
Privacy Laws – Non US Countries

Columns (by topic): EU – GDPR; Australia – Privacy Act; Canada – Personal Information Protection and Electronic Documents Act (PIPEDA); Singapore – Personal Data Protection Act; Brazil – General Data Protection Law; South Korea – Personal Information Protection Act; Japan – Protection of Personal Information Act

Purpose

To enable the free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data. The [Personal Data Protection Act (PDPA) of Singapore governs] the collection, use and disclosure of individuals’ personal data by organizations in a manner that recognizes both the right of individuals to protect their personal data and the need of organizations to collect, use and disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances. Excluded: data processing by a natural person exclusively for private and non-economic purposes; data processing undertaken exclusively for journalistic and artistic purposes; for academic purposes; or for purposes of: a) public safety; b) national defense; c) state security; or d) activities of investigation and prosecution of criminal offenses. To provide for the processing of personal information for the purpose of enhancing the rights and interests of citizens, and further realizing the dignity and value of individuals by protecting their privacy from the unauthorized collection, leak, abuse or misuse of personal information. “To protect the rights and interests of individuals while ensuring due consideration for the usefulness of personal information by basic principles for the proper handling of personal information.
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”

Material Scope

Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law. “Any organization that collects, uses or discloses personal information in the course of commercial activities.
Excluding government institution to which the Privacy Act (RSC 1985, c. P-21) applies
Possibility of exclusion from the application of PIPEDA in certain provinces. (by decree)”
“The PDPA has limited scope and does not apply to all personal data processing activities, most notably, it does not apply to the activities of the public sector or any organization acting as an agent of a public agency in processing personal data.
Further, business contact information has effectively been excluded entirely from the operation of the PDPA.
Also excluded from much of the PDPA obligations are data intermediaries, although data intermediaries do need to abide by the provisions on the protection of personal data and the deletion of personal data when the purposes are no longer served in their retention.”
Applies to any public institution, corporate body, organization, individual, etc., that manages personal information directly or via another person to administer personal information files as part of their duties. Applies to the use of personal information for business. The APPI has a very broad and open concept of data processing.

Territorial Scope

Any company that has a branch in the EU or offers services to the EU market and collects and treats personal data of data subjects located in the EU, regardless of nationality, will be subject to the new law. “Any company that has a branch in Brazil or offers services to the Brazilian market and collects and treats personal data of data subjects located in the country, regardless of nationality, will be subject to the new law.
Data flows that are merely transmitted into Brazil, but not further processed, do not fall within the scope of the law.”
Although the territorial scope is not specified in the law, the standard for enforcement of South Korean data protection law is similar to the GDPR in that companies established in South Korea are certainly subject to the law, and foreign companies that target South Korean users are likely also within the ambit of enforcement action. The APPI does not have express provisions dealing with jurisdiction and territoriality.

Personal Data

“Any information:
(a) Relating to an identified or identifiable natural person;
(b) An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
“The Privacy Act governs the handling of “personal information,” defined as “information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.”
“Any information about an identifiable individual
Whatever the physical form or characteristics
Particular regime for “business contact information” (name, position, title, address, professional phone number, etc.). Only covers employees of, or applicants for employment with, an organization that collects, uses or discloses personal information in connection with the operation of a federal work, undertaking or business”
Data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organization has or is likely to have access. This includes unique identifiers; photographs or video images of an individual; as well as any set of data which, when taken together, would be able to identify the individual. Any information relating to an identified or identifiable natural person. The law gives no examples in its definition. “Personal information” means information pertaining to any living person that makes it possible to identify such individual by their name and resident registration number, image, etc. (including information which, if not by itself, makes it possible to identify any specific individual when combined with other information). Personal data means any information relating to an identified or identifiable natural person.

Data Subject

Relating to an identified or identifiable natural person. “Individual” is defined as “a natural person”.
Regulator guidance indicates that a deceased person is not a natural person (APP Guidelines para. B95).

