developing privacy and security issues in the global south
TRANSCRIPT
Laura Juanes Micas, Global Director, Privacy Policy Engagement, Facebook
Developing Privacy and Security Issues in the Global South
Privacy & Security Forum, Fall Academy
Global Context
Sectoral / Comprehensive Privacy Laws in Place
(Map legend: Sectoral; Comprehensive; Sectoral / Comprehensive / State)
Developing Privacy and Security Issues in the Rest of the World
Sectoral / Comprehensive Privacy Projects
LatAm: Bolivia, El Salvador, Guatemala, Honduras, Ecuador, Chile, Paraguay
MEA: Jordan, Oman, Mauritania, Namibia, Niger, Nigeria, Rwanda, Saudi Arabia, South Sudan, Tanzania, UAE, Zambia, Zimbabwe
APAC: Australia, Bangladesh, China, Hong Kong, India, Indonesia, Malaysia, Pakistan, Philippines, Singapore, Taiwan, Vietnam
US: Sectoral / Comprehensive / State
When we say privacy…
Latin America
Comprehensive Laws
Enacted:
• Argentina
• Aruba
• Brazil
• Bahamas
• Barbados
• Bermuda
• Cayman Islands
• Colombia
• Costa Rica
• Curaçao
• Dominican Republic
• Jamaica
• Mexico
• Nicaragua
• Panamá
• Peru
• Saint Kitts & Nevis
• Saint Martin
• Trinidad & Tobago
• St. Lucia
• Uruguay
Work in progress:
• Bolivia
• Chile
• Ecuador
• El Salvador
• Guatemala
• Honduras
• Paraguay
2nd generation:
• Uruguay
Trends
Generally speaking…
• EU inspired norms, adapted to Latin American needs
• With registration obligations
• Consent based
• Focus on individual rights (access, rectification, correction, opposition…)
• Adequacy based
• Criminal liability
• Scattered precedent and case law
• Habeas Data origin
Highlights
Closest alignment to GDPR: Uruguay, Brazil, Barbados
Most sui-generis: Mexico
Legitimate interest as a legal basis: Brazil, Caribbean
Other available basis: contractual necessity, legal requirements
Mandatory DPO requirement: Bermuda, Brazil, Colombia, Mexico, Uruguay
Registration obligations: Colombia, Barbados, Argentina
Data breach notifications: Mandatory in Colombia, Brazil
Exercise of individual rights: Deadlines of between 10 and 20 days to respond
Data portability rights: Barbados, Brazil, Panama
Unique transfer mechanisms: Colombia, Mexico
Adequate countries: Argentina & Uruguay
Towards regional harmonization?
• Drafting led by the Mexican DPA
• GDPR-inspired
• Not binding – yet very influential
http://www.redipd.es/documentacion/common/Estandares_eng_Con_logo_RIPD.pdf
Country Profiles
Brazil
- LGPD (or Law n. 13,709/2018) is the first comprehensive privacy law in Brazil, encompassing online and offline processing, as well as private and public sectors
- History goes back to 2010, when the Ministry of Justice released a draft bill, strongly influenced by the then EU Directive n. 95/46/EC. The bill was signed in 2018 by President Temer
- Entered into effect on August 16th
- The DPA (Autoridade Nacional de Proteção de Dados Pessoais - ANPD) has been established as an organization initially subjected to the Presidency but that can be transformed into an independent authority in the future.
- Directors have been appointed, including 3 members of the military, 1 civil servant and 1 lawyer.
- Other authorities have shown interest in enforcing data protection – including the Public Prosecutor’s Office and consumer protection bodies (at state and federal level)
- The bill is largely inspired by GDPR (although with less specificity):
  - Ample legal bases (beyond GDPR)
  - DPO required (only for data controllers, regardless of level of risk)
  - Need further clarity on DPIAs
  - Mandatory data breach notification
  - Adequacy-based for data transfers (but no guidance)
  - Extraterritorial application
  - Penalties up to two percent (2%) of revenue, limited to R$ 50 million per infringement
Argentina
- Body of law: Section 43 of the Argentine National Constitution, regulated in Law 25,326 (PDPL), the Regulatory Decree 1558/2001 (DP Decree) and provisions issued by the DPA.
