As businesses prepare for the Brazil General Law for Data Protection, or LGPD, one key provision is still up in the air: the date the law takes effect.  Under the original law, the LGPD was scheduled to take effect next Sunday, August 16.  For the past several months, however, that date has been a moving target.
Continue Reading An Uncertain Date: Preparing for the LGPD to Take Effect

On July 24, 2019, the European Commission (“the Commission”) published a report appraising Europe’s progress in implementing the General Data Protection Regulation (“GDPR”) as a central component of its revamped data protection framework.  In its report, the Commission highlights certain achievements resulting from implementation efforts, calls attention to issues that require further action, and describes several ongoing and planned initiatives.  The report is a follow-up to a prior report issued in January 2018, and was informed to a great extent by the ongoing work of the Multi-stakeholder Group, which is comprised of civil society and business representatives, academics and practitioners, to support the application of the GDPR.  The report will contribute to the Commission’s formal 2-year review of the GDPR to take place in May 2020.

Continue Reading European Commission Issues Report on the Implementation of the GDPR

Key Provisions in India’s Draft Personal Data Bill

This post is a follow-up to our earlier post on the release of India’s draft personal data protection bill. In this post, we go into greater detail about the bill’s provisions and flag issues for companies worldwide that may process data in India or provide goods or services in India.

High Level Insights

The General Data Protection Regulation (GDPR) as a Model: For the most part, the Committee’s recommendations use GDPR as a model. The draft bill grants individual rights, institutes heightened consent requirements, mandates organizational practices such as DPIAs, and imposes stiff penalties for non-compliance. However, the draft bill coins new terminology, referring to GDPR’s “data subjects” as “data principals” and GDPR’s “data controllers” as “data fiduciaries.”

Data Localization: The Committee includes a data localization provision that requires copies of Indian personal data be stored in India. Likewise, it erects barriers that make it more difficult to transfer personal data out of India.

The Central Role of the Data Protection Authority (DPA): As in GDPR, the draft bill would introduce a DPA with the power to interpret regulations, investigate businesses, and issue fines, injunctions, and even criminal penalties. But unlike GDPR, the Committee’s proposal empowers the DPA to engage in rulemaking. For example, the DPA could identify new categories of sensitive data, specify new lawful bases for processing, and decide whether a particular business needs to hire a DPO, perform a DPIA, or undergo a data audit. As such, the DPA’s leadership and structure may have a substantial impact on the scope of India’s data protection regime.

Continue Reading Key Provisions in India’s Draft Personal Data Bill

On August 14, Brazilian President Michel Temer signed into law the new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (English translation), making Brazil the latest country to implement comprehensive data privacy regulation.

The law’s key provisions closely mirror the European Union’s General Data Privacy Regulation (“GDPR”), including significant extraterritorial application and vast fines of up to two percent of the company’s previous year global revenue (the GDPR allows for up to four percent in certain aggravated circumstances).

Continue Reading Brazil’s New General Data Privacy Law Follows GDPR Provisions

Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive).  The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or 4% of global turnover (whichever is greater).

We summarise the UK Government’s plans below, including which organisations may be in scope — for example, in the energy, transport and other sectors, as well as online marketplaces, online search engines, and cloud computing service providers — and the proposed security and incident reporting obligations.

Organisations that are interested in responding to the consultation have until September 30, 2017 to do so.  The UK Government will issue a formal response within 10 weeks of this closing date, and publish further security guidance later this year and next.  A further consultation on incident reporting for digital service providers will be run later this year; the Government invites organisations that are interested in taking part to provide appropriate contact details.
Continue Reading UK Government Proposes Cybersecurity Law with Serious Fines

On August 18, 2017, the Central Bank of Kenya (“CBK”) used its authority under Section 33(4) of the Banking Act to publish a Guidance Note on identifying and mitigating cyber risk.  The Guidance Note directs institutions licensed under the Banking Act (Cap. 488) (“Institutions”) to develop and implement a comprehensive set of program requirements to mitigate cybersecurity risk.