Data Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or member state law, the controller or the specific criteria for its nomination may be provided for by Union or member state law. “The Privacy Act does not distinguish between controllers and processors.
Instead, the APPs apply to any APP entity that collects personal information.
The definition of “APP entity” includes:
• Most Australian Government agencies
• All private sector and not-for-profit organizations with an annual turnover of more than AUS $3 million
• All private health service providers, and
• Some small businesses (i.e., that trade in personal information for a benefit, are a contracted service provider to the Australian Government, or are a credit reporting body; ss 6(1), 6A).”
The act does not distinguish between controllers and processors. Both a controller and a processor are considered a “Personal information processor.” Means the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor

A natural or legal person, public authority, agency or another body that processes personal data on behalf of the controller. However, GDPR does also have a definition for “third party”: A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data. See above. “Personal information processor” means a public institution, legal person, organization, individual, etc. that processes directly or indirectly personal information to operate personal information files for official or business purposes. Because the act does not distinguish between controllers and processors, it is important to note that processors in South Korea are subject to many requirements that are reserved for controllers under the GDPR. Means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

Consent

“Should be an informed, unambiguous and free indication of the data subjects’ agreement for processing data as a general rule.
Should be explicit for processing sensitive data and for international data transfer.”
“Consent” is defined as “express consent or implied consent” (6(1)).
Regulator guidance indicates that the four key elements of consent are:
• The individual is adequately informed before giving consent
• The individual gives consent voluntarily
• The consent is current and specific
• The individual has the capacity to understand and communicate consent.”
“May be express or implied depending on the circumstances and the type of information, taking into account the reasonable expectations of the individual concerned.
Should generally be express when processing sensitive information.
May be withdrawn at any time, subject to legal or contractual restrictions and reasonable notice.
Not required when exceptions apply (for example, in the case of a “business transaction”)”
“When an individual voluntarily provides his/her personal data to an organization and it is reasonable for the individual to do so.
Voluntarily provided data to one organization can be passed on to another organization for a particular purpose.
Exceptions:
Consent is not needed for the following uses and circumstances:
For collection of personal data: Second schedule
For use of personal data: Third schedule
For disclosure of personal data: Fourth schedule”
“Should be an informed, unambiguous and free indication of the data subjects’ agreement for processing data as a general rule.
Should be specific for processing sensitive data and for international data transfer.”
“A personal information processor should use personal information only for the purposes specified to the data subject in any applicable consent.
The personal information processor shall inform the data subject of the duration of data retention when obtaining consent for processing, as well as make efforts to process personal information anonymously, if possible. The law specifies that when obtaining consent from data subjects, the personal information processor shall notify the data subjects of the fact by separating the matters requiring consent and helping the data subjects to recognize it explicitly. When obtaining consent for processing, the personal information requiring consent should be segregated from the personal information not requiring consent.
The personal information processor shall not deny goods and services on the basis that the data subject did not consent to certain processing (such as agreeing to receive solicitations).”

Sensitive Data

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. “Sensitive information” is a subset of personal information and is defined as:
• Information or an opinion (that is also personal information) about an individual’s:
◊ Racial or ethnic origin
◊ Political opinions
◊ Membership of a political association
◊ Religious beliefs or affiliations
◊ Philosophical beliefs
◊ Membership of a professional or trade association
◊ Membership of a trade union
◊ Sexual orientation or practices, or
◊ Criminal record
• Health information about an individual
• Genetic information (that is not otherwise health information)
• Biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or
• Biometric templates (s 6(1)).
APP 3 provides that sensitive information about an individual must not be collected unless the individual consents and the collection is reasonably necessary for an APP entity’s functions or activity, or a listed exception applies.”
“No definition of “sensitive information”
Ensure a level of security appropriate to the sensitivity of the information.”
Sensitive personal information pertains to ideology, belief, joining and withdrawing from trade unions or political parties, political opinion, health, sexual life, criminal history data, and DNA information acquired from genetic examination, as well as other personal information that, if processed, is likely to infringe the privacy of data subjects.

Accountability

The controller shall be responsible for and be able to demonstrate compliance with the principles of the processing of personal data under the GDPR. The controller and the processor shall designate a data protection officer where processing requires regular and systematic monitoring of data subjects on a large scale or the core activities of the controller or the processor consist of processing on a large scale of special (sensitive) categories of data or personal data relating to criminal convictions and offenses. “The personal information processor must appoint a privacy officer.
The Minister of Public Administration and Security has the right to request goods and documents that demonstrate compliance with the law and to enter the premises and inspect if the personal information processor fails to furnish the materials.”
The controller shall be responsible for and be able to demonstrate compliance with the principles of the processing of personal data under the GDPR. The controller and the processor shall designate a data protection officer where processing requires regular and systematic monitoring of data subjects on a large scale or the core activities of the controller or the processor consist of processing on a large scale of special (sensitive) categories of data or personal data relating to criminal convictions and offenses.