- Supervision and enforcement under AAIP (Independent Transparency & Data Protection Agency)
- Database registration is required
- EU adequate (with Uruguay)
- There is no specific requirement to appoint a DPO
- Cross-border transfer of personal data is prohibited to countries or international or supranational organizations which do not provide adequate protection to such data
- Personal data may only be transferred for legitimate purposes of the transferor and the transferee, and generally with the prior consent of the data subject, who must be informed of the transfer’s purpose and of the transferee’s identity
- Data breach notification is not specifically required
- The Argentine President submitted to the National Congress Bill No. MEN-2018-147-APN-PTE, aiming to replace in its entirety the Personal Data Protection Law No. 25,326
Mexico
- Body of law: Constitution + Comprehensive Law ‘LFPDPPP’ (2010) + Developing Regulation (2012) + State Laws
- Supervision and enforcement under INAI (Independent Transparency & Data Protection Agency) + State Agencies
- Only LatAm country adhered to CBPRs (but no agent)
- Strict formalities around privacy notices (long / short forms)
- Implicit consent as default
- Explicit incentives for binding self-regulation
- Intra-group data transfers are authorized
- Recent guidance issued on Biometrics
- Fines up to 3m USD + criminal liability
Colombia
- Body of law: Constitution + Law 1581 of 2012
- Supervision and enforcement under SIC, a technical supervisory body also charged with Competition, IP registration and Consumers
- Strict controller obligations, with only consent as a basis to process (with legal exceptions).
- Active DPA with relatively large fining power (in excess of USD$500.000).
- Published Accountability Guidelines in 2015 as a consequence of Colombia’s OECD accession process.
- Stringent DB registration and data breach notification obligations
- Published a Data Transfer adequacy “white list” in 2018, with intense debate over the decision to include the US as adequate.
Asia Pacific
Comprehensive Laws
Enacted:
• Australia
• Hong Kong
• Japan
• Korea
• Macao
• Malaysia
• New Zealand
• Philippines
• Singapore
• Taiwan
• Thailand
Work in progress:
• Australia
• Bangladesh
• China
• Hong Kong
• India
• Indonesia
• Malaysia
• Pakistan
• Philippines
• Singapore
• Taiwan
• Vietnam
2nd Generation:
• Australia
• Japan
• New Zealand
• South Korea
Trends
Generally speaking…
• Largely different origins & motivations
• Different degrees of maturity
• Reliance on notice
• Focus on breaches and security
• Increasing data transfer limitations
• Active enforcement
• Wide variety and disparity of rules
• Personal liability
• Overall strengthening of regimes
Highlights
Closest alignment to GDPR: Macao
Most sui-generis: South Korea
Piecemeal approach: China, Indonesia
Registration obligations: Macao, Malaysia, and the Philippines
Recently amended laws: Japan, South Korea, New Zealand
Strong security enforcement: Japan, South Korea, Australia, Philippines
Enforcement for other violations: Hong Kong, China, Singapore
Breach notification: Australia, South Korea, New Zealand, Philippines, Singapore (upcoming), Taiwan, Hong Kong (recommended), Japan (not yet in effect)
DPA Changes: Thailand (TBD), South Korea (KCC), Taiwan (PDPO)
Extraterritoriality: New Zealand, Australia, Philippines, Thailand, Indonesia (upcoming)
Adequate countries: New Zealand & Japan (first country post Schrems I)
Towards regional harmonization?
The APEC Cross-Border Privacy Rules (CBPR) System is a government-backed data privacy certification that companies can join to demonstrate compliance with internationally-recognized data privacy protections. The CBPR System implements the APEC Privacy Framework endorsed by APEC Leaders in 2005 and updated in 2015.
There are currently nine participating APEC CBPR system economies: USA, Mexico, Japan, Canada, Singapore, the Republic of Korea, Australia, Chinese Taipei, and the Philippines.
Country Profiles
India
- The 2011 IT (Amendment) Act Regulations of 2011 prescribe how personal information may be collected. Consent is required only for sensitive information, very broadly defined (different from EU SCDs)
- In 2017, the Supreme Court ruled that citizens have a fundamental right to privacy under the Constitution, in response to the government’s biometric database (Aadhaar) and the potential security and misuse risks.
- A comprehensive privacy bill was first released for public comment in 2018 with substantial implications such as data localization (softened in the 2019 version, but still onerous):
  - “Critical personal data” (CPD) would only be allowed to be processed in India; it could only be transferred out of India for emergency processing or pursuant to an adequacy decision
  - “Sensitive personal data” (SPD) must be stored in India, although it may be transferred outside of India for processing under specific conditions
  - The Central Government could, in consultation with the DPA, direct companies to provide any anonymized or non-personal data to enable better targeting of services or formulation of evidence-based policies by the Central Government.