According to a 2016 report by Serianu, a Kenya-based IT services and business consulting firm, Kenya lost approximately $175 million to cybercrime in 2016.  The report identifies the introduction of e-services in both the private and public sector as a major factor behind the dramatic increase in new cyber weaknesses.  Other experts say the interconnectivity of the Kenyan economy and the automation of banking services have further exposed Kenya’s financial sector to risk.  In issuing the Guidance Note, the CBK also recognized the “interconnectedness” of financial Institutions and the need for a coordinated approach and information sharing to maintain “public trust and confidence in the financial system.”

As a result, CBK’s Guidance Note establishes minimum requirements that Institutions should adopt in order to develop effective cybersecurity policies and procedures, but recognizes that it is “not a replacement for and does not supersede the legislation, regulations and guidelines that institutions must comply with as part of their regulatory obligations.”  Among other things, the Guidance Note provides regulatory guidance for the following key areas:
Continue Reading Central Bank of Kenya Issues Guidance Note on Cybersecurity

The EU Network and Information Security (NIS) Directive now looks likely to enter into force in August of this year.  Member States will then have 21 months to implement it into national law before the new security and incident notification obligations will start to apply to the following entities:

  • designated* “operators of essential services” within the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors; and
  • certain “digital service providers” that offer services within the EU, namely online market places, online search engines and cloud computing services, excluding small/micro enterprises.

* Once implemented in national law, Member States will have a further 6 months to apply criteria laid down in the Directive to identify specific operators of essential services covered by national rules; they do not need to undertake this exercise in relation to digital service providers, which shall be deemed to be under the jurisdiction of the Member State in which it has its “main establishment” (i.e., its head office in the Union).
Continue Reading EU Cyber Security Directive To Enter Into Force In August

On December 7, 2015, the European institutions reached an informal agreement on the EU Network and Information Security (NIS) Directive — dubbed the Cybersecurity Directive (see press release from the Council).  Among other things, the NIS Directive imposes security and incident reporting obligations on operators of essential services in critical sectors and on some digital service providers.

As we reported in the summer, the scope of the NIS Directive has been controversial since the Commission published its original proposal back in February 2013.  Several stakeholders, including some Member States, have expressed reservations about subjecting online companies to the same obligations as operators of essential services in the energy, transport and other critical sectors.  Following many months of negotiations, a compromise has now been reached by introducing a lighter-touch regime for certain digital service providers that fall within the scope of the Directive.
Continue Reading European Institutions Reach Agreement on EU Cybersecurity Rules

By Eric Carlson and Scott Livingston

On Friday, August 8, 2014, a Chinese court convicted British fraud investigator Peter Humphrey and his wife, Yu Yingzeng, a naturalized US citizen, of illegally obtaining personal information.  Mr. Humphrey was sentenced to two and a half years in prison and fined RMB 200,000 (about US $32,000); Ms. Yu was sentenced to two years in prison and fined RMB 150,000 (US $24,000).  For more information on the original arrests and Mr. Humphrey’s subsequent confession on state-owned TV, please see our earlier blog post here

The husband and wife team ran a China-based consulting firm, ChinaWhys Co., that specialized in providing risk advisory services to multinational companies doing business in China.  Under China’s Criminal Law, companies and individuals are subject to criminal penalties for illegally selling or obtaining the personal information of others where such violation is “serious.”  Prosecutors alleged that the couple violated the law’s prohibition on illegal obtainment by collecting 256 personal information records, including hukou (city residential permit) information, family information, and travel and phone records.  According to prosecutors, ChinaWhys purchased this information for RMB 800 to RMB 2000 (about US $130 to $325) per record and used it in background investigation reports prepared for ChinaWhys’ clients.

Continue Reading Fraud Investigators Imprisoned for Illegally Collecting Personal Data in China