Transfer of Personal Information to 3rd Countries

Personal data may only be transferred to third countries where the EU has considered the laws to provide adequate protection or where protected by binding corporate rules, approved model clauses, binding agreements combined with an approved code of conduct or approved certification. APP 8 provides that, before disclosing personal information outside of Australia, a business must take reasonable steps to ensure that the recipient does not breach the APPs in relation to the information unless a listed exception applies. An APP entity that discloses personal information to an overseas recipient is accountable for a breach of the APPs by the recipient in relation to the information. “By way of contract or otherwise, provided that a comparable level of protection is provided for the personal information.
The individuals must be informed that their information may be sent to a foreign country for processing purposes and that it may be accessible to the courts and the law enforcement and national security authorities of that jurisdiction (according to the Processing Personal Data Across Borders Guidelines).”
Need for an adequacy decision to freely transfer data to other countries. In the absence of adequacy, the legal instruments provided by the regulation apply. Cannot be based on legitimate interest; express consent may be a legal basis. “A data protection agreement must be in place with the personal information processor in the context of any outsourcing. This requirement also applies to international personal information transfers.
The personal information processor must also inform data subjects when the personal information processor provides personal information to a third party overseas, and the personal information processor shall not enter into a contract for unlawful cross-border transfer when it obtains consent.”
Personal data may only be transferred to third countries where the EU has considered the laws to provide adequate protection or where protected by binding corporate rules, approved model clauses, binding agreements combined with an approved code of conduct or approved certification.

Right to Restriction of Processing

The data subject shall have the right to obtain from the controller restriction of processing where a specified ground applies. No equivalent. “Request for access in writing. Response within 30 days (this period may be extended). A charge may be required subject to certain conditions.
An organization shall assist any individual who requests assistance. Right to correct/rectify if the information is inaccurate or incomplete.”
“Section 21 of the PDPA allows an individual to request access to personal data held by an organization and to information concerning its use or disclosure in the preceding one year. This right to request access is, however, subject to many exceptions.
Similarly, Section 22 of the PDPA grants a right to request corrections in the personal data held by an organization that is due to error or omission.
However, organizations can, on reasonable grounds, choose not to correct the data. If organizations decide against correction, then the personal data should be annotated with the correction that was requested but not made. There are also numerous exceptions to this right.”
The data subject has the right to demand access to and suspension of processing of, and to make correction, deletion and destruction of, their personal information. The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and to access the personal data and information about the processing, including what categories of data are processed, the recipients of the data, the rights to erasure and rectification of the personal data, the right to lodge a complaint with a DPA, the source of the data, and whether the data was subject to automated profiling (and if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject).

Right to be Forgotten

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where a specified ground applies “No equivalent.
APP 11.2 requires that APP entities must destroy or de-identify personal information that they no longer require for a lawful business purpose.
However, individuals have no right to require APP entities to destroy or de-identify the information that they hold about them.”
PIPEDA also contains a basic right to erasure. Principle 4.5 of Schedule 1 of PIPEDA states that “personal information shall be retained only as long as necessary for the fulfilment of those purposes.” The word “shall” in principle 4.5 is a mandatory obligation and is one of the provisions that can be enforced in court under an application under s. 14 of PIPEDA.

Data Portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. “No direct equivalent.
APP 12.1 provides that if an APP entity holds personal information about an individual, the entity must, on request by the individual, give the individual access to the information.
APP 12.5 provides that the entity must take reasonable steps to give access in a way that meets the needs of the entity and the individual.”
The data subject shall have the right to receive the personal data concerning him or her and have the right to transmit those data to another controller without hindrance. Data subjects may demand access to data, with some exceptions. The law does not specify that access must be in the form of an export or other form of portability.