- Other stringent requirements are a mandatory annual audit by an external auditor and parental consent for all processing of under 18s
South Korea
- Body of Law: 2012 Personal Information Protection Act (Act No. 10465) – PIPA
- Amended in January 2020 to bring several existing data protection provisions under one legislative roof and create a single Data Protection Authority
- Starting in August, PIPC became the sole agency to enforce PIPA
- Extensive consent obligations are required, including separate consents for each stage of handling personal data, including cross-border transfers
- Data breach notices to affected individuals and government authorities are required for leaks involving 10,000 or more individuals
- Extensive technical, administrative and physical security measures
- Privacy officers personally liable
- The Amended PIPA has two categories of data controllers: online service providers (OSPs) and non-online service providers
- Amendment broadens the definition of sensitive information to include physical/physiological/behavioral information created to identify the individual by using a technology, and any information on race or ethnicity which may be used to unfairly discriminate
Australia
- Body of Law: 1988 Privacy Act, amended in 2012
- Notifiable Data Breaches scheme introduced in 2018
- Supervision and enforcement under the OAIC
- Extraterritorial application: the Australian Privacy Principles (APPs) apply to overseas processing by organizations with an “Australian link”
- Maximum civil penalty for individuals and organisations of AUD420,000 and AUD2.1 million
- Adequacy based for data transfers (consent, contract or law of similar protection)
- Mandatory breach notification
  - If a breach is likely to result in “serious harm” (which can include psychological, emotional, physical, reputational or other harm): an assessment must be conducted within 30 days if a breach is suspected, and the notification must be made as soon as practical
New Zealand
- Body of Law: on December 1st 2020 the Privacy Act 2020 will repeal and replace the Privacy Act of 1993.
- Supervision and enforcement under the Office of the Privacy Commissioner
- EU adequate country (with Japan)
- Explicit extraterritorial application: clarifies application to foreign entities that carry on business in New Zealand.
- Civil penalties still low: NZ$10,000 (US$2,400).
- Adequacy based for data transfers (consent, contract, law of similar protection or treaty)
- Mandatory breach notification
  - If a breach results or is likely to result in “serious harm”
  - Notification must be made as soon as practical
Africa & Middle East
Comprehensive Laws
Enacted:
• Algeria
• Angola
• Bahrain
• Benin
• Botswana
• Burkina Faso
• Cape Verde
• Chad
• Cote d’Ivoire
• Egypt
• Equatorial Guinea
• Gabon
• Ghana
• Israel
• Kenya
• Lebanon
• Lesotho
• Madagascar
• Mali
• Mauritius
• Morocco
• Niger
• Qatar
• Senegal
• Seychelles
• South Africa
• Tunisia
• Togo
• Turkey
• Uganda
Work in Progress:
• Jordan
• Oman
• Bahrain
• Mauritania
• Namibia
• Niger
• Nigeria
• Rwanda
• Saudi Arabia
• Tanzania
• UAE
• Zambia
• Zimbabwe
Trends
Generally speaking…
• Increasing EU influence post GDPR
• No uniformity in compliance requirements
• Standardizing attempt by the African Union
• African Network of Personal Data Protection Authorities (RAPDP)
• Youthful population with heightened privacy awareness
• Proliferation of sectoral legislation
• Criminal liability
• With registration obligations
Highlights
Closest alignment to GDPR: Francophone Africa, GCC (Gulf Cooperation Council)
Most active DPAs: Israel, Mauritius, Morocco (all ICDPPC hosts)
DPAs with increasing activity: Ghana, Tunisia, Turkey, Senegal
Recently established DPAs: South Africa
Registration obligations: Algeria, Benin, Egypt, Ghana, Kenya, Uganda, Senegal
Criminal sanctions: Algeria, Egypt, Ghana, Kenya, Senegal, Uganda, South Africa
Most recent laws: Abu Dhabi Global Market, Bahrain, DIFC Dubai, Algeria, Benin, Botswana, Egypt, Kenya (no regulator yet), South Africa, Uganda
Data breach notifications: Angola, Benin, Cape Verde, Cote d’Ivoire, Gabon, Kenya, Madagascar, Mali, Mauritius, Morocco, Senegal, Seychelles, South Africa, Uganda, Tunisia
Data transfer restrictions: all of the above + Ghana
Adequate countries: Israel