their privacy policies, internal data protection rules and information security systems following the 2017 amendments.”

 

CHINA

Manuel Maisog

Hunton & Williams LLP

“The frequency and extent of abusive uses of personal information, such as unwanted text advertising messages, in China suggests that companies are not as aware of the risks and duties associated with personal information as they should be. Repeated enforcement campaigns, in which suspects are rounded up for investigations – seemingly in wholesale waves – as well as repeatedly reactive rulemaking in which regulations are promulgated only after and in response to an event or crisis, seem to suggest weaknesses in the overall attitude with which privacy-related risks are regarded in China.”

 

TAIWAN

Chin-Jui Chang

PwC Taiwan

“Taiwan passed the Personal Data Protection Act (PDPA) in April 2010 and it came into force in October 2012. The PDPA applies to all companies, individuals and public organisations and is a milestone piece of legislation. After three years of PDPA enforcement, the awareness of data protection in Taiwan varies by sector. The Taiwanese authorities enforce the data protection order to those companies who hold a large amount of personal data, such as firms in the telecoms, e-commerce and especially the financial services industry. Accordingly, those companies have committed considerable resources to boosting cyber security under the PDPA, particularly compared to companies in other industries. Most firms have implemented Personal Information Management Systems (PIMS) in order to comply with the regulation.”

 

AUSTRALIA

Grace Guinto

PwC Australia

“Australian organisations are playing catch-up with the rest of the world. However, the amendments that were made to federal privacy legislation 18 months ago, together with recent high profile enforcement actions taken by the Office of the Australian Information Commissioner (OAIC) against organisations that were deemed to have violated the privacy of their consumers, have raised the profile of this topic to the board and C-suite executives. There are still varying degrees of privacy maturity across Australian organisations. Some believe a simple update to their market-facing privacy statement is enough to satisfy their duties of confidentiality and data protection, while others have used their privacy compliance efforts to drive forward their responsibilities and build a competitive advantage by engendering consumer trust.”

 

NEW ZEALAND

Steve McCabe

PwC New Zealand

“The gap in New Zealand understanding is due to the speed of digital change rather than evolving privacy laws. New Zealand privacy legislation is more than 20 years old, and while there have been some amendments over time, it is not comprehensively equipped to govern and regulate privacy in a rapidly changing digital landscape. Recognising this, privacy law reform was signalled by the Minister of Justice in 2014, with proposals to address some of the shortcomings following an earlier Law Commission review, although there is yet to be a bill before parliament. We are seeing improvements in the understanding of privacy laws, especially in the public sector, yet there is still a great deal of variation in the maturity of privacy practices across organisations, and their understanding of their obligations, especially in areas such as offshore cloud services, outsourcing and cross-border information transfers and disclosures.”

 

SOUTH AFRICA

Busisiwe Mathe

PwC South Africa

“Most South African companies are familiar with confidentiality requirements, but privacy and the requirements for lawful processing of personal information are relatively new concepts to many. Exceptions to this include financial institutions, among others, which have been preparing for the commencement of South African privacy law since 2009 and before, resulting in a greater understanding of privacy and data protection requirements. In addition, awareness among South African companies in general has been steadily increasing since the Protection of Personal Information Act was signed into law in 2013, and certain sections of the Act commenced in April 2014. Another factor in rising levels of awareness has been the increased pressure being experienced by South African companies to provide evidence of compliance with data protection requirements in their dealings with both local and international counterparts, trading partners, clients and vendors. All of this has resulted in the initiation of privacy compliance efforts and programmes to implement compliance.”


CONTRIBUTORS

Anderson Mori & Tomotsune

Bonn & Schmitt

Hunton & Williams

Lavery, De Billy, LLP

Norrbom Vinding

Polsinelli

PwC Australia

PwC Italy

PwC Mexico

PwC New Zealand

PwC South Africa

PwC Taiwan


©2001-2016 Financier Worldwide Ltd. All rights reserved.