Data Breach Notification

“The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”
“Amendments to the Privacy Act to introduce a mandatory data breach notification requirement came into force on February 22, 2018.
APP entities that experience “eligible data breaches” (that generate a “likely risk of serious harm” to affected individuals) must give a statement in a prescribed format to the Information Commissioner as soon as practicable (s26WK), and to affected individuals (s26WL).
If it is unclear whether a breach is eligible, APP entities must conduct an assessment within 30 days of becoming aware of the breach (s26WH).”
“Notification to the Office of the Privacy Commissioner as soon as feasible of any breach that creates a “real risk of significant harm”.

Notification to the individual as soon as feasible of any breach that creates a “real risk of significant harm” to him/her.

Keep a record of every data breach and, on request, provide the Office of the Privacy Commissioner with access to the record.”

Controllers need to notify both DPAs and data subjects within a reasonable time (provision can be adjusted by the DPA). “The personal information processor must notify the aggrieved data subjects without delay when it becomes aware that personal information has been breached.
Breaches that affect more than a certain number of individuals as set forth in a presidential decree must be disclosed to the data protection authority.”

Breach Mitigation

“Notification to data subjects is not required if:
· The controller has implemented appropriate technical and organizational protection measures, and that those measures were applied to the data affected by the personal data breach, in particular, those that render the data unintelligible to any person who is not authorized to access it, such as encryption; or
· The controller has taken subsequent measures that ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialize; or
· It would involve a disproportionate effort. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.”
“There’s no specific provision that allows for a harm or risk test or application of mitigation to avoid the requirement to notify of a breach, but the personal information processor is obligated to take countermeasures to minimize damage.

The law provides that state and local governments shall devise policies to prevent harmful consequences of beyond-purpose collection; abuse and misuse of personal information; and enhance the dignity of human beings and individual privacy. Preventing harm is also expressed as a reason for certain personal information to be classified as sensitive.”

Penalty

“• Up to 10,000,000 EUR, or in the case of an undertaking, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher for infringements of obligations such as controllers and processors, the certification body, and the monitoring body.
• Up to 20,000,000 EUR, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher for infringements of obligations such as principles of processing, conditions for consent, data subject’s rights, transfer beyond EU, etc.
Under Article 84, each member state can lay down the rules on other penalties applicable to infringements of GDPR in particular for infringements which are not subject to Article 83 and can take all measures necessary to ensure that they are implemented.”
A breach of the APPs is an “interference with privacy” (s13). Serious or repeated interferences with privacy may be subject to a civil penalty of up to AUD $2.3 million for companies (s13G). “Fines not exceeding S$5,000-10,000 (depending on the offence) or imprisonment of up to 12 months (for individuals).
Fines not exceeding S$50,000-100,000 (depending on the offence) (for organizations)”

Anonymized Data

Outside of the scope of the law, taking into consideration the reasonable steps that could be used to re-identify. Outside of the scope of the law, taking into consideration the reasonable steps that could be used to re-identify. Might be considered personal data if used for profiling purposes.

Pseudonymized Data

Within the scope of the law, since it should be considered to be information on an identifiable natural person. Not defined by the law, except for research undertaken by public health agencies.

Lawful Processing

Six lawful legal bases: (i) consent; (ii) legal obligation; (iii) life protection; (iv) public interest; (v) contractual performance; and (vi) legitimate interest. Ten legal bases, which are: (i) consent; (ii) legal obligation; (iii) implementation of public policies by the public administration; (iv) research by public study entities; (v) contractual performance; (vi) exercise of rights in legal proceedings; (vii) life protection; (viii) health protection; (ix) legitimate interest; and (x) protection of credit.

Data Subject Access Requests

Up to 30 days; responding free of charge is optional. Right of access, up to 15 days. Other rights, reasonable time; responding free of charge is mandatory.

Employee Data

Article 81 of the GDPR permits EU member countries to enact specific laws to address employee data, which may be more strict than the GDPR. For Canadian organizations, it is important to recognize that PIPEDA only regulates the collection, use and disclosure of employee personal information for federal works, undertakings and businesses. These are usually employers such as airlines, banks, shipping companies and other federally regulated employers. However, this covers a very limited subset of the Canadian economy. The vast majority of employers are regulated by provincial legislation.

Data Protection Officers

“Not mandatory for all controllers. Conditions are established by the regulation, such as the volume and type of data processed, the use of new technologies and the risks to data subjects. The size of the data controller is not a condition.
Not mandatory to be a natural person or an employee of the controller; it can be a legal entity. It can be outsourced, and is not mandatory to be located in the European Union.”
Obligation to designate an individual who is accountable for compliance with PIPEDA and to disclose such individual’s identity. “Mandatory for all controllers, regardless of the size, type and volume of the data processed and the risks to data subjects (provision can be adjusted by the DPA).
Mandatory to be a natural person. Not mandatory to be an employee of the controller; it can be outsourced. Not mandatory to be located in Brazil.”

Fines

Up to 4 percent of global revenue of the economic group, up to 20 million euros.

Data Protection Impact Assessment

There is a specific chapter and duty to carry out a DPIA in the case that data processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. There is no specific chapter or duty to carry out a DPIA. However, a DPIA may be mandatory in situations already characterized as risky or, at the request of the authority, where the processing of data is based on legitimate interest.

Publicly Available Information

The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available. There is no specific exception to applicability that relates to publicly available information.

US State Privacy Laws

Columns: US state privacy laws/bills; Similarities to CCPA; Divergences from CCPA

Massachusetts Data Privacy Law (S-120)

“1. Consumer Access to collection and sharing of personal information.
2. Right to Delete
3. Explicit notification of privacy rights and a chance to opt out of third party sales.
4. A broad definition of personal information
5. Exclusions of data covered by other laws.”
“1. Right for consumers to sue for any violation of the proposed Massachusetts law. The consumer need not suffer a loss of money or property as a result of the violation to bring an action in the form of a lawsuit.
2. Plaintiffs can recover up to $750 per consumer for the violation of the proposed law.
3. There is no 30 day cure provision for enforcement by the Massachusetts Attorney General.
4. It applies to all for-profit businesses that collect personal information and does not contain a threshold regarding the number of consumers.
5. Excludes employee data specifically. CCPA is ambiguous or silent on that aspect.”

New York Privacy Act (S 5642)

“1. Right to delete and request personal information
2. The definition of personal information is a very extensive list”
“1. Private right of action for any violation of the law AND the law applies to ALL businesses without the revenue threshold.
2. Only requires businesses to disclose broad category of information shared with third parties and ONLY under some circumstances the consumers would have the right to request copies of specific information.
3. Ability to correct inaccurate information (similar to GDPR)
4. The covered entities will provide consumers notice of their rights and provide consumers with the opportunity to opt-in and opt-out using a method that the consumer must clearly select and indicate their consent or denial.
5. Includes the concept of ‘data fiduciary’, which means that all NY businesses will be legally responsible for the consumer data they hold. The duty of care, loyalty and confidentiality expected with respect to securing the personal data of a consumer against a privacy risk is the same as what is expected of a fiduciary.”

Washington Privacy Act (S 6281)

“1. Exclusions of data covered by other laws.
2. Right to Access, to deletion and right to opt-out”
“1. Exclusively preempts local laws, ordinances, regulations or equivalent regarding the processing of personal data by controllers or processors. This in turn prevents any city in Washington from passing facial recognition technology permissions at the municipal level.
2. Includes right to correction.
3. Includes right to data portability.
4. The WaPA requires controllers to establish an internal process for consumers to appeal a refused request.
5. Includes purpose specification, data minimization and processing limitation that are similar to the provisions of GDPR.
6. Incorporates the concept of processing assessments for each processing activity that involves personal data and an additional assessment anytime there is a material increase in risk to the consumers.
7. Applies to businesses that process the personal data of 100,000 or more consumers, and eliminates the annual revenue requirement.
8. Does not include a private right of action in any capacity.”

Prepared by Christopher L. Rasmussen, Esq., Managing Partner – Commercial, Trademark, and Privacy Practice Group, Inventus Law, PC., 3260 Hillview Avenue, Palo Alto, CA 94304, chris@inventuslaw.com, 1.408.482.3216 and Abhilipsa Panda, Intern, Inventus Law, PC., 3260 Hillview Avenue, Palo Alto, CA 94304, abhilipsa@inventuslaw.com. If you have any questions about this spreadsheet, privacy, or Privacy Policies, please contact Mr. Rasmussen on 1.408.482.3216 or chris@inventuslaw.com or Ms. Panda on 650-843-0988 or abhilipsa@inventuslaw.com.

2020 Inventus Law. All rights reserved.