July 2017
This newsletter is intended to provide general information and may not be reproduced or transmitted in any form or by any means without the prior written approval of Drew & Napier LLC. It is not intended to be a comprehensive study of the subjects covered, nor is it intended to provide legal advice. Specific advice should be sought about your specific circumstances. Drew & Napier has made all reasonable efforts to ensure the information is accurate as of 3 July 2017.
WELCOME MESSAGE
The Drew & Napier Telecommunications, Media
and Technology Practice Group is pleased to
present the latest issue of our Data Protection
Quarterly Update. In this Quarterly Update, we will
provide a snapshot of important data protection
law developments in Singapore as well as in
jurisdictions around the world.
At the outset, we will study the reasons behind the
six most recent enforcement decisions issued by
the Personal Data Protection Commission (PDPC),
the statutory authority that administers and enforces
the Personal Data Protection Act 2012 (No. 26 of
2012) (PDPA), in which the PDPC took action
against several entities for breaching their
obligations under the PDPA. Thereafter, in light of
how courts, governments, and regulators around
the world continue to deal with rapid technological
advancements and their implications for personal
data, we will proceed to analyse the emergence of
new regulatory instruments and frameworks in
several jurisdictions, including Australia and the
Philippines. These developments are undeniably
helpful in providing guidance for regulators and
businesses in managing their data protection
obligations.
We hope that this new publication will be useful for
you, as you navigate the increasingly complex
regulatory landscape in data protection law. We
welcome your feedback and questions on any of
the data protection news and articles featured in
this Quarterly Update, as well as any suggestions
that you may have on topics to be covered in
future publications.
For more details on the Drew & Napier
Telecommunications, Media and Technology
Practice Group, please visit:
http://www.drewnapier.com/Our-Expertise/Telecommunications,-Media-Technology.
In this issue
Welcome Message 1
In The News:
– Singapore 1
– Malaysia 10
– Philippines 11
– China 12
– Australia 13
– New Zealand 13
– Russia 15
– European Union 16
– United Kingdom 19
– United States 23

IN THE NEWS

SINGAPORE

The PDPC issues Enforcement Decisions
Between April and June 2017, the PDPC issued
enforcement decisions against six organisations
for breaching their data protection obligations
under the PDPA. These organisations are as
follows:
(a) Tech Mahindra (Singapore) Pte Ltd (Tech
Mahindra) (the decision was issued on 6 April
2017);
(b) National University of Singapore (NUS) (the
decision was issued on 26 April 2017);
(c) Asia-Pacific Star Private Limited (APS) (the
decision was issued on 31 May 2017);
(d) Furnituremart.sg (Furnituremart) (the
decision was issued on 31 May 2017);
(e) Hazel Florist & Gifts Pte Ltd (Hazel Florist)
(the decision was issued on 20 June 2017);
and
(f) DataPost Pte Ltd (DataPost) (the decision
was issued on 20 June 2017).
On 12 June 2017, the PDPC also issued a
consolidated no-breach decision in respect of
complaints made against certain Management
Corporation Strata Title and managing agents of
condominiums (collectively, Property Managers)
for alleged breaches of the Property Managers’
data protection obligations under the PDPA.
Tech Mahindra
Background
On 29 February 2016, Singapore
Telecommunications Limited (Singtel) was
notified that certain personal particulars of their
customers that were displayed in their online user
account interface, as accessed through the Singtel
mobile application and web portals, were replaced
with the personal particulars of an individual
Singtel customer (Customer).
Singtel’s internal investigations disclosed that
Tech Mahindra, the Information Technology (IT)
vendor for its single log-in service (ONEPASS),
had omitted a clause in the database script
(Clause) that limited the update to a particular
customer’s record. Without it, the update was
applied across user accounts generally, which
resulted in the disclosure of the Customer’s
personal particulars to Singtel’s customers at
large, including sensitive details such as his NRIC
number.
The PDPC’s Decision
Upon the conclusion of the PDPC’s investigations,
Tech Mahindra was found to have breached its
obligation under section 24 of the PDPA, as it had
failed to implement reasonable security measures
to protect the personal data in its possession or
under its control, for the reasons as follows.
(a) Failure to adhere to Singtel’s express
instructions
In an email dated 2 April 2015, Singtel had
specifically instructed Tech Mahindra to update
the Customer’s profile on the ONEPASS
database and, in particular, had informed Tech
Mahindra that the Clause was to be a primary key
and could not be omitted. Notwithstanding Singtel’s
instructions, Tech Mahindra omitted the
Clause in its update to the database script,
resulting in the disclosure of the Customer’s
personal data.
(b) Failure to observe standard operating
procedures relating to sandbox development
testing
Singtel and Tech Mahindra had a standard
operating procedure (SOP) under which changes to
the database script would first be tested in a
sandbox environment before being executed in the
actual production environment. This would ensure
that any bugs or errors were detected early in a
test-bedding environment, and avoid any
significant impact on Singtel’s operations.
However, Tech Mahindra failed to adhere to the
stipulated SOP and directly executed the
database script ‘live’.
(c) Failure to comply with internal SOPs relating
to the review and verification of database
updates
In addition, Tech Mahindra failed to comply with its
internal policies pertaining to any modification or
update of the database script. Prior to the
execution of any update, Tech Mahindra had an
internal policy that the update would be reviewed
by a more senior member of the support team.
The employee was also expected to verify that the
update was correct post-execution of the database
script. However, these internal SOPs and policies
were not complied with.
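The three failures listed above are all controls around a single database statement: a review before execution, a sandbox run, and a post-execution check. The script below is an added example, not code from the newsletter, from Singtel or from Tech Mahindra. It models the incident with an in-memory SQLite table and shows (i) what an update script does once its row-limiting clause is dropped, (ii) a coarse pre-execution review that rejects an UPDATE or DELETE with no WHERE clause, and (iii) a guarded update that runs inside a transaction, compares the number of affected rows with the number expected, and rolls back on any mismatch. The table layout (`account` with `user_id`, `name`, `nric`), the sample rows, and the assumption that the omitted Clause behaved like a SQL WHERE clause are all assumptions made for illustration.

```python
# Added example, not code from the newsletter or from Singtel/Tech Mahindra.
# Table layout, column names, sample rows and the "one row expected" rule
# are assumptions for illustration only.
import re
import sqlite3

# Constructed sample data standing in for a single-sign-on account table.
SAMPLE_ACCOUNTS = [
    (1, "Customer A", "S0000001A"),
    (2, "Customer B", "S0000002B"),
    (3, "Customer C", "S0000003C"),
]

# Assumed scripts: the unsafe one is the safe one with its WHERE clause dropped,
# which is how this example models the omitted Clause.
SAFE_SQL = "UPDATE account SET name = ?, nric = ? WHERE user_id = ?"
UNSAFE_SQL = "UPDATE account SET name = ?, nric = ?"


def build_sandbox():
    """Create an in-memory 'sandbox' database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account (user_id INTEGER PRIMARY KEY, name TEXT, nric TEXT)"
    )
    conn.executemany("INSERT INTO account VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def has_row_filter(sql):
    """Pre-execution review check: an UPDATE or DELETE must carry a WHERE clause.

    This is a coarse lint, not a SQL parser; it catches only the blunt omission.
    Statements other than UPDATE/DELETE pass through unchanged.
    """
    parts = sql.split()
    if not parts:
        return False
    if parts[0].upper() not in ("UPDATE", "DELETE"):
        return True
    return re.search(r"\bWHERE\b", sql, re.IGNORECASE) is not None


def update_unguarded(conn, sql, params):
    """The failure mode: run the script 'live' and commit whatever it touched."""
    cur = conn.execute(sql, params)
    conn.commit()
    return cur.rowcount


def update_guarded(conn, sql, params, expected_rows=1):
    """Run inside a transaction; keep the change only if the post-execution
    verification passes (rows affected == expected_rows), else roll back.

    Returns (rows_affected, committed).
    """
    try:
        cur = conn.execute(sql, params)  # sqlite3 opens a transaction implicitly
        if cur.rowcount != expected_rows:
            conn.rollback()
            return cur.rowcount, False
        conn.commit()
        return cur.rowcount, True
    except sqlite3.Error:
        conn.rollback()
        raise


def distinct_nrics(conn):
    """Number of distinct NRIC values held; 1 means every row was overwritten."""
    return conn.execute("SELECT COUNT(DISTINCT nric) FROM account").fetchone()[0]


if __name__ == "__main__":
    live = build_sandbox()
    changed = update_unguarded(live, UNSAFE_SQL, ("Customer B", "S9999999Z"))
    print("unguarded, no WHERE:", changed, "rows changed; distinct NRICs:", distinct_nrics(live))

    sandbox = build_sandbox()
    print("review check, no WHERE:", has_row_filter(UNSAFE_SQL))
    print("guarded, no WHERE:", update_guarded(sandbox, UNSAFE_SQL, ("Customer B", "S9999999Z")))
    print("guarded, with WHERE:", update_guarded(sandbox, SAFE_SQL, ("Customer B", "S9999999Z", 2)))
    print("distinct NRICs after guarded run:", distinct_nrics(sandbox))
```

The review lint is deliberately weak: a clause such as `WHERE 1 = 1` passes it, so it replaces neither the senior review nor the sandbox run. The check that actually stops the incident is the affected-row count compared against what the script was meant to touch, which is the post-execution verification the internal policy called for, applied before the transaction is committed rather than after.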
The PDPC’s Actions
In assessing the breach and the directions to be
imposed on Tech Mahindra, the PDPC took the
following factors into consideration:
(a) The personal data disclosed in the data
breach incident, particularly the Customer’s
NRIC number, is of a sensitive nature.
(b) There was also an unauthorised modification
of the personal data of 2.78 million ONEPASS
users.
(c) The data breach incident could have been
avoided if Tech Mahindra had followed Singtel
and Tech Mahindra’s SOPs.
(d) Of the 2.78 million ONEPASS users whose
accounts had been modified, only 2,518 users
had viewed the Customer’s NRIC number, as
access to the Singtel applications and portals
was promptly disabled.
(e) Tech Mahindra and Singtel had jointly notified
the PDPC of the data breach incident, and
were cooperative in the course of the
investigation.
(f) Singtel and Tech Mahindra took prompt
remedial and preventive actions.
Based on the above factors, the PDPC imposed a
S$10,000 fine on Tech Mahindra, which is to be
paid within 30 days from the date of the PDPC’s
direction.
NUS
Background
The PDPC had received a complaint from a
student of NUS that a URL link that was being
circulated for the NUS orientation camp had
disclosed, without the relevant parties’ consent or
authorisation, the personal data of approximately
143 student volunteers from a residential college
of NUS. The URL link provided access to an
online Excel spreadsheet (Spreadsheet), which
contained personal data of the student volunteers,
including their full names, mobile numbers,
matriculation numbers (i.e., NUS-issued student
identification numbers), shirt sizes, dietary
preferences, dates of birth, dormitory room
numbers, and email addresses.
While access to the Spreadsheet was limited to
the student leaders of the orientation camp, the
access permissions were subsequently changed
to an open access setting, such that any user who
had the URL link could access the personal data
of the student volunteers contained within the
Spreadsheet. Consequently, the student
volunteers’ personal data was accessible by any
member of the public.
The PDPC’s Decision
Upon the conclusion of its investigations, the
PDPC found that NUS had breached its obligation
under section 24 of the PDPA as it had failed to
implement reasonable security measures to
protect the personal data in its possession or
under its control.
Lack of training provided to student leaders
The PDPC found that NUS did not have any
formalised data protection training in place to train
and equip its students with the required mind-set,
knowledge, skills and tools to protect personal
data. After a survey of statements issued by its
foreign counterparts, the PDPC noted that data
protection training was generally regarded to be a
type of administrative or organisational security
measure that had a direct impact on the proper
implementation of the organisation’s data
protection policies and practices.
In the present case, the PDPC found that NUS
ought to have conducted training sessions for the
elected student organisers. Given that the
freshman orientation camp was conducted on a
yearly basis, it was reasonably foreseeable that
the organisers of the camp, and such other
student leaders, would be handling the personal
data of students, including the incoming batch of
students and student volunteers, in the course of
organising and conducting the freshman
orientation camp. NUS also had ample
opportunities to plan and conduct the training
sessions, which may be tailored to cater for the
possible data handling scenarios that the student
leaders would face.
However, on the facts, the PDPC found that NUS
had not provided any effective data protection
training to the student organisers of the orientation
camp. While classroom training had been
conducted previously, there was only one session
for a select group of students, and it was
subsequently discontinued. Separately, even
though an e-training programme was made
available through the online student portal called
Integrated Virtual Learning Environment, this was
found to be similarly ineffective, as the e-training
programme was not provided on a compulsory
basis to the student organisers and, as a matter of
fact, none of the student leaders had subscribed to
the e-training programme prior to the said
orientation camp.
In its representations, NUS cited its
organisation-wide data protection policies and
guidelines as a form of adequate protection for the
personal data in its possession and under its
control. These guidelines had provided general
data protection guidance for student activity
planners, and reminded them of their data
protection duties when collecting personal data in
the process of conducting student activities.
However, these were found to be inadequate as a
security arrangement. The PDPC reasoned that
even if the student leaders were apprised of these
policies and guidelines, the guidelines were
couched on a high-level basis such that the
guidance therein did not naturally translate into
actionable practices for student organisers to
implement on the ground. The PDPC noted that
proper guidance is not easily substitutable or
replaceable by general guidelines that an
organisation may set.
The PDPC’s Actions
In assessing the breach and the directions to be
imposed on NUS, the PDPC took into account the
following factors:
(a) A significant number of individuals
(approximately 143 students) were affected
by the data breach incident.
(b) The potential adverse consequences from a
misuse of the student matriculation number by
other persons. However, it was noted that the
student matriculation number is only used for
the duration of the student’s undergraduate or
postgraduate course and not for an extended
period of time.
(c) NUS was cooperative with the PDPC and
forthcoming in its responses during the
PDPC’s investigation.
The PDPC also considered and acceded to the
representation made by NUS in respect of the
PDPC’s preliminary directions, as the
representations did not detract from the key
principles, functions and purposes of the PDPC’s
grounds of decision and directions. The PDPC’s
final directions to NUS were that:
(a) NUS was to, within 120 days from the date
of the PDPC’s directions:
(i) Design training that would address
personal data protection in the context of
the collection and processing of personal
data for student events and of the
resulting interaction.
(ii) Make arrangements for such training to
be mandatory for any student leader.
(iii) Make other arrangements as would be
reasonably required to meet the
objectives set out in (i) and (ii) above.
(b) NUS shall submit to the PDPC a written
update on the arrangements for the training
provided, no later than 14 days after the
above actions have been carried out.
APS
Background
On 27 July 2016, the PDPC received a complaint
that the passenger name list for a Tiger Airways
Singapore Pte Ltd (Tigerair) flight (Flight
Manifest) had been improperly disposed of in a
rubbish bin in the gate hold room at Changi
Airport. The Flight Manifest contained
passengers’ personal data, such as the
passenger’s name and booking reference number,
amongst other personal data. The disclosed
personal data could also be used as login
credentials to access the passenger’s “Manage
My Booking” webpage on Tigerair’s website,
whereupon additional personal data about the
passenger could be retrieved, including the
passenger’s passport number, home address,
phone number, email address and the last four
digits of the credit card used to pay for the flight
ticket.
In the PDPC’s findings of fact, it was disclosed
that an employee of APS, which was the sub-
contractor for the provision of ground handling
services for Tigerair, had run out of paper while
printing a copy of the Flight Manifest. Without
taking further precautionary measures, the
employee had disposed of the partially printed Flight
Manifest in the rubbish bin in the gate hold room,
and reprinted the Flight Manifest in full.
The PDPC’s Decision
At the outset, the PDPC found that APS was
acting as a data intermediary of Tigerair when it
processed personal data, on behalf of Tigerair, in
relation to the ground handling services that it was
sub-contracted to perform. The PDPC also found
that APS had breached its obligation under section
24 of the PDPA as it had failed to implement
reasonable security measures to protect the
personal data in its possession or under its
control, for the reasons set out below:
(a) Failure to contextualise general group level
policies to ground operations
Although APS was a subsidiary in a corporate
group and was required to comply with the parent
organisation’s set of data protection policies,
which contain guidelines on security measures for
the protection of personal data, this was
inadequate as a security measure under section
24 of the PDPA. In particular, APS failed to
implement further procedures or policies to
translate the group-level policies into customised
practices that were required on the ground to
protect personal data. These practices should
have addressed specific scenarios of
inappropriate handling or disposal of Flight
Manifests, particularly where the personal data
leaked would be of a sensitive nature, such as the
retrievable details from the “Manage My Bookings”
portal.
(b) Failure to provide ongoing training on APS’
data protection obligations, policies and
procedures
In addition, APS should have provided training on
a customised and ongoing basis for its employees
who routinely handle passengers’ personal data.
This was particularly important given that APS
processes the personal data of a large number of
individuals on a regular basis in the course of its
duties. Ongoing refresher training would have
fostered, and maintained, an organisation-wide
awareness of data protection concerns, and would
have ensured that the organisation’s data
protection obligations were consistently acted
upon by its employees.
In its findings, the PDPC found that APS’s
employees had only received a general data
protection briefing, which was conducted during
the employee induction programme designed for
new employees. This was not found to be an
adequate security arrangement to reasonably
protect the personal data in APS’s control or
possession, pursuant to section 24 of the PDPA.
The PDPC’s Actions
In assessing the breach and the directions to be
imposed on APS, the PDPC took into account the
following factors:
(a) The said gate hold room was accessible only
by passengers and airport staff.
(b) The bin where the Flight Manifest was
disposed could reasonably be expected to be
emptied regularly as part of routine
maintenance.
(c) The Flight Manifest held data that served as
login credentials to passengers’ personal data
on Tigerair’s “Manage My Bookings”
portal. However, the PDPC notes that such
information was only accessible for a limited
time period, until the last travelling date on the
passengers’ itinerary.
(d) There were no complaints of any
unauthorised access to the “Manage My
Bookings” page of any passenger.
Based on the above factors, the PDPC directed
APS to:
(a) Conduct a review of its procedure for proper
disposal of personal data in its possession
and/or control.
(b) Introduce data protection policies that are
contextualised and pertinent to the services
provided by APS and functions performed by
its staff.
(c) Create an ongoing training programme for the
implementation of APS’s data protection
policies by its staff.
Furnituremart
Background
Furnituremart is in the business of trading
furniture, bedding, and other domestic products.
As represented by Furnituremart, signed copies of
invoices were returned to its office upon delivery of
goods and would, on a daily basis, be destroyed
by its staff. However, in the present incident, a
Furnituremart employee had erroneously placed a
returned copy of an invoice into the printer feed tray,
whereupon another customer’s invoice was
printed on that sheet. The said invoice was then
issued to its intended recipient. As a result, the
first customer’s personal data was disclosed,
namely the customer’s surname, home and
delivery address, telephone number and email
address.
The PDPC’s Decision
For the reasons as set out below, the PDPC found
that Furnituremart had breached its obligation
under section 24 of the PDPA as it had failed to
implement reasonable security measures to
protect the personal data in its possession or
under its control.
(a) Furnituremart failed to effectively put any data
protection policy in place
First, Furnituremart had only formalised its data
protection policy during the month of the data
breach and did not have an existing written policy
in place. In addition, there was a possibility that
the data protection policy was only conceived after
the data breach incident had occurred. Aside from
the fact that the policy was issued during the same
period of time of the data breach incident, the
PDPC had noted that the data protection policy
had only consisted of six bullet points, with half of
the six bullet points relating to the data breach
incident.
Second, Furnituremart did not adduce any
evidence to show that it had implemented the data
protection policy prior to the data breach. Such
evidence would include internal communications
of the policy to its staff, internal briefings to raise
staff awareness and staff training events. Although
Furnituremart claimed that it had an effective
supervisory check in place to implement its data
protection policy, it was no more than a bare
assertion that was unsubstantiated by the findings
of fact.
Third, Furnituremart did not provide any data
protection training to its employees.
(b) Lack of management oversight and
supervision
Separately, Furnituremart had relied on the
misconceived assumption that proper execution of
the job functions delegated to its staff per se was
sufficient as a data protection measure. As such,
the management had failed to craft data protection
policies and measures that were adapted to its
business, and failed to disseminate such policies
and measures to its staff. Moreover, the
management should have actively supervised and
monitored its employees to ensure that the data
protection procedures were correctly implemented.
The PDPC’s Actions
In assessing the breach and the directions to be
imposed on Furnituremart, the PDPC took into
account the following mitigating factors:
(a) The unauthorised disclosure was made to a
single person only.
(b) The personal data disclosed was not
sensitive.
(c) There was no evidence that any loss or
damage was caused by the unauthorised
disclosure.
The PDPC made the following directions to
Furnituremart:
(a) To review its policy for the protection of
personal data in relation to its order fulfilment
process.
(b) To develop procedures to ensure effective
implementation of its data protection policy.
(c) To conduct training to ensure that its staff are
aware of, and will comply with, the
requirements of the PDPA when handling
personal data.
Hazel Florist
Background
On 5 September 2016, the PDPC was informed
that Hazel Florist had delivered a gift hamper to
the complainant, which contained order forms
used as fillers at the bottom of the hamper. These
order form fillers contained the personal data of 24
other individuals, including their names, delivery
addresses, and telephone numbers.
The PDPC’s Decision
Upon the conclusion of the PDPC’s investigations,
it was found that Hazel Florist was in breach of
section 24 of the PDPA, as it had failed to
implement reasonable security measures to
protect the personal data in its possession or
under its control, for the reasons set out below:
(a) Failure to implement any measures to ensure
that only designated filler material was used
In its representations, Hazel Florist explained that
its employees had received clear instructions to
use designated filler material for its gift hamper
packing process. However, the PDPC took the
view that such instructions were not in themselves
a reasonable security arrangement. Instead,
accompanying measures were required, pursuant
to section 24 of the PDPA, to reasonably ensure
that Hazel Florist’s instructions to its employees
were carried out.
(b) Failure to provide data protection training to
the employee
The PDPC noted that, in certain circumstances,
data protection training may serve as a security
arrangement, when it provides an employee with
an awareness of the organisation’s data protection
obligations and when it gives specific guidance on
the proper handling of personal data relevant to
the employee’s day-to-day tasks. In the present
case, the PDPC found that the said employee was
not adequately trained in data protection, as she
was only trained in the physical packing of the gift
hamper, and not on data protection measures
itself. Thus, the PDPC held that such on-the-job
training did not constitute a security
arrangement for the purposes of section 24 of the
PDPA.
(c) Failure to provide proper supervision to the
employee
The PDPC also held that Hazel Florist had failed
to address the employee’s lack of receptiveness to
the training and guidance provided by her
colleagues. With the said employee effectively
working unsupervised, Hazel Florist was unable to
ensure that the said employee followed its
instructions to use the designated filler material.
(d) Failure to provide specific practical guidance
on proper handling of personal data
Furthermore, the PDPC noted that Hazel Florist’s
data protection policy only restated the
organisation’s data protection obligations in
general terms, and did not provide specific
practical guidelines on the proper handling of
personal data. In addition, Hazel Florist had
expected the employees to read the data
protection policy, and did not explain nor ensure
that its employees understood what was required
of them under the data protection policy.
The PDPC’s Actions
In assessing the breach and the direction to be
imposed on Hazel Florist, the PDPC took into
account the following factors:
(a) The personal data was disclosed to only one
person.
(b) Save for the disclosure of one individual’s
NRIC, the breach involved personal data of
limited sensitivity.
(c) Hazel Florist had taken remedial actions to
help prevent the disclosure of personal data in
the future.
(d) Hazel Florist had been fully cooperative in the
investigation.
In view of the factors above, the PDPC issued a
warning to Hazel Florist for the breach of its
obligations under section 24 of the PDPA, and did
not impose further directions or a financial penalty.
DataPost
Background
DataPost had printed and mailed out financial
statements relating to the Overseas-Chinese
Banking Corporation Ltd’s (OCBC) Supplementary
Retirement Scheme (SRS) to OCBC’s customers.
Each SRS statement contained the name,
address, cash balance, and types, quantity, and
valuation of asset holdings of the customer. The
PDPC was informed by OCBC that, on or about 17
June 2016, a customer of OCBC discovered that
she had received two additional statements
belonging to two other OCBC customers in
addition to her own SRS statement.
At DataPost, the SRS statements are printed and
inserted into the customers’ respective mailer
envelopes by an enveloping machine. Due to an
operational peculiarity of the machine, the first
three statements printed would always be placed
in the same envelope. To remedy the operational
peculiarity, the machine was set to send the first
envelope into the reject bin for an operator to
manually sort the individual statements within the
first envelope into separate envelopes.
On 4 May 2016, the operator mistakenly assumed
that the first three statements belonged to the
same individual, and moved the envelope from the
reject bin to the main bin. The operator also
completed the quality control form in a manner
showing envelopes in the reject and main bins
tallied with the expected total from the run.
The PDPC’s Decision
For the reasons stated below, DataPost was found
to have breached section 24 of the PDPA, as it
had not put in adequate security arrangements to
protect the personal data in its possession or
under its control.
(a) Significant operational risk
The PDPC was of the opinion that the processes
created a significant risk of the first envelope
containing the statements of more than one
individual. The design and operation of the
enveloping machine ensured that the risk arose
with each print cycle. In the PDPC’s view, such
risks could be avoided, for example, by having the
first sheet printed blank by default. This would
lower the chance of an unauthorised disclosure of
customers’ personal information as the first
envelope would contain blank pages instead of the
actual statements of real customers.
(b) Inadequate quality control checks
The PDPC found that DataPost’s system of quality
control measures was inadequate and easily
bypassed. This was because the operator could
return the first envelope filled by the machine to
the main bin rather than the reject bin, which
would have otherwise been inspected by second
and third level checkers. Thus, the operator was
able to bypass both the second and third level
checks.
(c) No independent verification of accuracy
The PDPC also noted that there was no
independent verification of the accuracy of the
quality control form filled in by the operator. This
meant that the second and third level checkers
would not have been aware of the fact that the
operator had incorrectly moved an envelope from
the reject bin to the main bin, as the numbers in
the quality control form appeared to tally with the
expected total from the run. Thus, the second and
third level checkers were relying on the numbers
provided by the operator in the quality control form
in order to ascertain whether an error or failure
had occurred, and could not independently verify
that the numbers provided by the operator were
actually correct.
The PDPC’s Actions
In assessing the breach and the directions to be
imposed on DataPost, the PDPC took into account
the following aggravating and mitigating factors:
(a) The personal data disclosed contained
sensitive financial information of the
customers and was a significant aggravating
factor in warranting a financial penalty as a
matter of general deterrence.
(b) The scale of the breach was small as only
personal data belonging to two individuals
was disclosed to a single recipient.
(c) There was no evidence to suggest that the
data breach caused actual loss or damage to
any person.
Based on the above factors, the PDPC imposed a
S$3,000 fine on DataPost, and additionally
directed that DataPost:
(a) Conduct a review of its internal working
procedure relating to data printing and
enveloping operations, in particular, tightening
the application of quality control checks.
(b) Improve the training of all operators and
quality checkers involved in its printing and
enveloping operations.
(c) Review its personal data protection policy to
determine if it needs to be updated to suit its
current operations.
Property Managers
Background
Between 29 June 2016 and 27 July 2016, the
PDPC received complaints from several residents
of three condominiums, namely, Prive, The
Mornington and Seletaris, against their
condominiums’ respective Property Managers.
The complaints involved the posting of certain
documents, such as voter lists and draft minutes
of a council meeting, on the notice boards that
were located within the compound of the
condominiums. Amongst the information disclosed
in the voter lists and minutes of meeting was
personal information of the residents, including
their names, unit numbers and voting shares.
The PDPC’s Decision
Upon conclusion of its investigation, the PDPC
found that the Property Managers were not in
breach of their data protection obligations under
the PDPA.
Consent and Notification Obligations
First, the Property Managers had not breached
their PDPA obligations to:
(a) Obtain an individual’s consent before
collecting, using or disclosing his personal
data for a purpose, under sections 13 to 15,
and 17 of the PDPA (Consent Obligation).
(b) Notify the individual of the purpose(s) for
which it intends to collect, use or disclose
his/her personal data on or before such
collection, use or disclosure, under section 20
of the PDPA (Notification Obligation).
At the outset, the PDPC found that the Property
Managers had not notified their respective
residents of the purpose of the disclosure of the
voter lists or minutes of meeting, nor did the
Property Managers obtain the residents’ consent
to disclose their personal data for this purpose.
However, the PDPC found that the Property
Managers were not in breach of their Consent and
Notification Obligation, as they could rely on
certain exceptions to these obligations, as set out
below.
(a) Exemption 1: Disclosure was required or
authorised under other written law
Under section 13(b) of the PDPA, an organisation
is exempted from the Consent and Notification
Obligations if the disclosure of personal data is
required or authorised under the PDPA or any
other written law.
Under the Building Maintenance and Strata
Management Act (BMSMA), the Property
Managers were statutorily required to display the
list of eligible voters and a copy of the minutes of
the council meeting on the notice board of their
condominiums. Although the BMSMA does not
specify the information to be disclosed in the
display of the council meeting minutes, the PDPC
found that it is implicit in the definition and
understanding of ‘minutes of meetings’ that they can
contain the personal data of individuals. In
addition, the display of the attendees’ unit numbers
was reasonable because it serves to establish the
basis for the proprietor’s attendance.
Hence, the disclosures of the residents’ names in
the voter lists, as well as the names and unit
numbers in the display of the minutes of the
council meetings, fell within an exception to the
Consent and Notification Obligations under the
PDPA.
(b) Exemption 2: Personal data was publicly
available
In addition, the PDPA also provides that personal
data that is generally available to the public
constitutes an exception to the Consent and
Notification Obligations under the PDPA. Under
the Advisory Guidelines on Key Concepts in the
PDPA, personal data is considered to be publicly
available for the purposes of the PDPA if “any
member of the public could obtain or access the
data with few or no restrictions.”
On the facts, the PDPC found that personal data
involved (i.e., the names, unit numbers and voting
shares of the residents) were generally available
to the public, as the information could be found in
the condominium’s strata roll and on the
Singapore Land Authority Registry, both of which
were accessible by the public with few or no
restrictions.
For example, a person may access the strata roll by making an application to the Property Manager and paying the prescribed fee. Even though the BMSMA provides that the strata roll may only be accessed by specified categories of persons, these categories included "prospective" mortgagees or purchasers, as well as persons authorised by residents or mortgagees. The practical reality, therefore, was that these restrictions were difficult to enforce.
Retention Obligation
Second, the PDPC found that the Property
Managers had not breached their obligation to
cease to retain the personal data as soon as the
personal data is no longer reasonably required for
the purposes for which it was collected, and for
legal or business purposes, pursuant to section 25
of the PDPA (Retention Obligation). In particular,
the PDPC considered whether the display of the
voting lists on the notice board for two months
amounted to an unreasonable period that
breached the Property Manager’s Retention
Obligation.
In the PDPC's view, where the reasonableness of a course of action is in issue, the PDPC would only intervene if the action is so clearly unreasonable as to warrant sanctions under the PDPA. In the present case, whilst the PDPC refrained from dictating what would be an unreasonable period of time for the retention of personal data, it concluded that a period of two months was not so unreasonably long that it ought to have attracted a sanction under the PDPA.
Therefore, in view of the foregoing reasons, the
PDPC found that the Property Managers had not
breached their obligations under the PDPA.
MALAYSIA
Malaysia publishes a public consultation paper on the transfer of personal data to places outside Malaysia and commences the enforcement of the Malaysia Personal Data Protection Act
On 4 April 2017, Malaysia's Personal Data Protection Department issued a public consultation paper on the draft Personal Data Protection (Transfer Of Personal Data To Places Outside Malaysia) Order 2017 (Draft Order), which specifies the 'whitelist' places for the transfer of personal data outside of Malaysia.
Under Malaysia's Personal Data Protection Act 2010 (Malaysia PDPA), an organisation must satisfy certain conditions set out under section 129(3) of the Malaysia PDPA prior to any cross-border transfer of personal data, unless the personal data is transferred to a jurisdiction that has been approved and published in the Official Gazette by the Minister responsible for personal data.
To date, no jurisdiction has been specified in the Official Gazette. Accordingly, any cross-border transfer of personal data outside of Malaysia must rely on one of the exceptions under the Malaysia PDPA, which include the following:
(a) Where the data subject has consented to the
transfer.
(b) Where the transfer is necessary for the
performance of a contract between the data
subject and the data user.
(c) Where the transfer is necessary to protect the
vital interests of the data subject.
(d) Where the data user has taken all reasonable
precautions and exercised all due diligence to
ensure that the personal data will not be
processed in the recipient country in any
manner that would have been a contravention
of the Malaysia PDPA.
The Draft Order sets out a provisional list of 'whitelist' jurisdictions, to which additional places would be added as and when required. At present, the draft list of 'whitelist
jurisdictions’ includes the European Economic
Area, the United Kingdom (UK) and other
jurisdictions that have been recognised by the
European Commission (EC) as adequate for
personal data cross-border transfers, such as
Andorra, Argentina, the Faroe Islands, Guernsey,
New Zealand and Uruguay. Within the region,
Singapore, Hong Kong, China and Japan have
also been included in the list.
Separately, on 3 May 2017, a local private college
operator was charged under the Malaysia PDPA
for the processing of personal data of an ex-
employee without a requisite certificate of
registration that is issued by the Malaysia
Personal Data Protection Commission, in
contravention of section 16(1) of the Malaysia
PDPA. This marks the first prosecution under the
Malaysia PDPA, and the commencement of the
enforcement phase of the Malaysia PDPA.
PHILIPPINES
Philippines' National Privacy Commission releases supplementary materials to Data Privacy Act
The National Privacy Commission (NPC) recently released new material and services on its website (Services) which are intended to supplement the Data Privacy Act (DPA).
The Services comprise three sections:
(a) “I Want to Know More”;
(b) “I Want to Comply”; and
(c) “I Want to Complain”.
“I Want to Know More”
This section provides guidance on the DPA framework, including general information about the rights of data subjects, the DPA and its implementing rules and regulations, as well as Memorandum Circulars and Advisories issued by the NPC.
At present, there are four Memorandum Circulars,
in relation to each of the following:
(a) Security of Personal Data in Government
Agencies;
(b) Data Sharing Agreements Involving
Government Agencies;
(c) Personal Data Breach Management; and
(d) Rules of Procedure,
and one Advisory on the Designation of Data
Protection Officers.
The section also features a “Beginner’s Guide to
Personal Data Privacy”, which sets out tips for
individuals to safeguard their data privacy online,
as well as various other interactive resources such
as videos and presentations.
“I Want to Comply”
This section addresses the various measures that
organisations should take to comply with the DPA,
including:
(a) Registration with the NPC.
(b) Appointing a Data Protection Officer (DPO).
(c) Conducting a privacy impact assessment.
(d) Creating a Privacy Manual.
(e) Implementing privacy and data protection
measures.
(f) Exercising breach reporting procedures.
Each of the above subsections provides
organisations with detailed guidance on adopting
the various measures. For instance, under
“Appointing a DPO”, organisations may find
guidance on such matters as selecting an
appropriate individual to be appointed as the DPO,
the duties and responsibilities of a DPO, as well as
subcontracting the functions of the DPO.
“I Want to Complain”
This section sets out information on who may
complain about data privacy violations or personal
data breaches under the DPA, the complaint
process, and related matters.
Generally, individuals are able to make formal
complaints by:
(a) Filing a complaint-affidavit, together with
copies of supporting evidence and affidavits
of any witnesses, at any NPC office; or
(b) Electronic filing, attaching the relevant
documents in an email sent to
[email protected], or submitting a
portable electronic data storage device to any
NPC office.
Under this section, individuals are also able to
submit an “assisted” complaint, via a guided online
form, or submit queries regarding data privacy via
the “AskPriva” service.
Philippines' Privacy Commission issues compliance order to COMELEC for 2nd major data breach
On 13 February 2017, the NPC issued a Compliance Order to the Commission on Elections (COMELEC) to take serious measures to address its data processing vulnerabilities following the theft of a computer from the Office of the Election Officer (OEO) in Wao, Lanao Del Sur, one month earlier.
The theft was the second major data breach
suffered by COMELEC in less than a year; the first
was a website data breach.
The stolen OEO computer contained data from the
Voter Registration System (VRS) and Voter
Search applications, and the National List of
Registered Voters (NLRV), as well as biometric
records of registered voters in Wao, Lanao Del
Sur.
An initial probe into the breach also uncovered the
practice of COMELEC field offices across the
Philippines in maintaining their own soft copies of
the NLRV. The NLRV contains the personal data
of some 55 million voters in the country.
The Compliance Order directed the COMELEC to
erase all copies of NLRV stored in the computers
of each of its field offices in the country, if the
COMELEC is unable to secure the NLRV
database using appropriate organisational,
physical and technical measures.
The NPC also directed the COMELEC to notify all
affected data subjects within two weeks, either
individually (for those with records in the VRS in
Wao Lanao Del Sur), or through publication in two
newspapers of general circulation (for those with
records in the NLRV).
CHINA
China's Cyberspace Administration releases amended draft Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data
On 11 April 2017, the Cyberspace Administration of China (CAC) released the draft Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (Draft Measures) for public comments. The public consultation ended on 11 May 2017.
The Draft Measures are intended to facilitate the
implementation of the recently enacted
Cybersecurity Law, which took effect on 1 June
2017. For commentary on the Cybersecurity Law,
please see our Data Protection Quarterly
Update published in January 2017.
Shortly after the public consultation closed, the
CAC on 19 May 2017 released a revised version
of the Draft Measures (Amended Draft
Measures).
The public consultation had attracted a
considerable amount of industry feedback, with
many resisting the measures proposed in the Draft
Measures. To some extent, the Amended Draft
Measures are less stringent than the original Draft
Measures.
Notable amendments include the following:
(a) Delayed implementation date
While the Amended Draft Measures are stated to take effect at the same time as the Cybersecurity Law, i.e., on 1 June 2017, they will only be implemented and enforced from 31 December 2018. Network operators covered under the Amended Draft Measures will therefore have a further grace period to comply with the requirements thereunder.
(b) Consent requirements
Under the Amended Draft Measures, the
requirement for network operators to obtain
consent from data subjects to cross-border
transfers of their personal data has been relaxed
in certain circumstances.
For instance, an exemption has been introduced in
relation to cross-border transfers of personal data
which are necessary to respond to an emergency
threatening the life or property of citizens.
Under the Amended Draft Measures, consent may
also be implied where cross-border transfers of
personal data are initiated by the data subject
such as by making international calls and online
transactions, or sending emails and instant
messages to recipients overseas.
(c) Security self-assessments
The Amended Draft Measures retains the general
requirement for network operators to carry out
security self-assessments in respect of cross-
border data transfers. However, the obligation to
do so annually, as well as to report the outcome of
the self-assessments to the relevant authority (as
previously provided under the Draft Measures)
have been removed.
(d) Government security assessments
The Amended Draft Measures reduce the number of circumstances in which cross-border data transfers would be subject to a government-administered security assessment. In particular, a government security assessment would no longer be required merely because: (i) the personal data transferred overseas exceeds 1000GB; or (ii) the personal data is transferred overseas by an operator of critical information infrastructure (CII).
The Amended Draft Measures continue to subject cross-border data transfers to government security assessment where: (a) the transfer involves the personal data of 500,000 individuals or more; or (b) the data relates to matters such as nuclear facilities, biochemistry, national defence, public health, large-scale engineering activities, marine environments and sensitive geographical information.
However, the Amended Draft Measures do not set out the process by which a government-administered security assessment would be conducted, and have further removed the requirement previously found in the Draft Measures for such a government security assessment to be completed within 60 days.
(e) Definition of personal data
While the definition of personal data remains non-
exhaustive, the Amended Draft Measures now
expressly clarifies that location and behavioural
data are personal data for the purposes of the
Amended Draft Measures.
AUSTRALIA
Australia's Information Commissioner publishes new data protection guidance
On 8 May 2017, the Office of the Australian Information Commissioner (OAIC) published a new guidance document, "What is personal information?" (OAIC Guidance), to assist businesses and agencies in applying the definition of "personal information" under the Privacy Act 1988.
The OAIC Guidance is intended as a more
detailed resource on the matter, following the
recommendation of the Federal Court of Australia
in its decision in Privacy Commissioner v Telstra
Corporation Limited.
The OAIC Guidance recognises that in most
cases, whether information is “personal
information” within the meaning of the Privacy Act
would be straightforward. Where there is
uncertainty, however, the OAIC guidance
recommends that entities err on the side of caution
by treating the information as personal
information.
The OAIC Guidance sets out a checklist of factors
that entities may take into account in determining
whether information is “personal information” for
the purposes of the Privacy Act, and provides
illustrative examples, including hypothetical case
studies, to aid entities.
For instance, the OAIC Guidance addresses
common issues that could arise in determining
whether information constitutes “personal
information”, such as information having more
than one subject matter or relating to more than
one person, and the format of the information.
The OAIC Guidance also sets out certain types of
information which would not be regarded as
personal information for the purposes of the
Privacy Act, such as business information and de-
identified information.
For more information, the OAIC Guidance is available on the OAIC website.
NEW ZEALAND
New Zealand's Privacy Commissioner recommends changes to Privacy Act
On 3 February 2017, following a review of the operability of the Privacy Act (Act), the New Zealand Privacy Commissioner proposed six recommendations to the Government for the reform of the Act.
The Privacy Commissioner is required, pursuant to
section 26 of the Act, to conduct periodic reviews
of the operation of the Act, and to consider
whether amendments are necessary or desirable
to ensure that the Act is fit for purpose in the
current and future environment. The Privacy
Commissioner’s findings are then reported to the
Minister of Justice.
In its latest report, the Privacy Commissioner
made recommendations, in relation to the
following:
(a) right to data portability;
(b) controls on re-identification;
(c) new power to require demonstrations of
agency compliance;
(d) new civil penalty;
(e) adjustments to criminal offences; and
(f) proceeding with public register reform.
Right to data portability
Broadly, the right to data portability would allow individuals to request that an agency transfer their personal information, in an electronic format that can be reused by another agency. Consumers, in particular, would be able to rely on such a right to request the transfer of their personal information when switching providers, such as in relation to banking, telecommunications and internet services.
The proposed right to personal information (or data) portability would support and strengthen the fundamental right of access to information, and enhance consumer choice. If adopted, the new consumer right would mirror the right provided under the European Union (EU) General Data Protection Regulation (GDPR), which will apply from May 2018.
Controls on re-identification
The Privacy Commissioner recommended that the
Act include protections against the risk that
individuals may be unexpectedly identified from
data that has purportedly been de-identified (or
anonymised).
The Privacy Commissioner suggested that the
protections could be introduced most effectively
and flexibly by way of a new privacy principle,
amongst several options considered. The new
privacy principle would limit the re-identification of
previously de-identified or anonymised personal
information, except in limited circumstances.
Additional power to require demonstrations of
compliance
Under this recommendation, the Privacy
Commissioner would be empowered to require an
agency to demonstrate ongoing compliance with
the Act, by:
(i) Establishing a privacy management
programme or plan that is adequate for their
purposes;
(ii) Requiring a report to the Privacy
Commissioner on steps taken to achieve
compliance; and/or
(iii) Publicly reporting on its position with regard to
its privacy management programme.
New civil penalty
The report also recommended that the Privacy
Commissioner be empowered under the Act to
apply to the High Court for a civil penalty to be
imposed in cases of serious breaches. The
proposed maximum penalty would be NZ$100,000
for individuals, or NZ$1 million in the case of a
body corporate.
The recommendation is intended to address a gap
in the regulatory sanctions presently available –
non-compensatory civil sanctions are not currently
provided for under the Act.
Adjustments to criminal offences
The Privacy Commissioner recommended that the defences currently available in respect of the criminal offences of obstructing the Privacy Commissioner or failing to comply with a lawful requirement of the Privacy Commissioner (under sections 127(a) and (b) of the Act) be narrowed.
Three reform options were identified:
(i) Replacing the “reasonable excuse” defence,
which the Privacy Commissioner considered
has prevented the satisfactory operation of
the offences, with the defence of “lawful
justification or excuse”;
(ii) Recasting these offences as strict liability –
the Privacy Commissioner’s preferred option;
or
(iii) Providing the option for the Privacy
Commissioner to seek a pecuniary penalty
order in relation to these offences as an
alternative to prosecution.
Public register reform
The Privacy Commissioner took the view that the
public register privacy principles (PRPPs) (and
related provisions) in part 7 of the Act should be
repealed, and replaced by provisions for:
(i) The suppression of personal information in
public registers in appropriate circumstances,
where there is a safety risk, by way of
application to the Privacy Commissioner.
(ii) Complaints to the Privacy Commissioner in
relation to breaches of access conditions as
provided in each public register enactment.
Broadly, public registers are registers or databases of information to which the public has some specific statutory right of access. Public registers are regulated by a number of statutes, both those specific to each register and those of general application (e.g., the PRPPs under the Act).
The Privacy Commissioner recommends the
repeal of the PRPPs, on the basis that the
minimum safeguards they provide for have
become unnecessary in the current digital
environment, and more relevant safeguards are
now provided for in laws regulating the specific
public registers.
RUSSIA
Russia increases fines for violations of data protection laws
On 7 February 2017, the Russian President signed into law a bill (Law) to amend the Russian Code on Administrative Offences (Code).
With effect from 1 July 2017, the Law will increase the administrative penalties for data protection violations under the Code, which currently provides for low maximum fines.
In addition to increasing the fines for violations of
data protection laws, the new Law will also
distinguish various breaches of data protection
laws by organisations (and their officers):
(a) Processing personal data otherwise than in
accordance with data protection laws, and/or
processing which is incompatible with the
purposes for which the personal data was
collected.
(b) Processing personal data without the prior
written consent of a data subject as required
under data protection laws, and/or failure to
provide certain prescribed information in
obtaining consent.
(c) Failure to comply with the requirement to
provide a data subject with information
relating to the processing of the individual’s
personal data.
(d) Failure to comply with the requirement to
publish or make publicly available otherwise
the organisation’s privacy policy.
(e) Failure to comply with a data subject’s
request to update, block, or delete personal
data, if such data is incomplete, outdated,
incorrect, unlawfully obtained, or no longer
necessary for the purposes of processing the
data.
(f) Where the organisation carries out non-
automated processing of personal data, the
failure by such organisation to ensure the
security of, or to prevent unauthorised access
to, any material media containing the personal
data, resulting in: (i) unauthorised or
accidental access; (ii) destruction,
modification, blocking, copying, disclosure; or
(iii) any other unauthorised acts, in respect of
the personal data.
Russia blocks LinkedIn
Since November last year, Russia has blocked LinkedIn in the country for violation of the data localisation requirement under local data protection laws.
Pursuant to Federal Law No. 242, which
introduced amendments to several Russian laws,
including key data protection legislation, the
requirement for data localisation was extended to
all companies operating online which process the
personal data of Russian citizens, in addition to
internet companies providing services in Russia.
Companies which breach the data localisation
requirement would be subject to a financial
penalty. In addition, the Roskomnadzor, which
enforces data protection laws in the country, has
the power to petition the Russian Courts to block
websites for non-compliance with the data
localisation requirement.
Since the amendments to the data protection laws
came into force on 1 September 2015, the
Roskomnadzor has carried out ad hoc compliance
inspections on companies.
In the case of LinkedIn, the Roskomnadzor had
first brought the matter to the first instance court in
August 2016, where the Court ruled in favour of
the Roskomnadzor. In November 2016, LinkedIn
appealed the matter to the Moscow City Court, on
the bases that the company had no physical
presence in Russia, and did not target Russian
users specifically. LinkedIn also sought to argue
that as the Roskomnadzor had communicated with
the company’s United States (US) office, instead
of its Irish office, which processes the data of non-
US citizens, the company had not been given
proper notification.
However, the Moscow City Court denied the
appeal, and upheld the lower court’s order to block
access to LinkedIn in Russia for breach of the data
localisation requirement under Russian data
protection laws.
EUROPEAN UNION
Article 29 Working Party (WP29) issues draft guidance on Data Protection Impact Assessments (DPIA)
On 4 April 2017, the WP29, which consists of a representative from the data protection authority of each EU Member State, a representative of the authorities established for the EU institutions and bodies, and a representative of the European Commission (EC), adopted the "Guidelines on Data Protection Impact Assessment and determining whether processing is likely to result in a high risk for the purposes of Regulation 2016/679" (Guidelines).
A DPIA is a process designed to describe the processing of personal data, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of natural persons resulting from such processing.
The following paragraphs set out briefly, a non-
exhaustive summary of the Guidelines.
Interpretation of the circumstances in which a
DPIA is mandatory
Article 35(1) of the GDPR provides that a DPIA is
required to be conducted when the processing of
personal data is “likely to result in a high risk to the
rights and freedoms of natural persons”. Article
35(3) of the GDPR provides a non-exhaustive list
of circumstances where the processing is likely to
be high risk, including systematic evaluation and
profiling on which decisions are taken which have
legal effect or significantly affect individuals;
processing on a large scale of sensitive data; and
systematic monitoring of a publicly accessible area
on a large scale.
In addition, the Guidelines provide the following list
of 10 potentially high-risk processing activities:
(a) evaluation or scoring, including profiling and
predicting;
(b) automated decision making with legal or
similar significant effect;
(c) systematic monitoring;
(d) use of sensitive data;
(e) data processed on a large scale;
(f) datasets which have been matched or
combined;
(g) data concerning vulnerable data subjects;
(h) innovative use or applying technological or
organisational solutions;
(i) data transfers outside the EU; and
(j) where the processing in itself prevents data
subjects from exercising a right or using a
service or contract.
As a rule of thumb, the WP29 further suggests that where the processing meets two or more of these criteria, it is likely to be high risk and a DPIA should be carried out.
Generally, a DPIA is not required where the processing:
(a) Is not "likely to result in a high risk to the rights and freedoms of natural persons".
(b) Has a legal basis in EU or EU Member State law which regulates the specific processing operation, where a DPIA has already been carried out as part of the establishment of that legal basis, according to the standards of the GDPR, and the law does not require an initial DPIA.
(c) Is included on the optional list, established by the supervisory authority, of processing operations for which no DPIA is required.
An analysis of when and how organisations
should carry out a DPIA
Generally, a DPIA should be conducted before the
processing of personal data and should be started
as early as practical in the design of the
processing operation even if the DPIA has to be
reviewed as part of an on-going process as a
project develops. The data controller is ultimately
responsible for ensuring that the DPIA is
conducted, and if the processing is wholly or partly
performed by a data processor, the processor
should assist the controller in conducting the DPIA
and providing any necessary information.
The Guidelines provide that different
methodologies may be used to carry out a DPIA
provided that the following minimum requirements
set out pursuant to article 35(7) of the GDPR are
met:
(a) A description of the envisaged processing
operations and the purpose of the processing.
(b) An assessment of the necessity and
proportionality of the processing.
(c) An assessment of the risks to the rights and
freedoms of data subjects.
(d) The measures envisaged to address the risks
and demonstrate compliance with the GDPR.
Nevertheless, the following criteria should be used
to assess whether these different methodologies
are sufficiently comprehensive to comply with the
GDPR:
(a) A systematic description of the processing is
provided: amongst other criteria, the nature,
scope, context and purposes of the
processing are taken into account; and the
assets on which personal data rely (hardware,
software, networks, people, paper or paper
transmission channels) are identified.
(b) Necessity and proportionality are assessed:
amongst other criteria, the lawfulness of
processing; limited storage duration; right of
access and portability for data subjects; and
safeguards surrounding international transfers
for data subjects.
(c) Risks to the rights and freedoms of data
subjects are managed: amongst other criteria,
potential impacts to the rights and freedoms
of data subjects are identified in case of
illegitimate access, undesired modification
and disappearance of data.
(d) Interested parties are involved: the advice of
the Data Protection Officer is sought; and/or
the views of data subjects or their
representatives are sought.
Mid-Term review of the Digital Single Market Strategy
On 10 May 2017, the EC published, in the form of a Communication, the mid-term review of its Digital Single Market Strategy, which seeks to open up digital opportunities for people and businesses and enhance Europe's position as a world leader in the digital economy. Notably, the Communication identifies developing the European Data Economy to its full potential as one of three areas where further EU action is required.
For the data economy to assist European
businesses to grow, modernise public services
and to empower citizens, data has to continuously
be accessible and be able to move freely within
the single market. In order to develop the
European Data Economy to its full potential, the
EC has set out that it aims to:
(a) Prepare a legislative initiative on the EU free
flow of data cooperation framework (which
considers the principle of free flow of data
within the EU and the principle of porting non-
personal data), to be completed by Autumn
2017.
(b) Prepare an initiative on accessibility and
reuse of public and publicly funded data as
well as to explore the issue of privately held
data which are of public interest, to be
completed by Spring 2018.
(c) Further analyse whether to define principles
to determine liability in cases of damage
caused by data-intensive products.
(d) Continue to assess the need for action
concerning emerging data issues such as
data access rights.
EU Member States' initiatives to comply with the GDPR, which comes into force in May 2018
The EU's GDPR, which is aimed at enabling citizens in the EU to have better control of their data and, in addition, at allowing businesses to make the most of opportunities in the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust, will come into effect on 25 May 2018.
The following paragraphs sets out a non-
exhaustive list of initiatives undertaken by various
EU Member States thus far to prepare for the
implementation and enforceability of the GDPR.
Ireland
On 12 May 2017, the Irish Minister for Justice
published the General Scheme of the Data
Protection Bill 2017 (Scheme), which is a general
policy statement that may be considered by a
committee of the Irish Parliament. The Scheme
provides, amongst other things, the following:
(a) Modernisation of the role of the Irish Data
Protection Commissioner to form the Data
Protection Commission.
(b) Procedural safeguards and due process to
regulate the powers of the Data Protection
Commissioner.
(c) Significant changes to the investigative
processes of the Data Protection
Commissioner.
(d) The implementation of the new Data
Protection Directive, which deals with the
processing of personal data by competent
authorities or other entities that are engaged
in the prevention, investigation, detection or
prosecution of crime.
Spain
On 11 May 2017, the Spanish Data Protection
Authority (SDPA) issued a Code of Best Practices
in Data Protection for Big Data Projects (BDP
Code), which was jointly developed by the SDPA
and ISMS Forum Spain, a Spanish association for
the promotion of information security in
collaboration with companies and professionals.
The BDP Code provides an analysis of the current
legal framework as well as the implications
associated with the use of Big Data, in light of the
GDPR. Amongst other things, the BDP Code
provides the following:
(a) How privacy ought to be taken into
consideration from the outset of a big data
protection project: principles and procedures
to ensure compliance such as privacy by
design, accountability, data protection, impact
assessment and the use of dissociated data.
(b) Practical advice and measures to improve
privacy and security in big data projects:
amongst other measures, minimise the
amount of personal data in big data projects;
process personal data at the highest possible
level of aggregation and with the least amount
of detail; protect personal data and its
interrelationships in a way that makes it
invisible to users; inform data subjects
adequately on how data subjects can exercise
their rights and know the processing of their
data at all times; implement a privacy policy
that is compatible with legal requirements;
and demonstrate compliance with the privacy
policy and any applicable legal requirements.
Germany
On 12 May 2017, the Federal Council adopted a
draft bill for a new Federal Data Protection Act in
light of the entry into force of the GDPR (Bill). The
Bill requires the signature of the President of
Germany before becoming law. Once this Bill is
signed, Germany will be the first EU Member State
to formally adopt legislation to implement the
GDPR.
Italy
On 28 April 2017, the Italian Data Protection
Authority issued guidance on the GDPR
(Guidance). This Guidance provides more insight
in relation to the following six areas:
(a) the legal grounds for data processing;
(b) information notices;
(c) data subjects’ rights;
(d) the relationship and responsibilities between
data controllers and data processors;
(e) the adoption of a risk-based approach and
accountability; and
(f) cross-border data transfers.
Bavaria
On 24 May 2017, the Bavarian Data Protection
Authority published a questionnaire, which seeks
to assist companies in assessing their level of
implementation of the GDPR. Amongst other
things, the questionnaire examines the following:
(a) procedures relating to the GDPR and the
DPO’s responsibilities;
(b) data processing activities, inventories and
privacy by design;
(c) issues surrounding external vendors and data
processing agreements;
(d) transparency, privacy notices and individuals’
rights;
(e) accountability, the risk-based approach and
security measures; and
(f) data breach notification.
United Kingdom
On 2 April 2017, the Information Commissioner’s
Office (ICO) released a consultation paper for UK
organisations to comment on how the new
profiling provisions under the GDPR could be
interpreted and applied. Profiling under the
GDPR is the automated processing of
personal data to evaluate personal aspects of an
individual, particularly to analyse or predict
professional performance, economic situation,
personal preferences, reliability, behaviour, location
or movements. In particular, the GDPR regulates
profiling and introduces new obligations for data
controllers in relation to profile creation and
automated decision-making.
In addition, on 12 April 2017, the Department for
Culture, Media & Sport released a consultation
paper for organisations to comment on the
derogations (i.e., exemptions) within the GDPR.
These derogations relate to the following themes:
(a) supervisory authority;
(b) sanctions;
(c) demonstrating compliance;
(d) data protection officers;
(e) archiving and research;
(f) third country transfers;
(g) sensitive personal data and exceptions;
(h) criminal convictions;
(i) rights and remedies;
(j) processing of children’s personal data by
online services;
(k) freedom of expression in the media;
(l) processing of data;
(m) restrictions;
(n) rules surrounding churches and religious
associations; and
(o) the steps the UK Government should take to
minimise the cost or burden to businesses
due to the GDPR.
UNITED KINGDOM
UK’s ICO fines lawyer who stored client files on home computer
On 10 March 2017, the ICO issued a monetary
penalty of £1,000 to a senior barrister who
specialises in family law for a breach of the
seventh data protection principle set out in Part I
of Schedule 1 to the Data Protection Act 1998
(DPA 1998), which provides that appropriate
technical and organisational measures shall be
taken against unauthorised or unlawful processing
of personal data and against accidental loss or
destruction of, or damage to, personal data
(Seventh DP Principle).
Background
On 19 September 2015, the senior barrister’s
husband temporarily uploaded 725 unencrypted
files to an online directory as a backup during a
software upgrade of her desktop computer.
Notably, these unencrypted files were visible to an
internet search engine. Fifteen of these files were
cached and indexed and were thus easily
accessible by searching for a recognisable word.
</gml_replace>
<gr_replace lines="1697-1698" cat="clarify" orig="(a) The senior">
(a) The senior barrister’s full cooperation with the
ICO.
Furthermore, 6 of the 15 documents contained
confidential and highly sensitive information
relating to lay clients who were involved in
proceedings in the Court of Protection and the
Family Court. In total, up to 250 people, including
vulnerable adults and children, were affected by
this incident.
ICO’s Findings
The ICO found that there was an ongoing
contravention of the Seventh DP Principle from
January 2013 until 5 January 2016 when remedial
action was taken.
The ICO was of the view that the contravention
was serious, due to the nature of the personal
data that was contained in the files, the number of
affected individuals and the potential
consequences. As to whether this contravention
would likely cause substantial distress to the
senior barrister’s clients, the ICO was of the view
that it was likely, due to the confidential and highly
sensitive nature of the information contained in the
files. As to whether this contravention was
deliberate or foreseeable, the ICO considered that
it was a serious oversight on the part of the senior
barrister rather than a deliberate intent to ignore or
bypass provisions of the DPA 1998. Furthermore,
the ICO noted that the senior barrister could have
taken reasonable steps to prevent the
contravention but did not, in particular, encrypt the
files on her home desktop computer,
notwithstanding the fact that in January 2013, the
Bar Council and the senior barrister’s employer
issued guidance to barristers that a shared
computer may require the encryption of specific
files in order to prevent the unauthorised access to
confidential information by shared users.
In considering the quantum of the penalty, the ICO
took into consideration the following two mitigating
factors:
(a) The senior barrister’s full-cooperation with the
ICO.
(b) That remedial action had been taken as of 5
January 2016.
ICO issues record fine of £400,000 for firm behind nearly 100 million nuisance calls
On 3 May 2017, the ICO issued a monetary
penalty of £400,000 to Keurboom
Communications Ltd (Keurboom), which utilised
an automated calling system for the purpose of
making recorded direct marketing calls, contrary to
regulation 19 of the Privacy and Electronic
Communications Regulations (PECR) which
provides that a person shall neither transmit, nor
instigate the transmission of, communications
comprising recorded matter for direct marketing
purposes by means of an automated calling
system except in the circumstances where the
called line is that of a subscriber who has
previously notified the caller that for the time being
he/she consents to such communications being
sent by, or at the instigation of, the caller on that
line.
This is the highest fine ever issued by the ICO for
nuisance calls.
Background
Amongst other services, Keurboom provides
telephony services including “voice broadcasting”
to companies in order to generate leads to
maximise potential sales. Between 29 April 2015
and 7 June 2016, the ICO received 1,036
complaints in relation to automated calls that were
made over an 18-month period. Some of these
complainants received repeat calls (sometimes on
the same day) and calls during unsocial hours.
Generally, these calls were mainly in relation to
road traffic accident claims and payment
protection insurance compensation; were
misleading as they gave the impression that the
calls were urgent; did not identify the sender; and
offered an option to be connected to a person or to
suppress further calls, which was not always
effective.
ICO’s Findings
The ICO found that between 6 April 2015 and 31
March 2016, 91,497,411 outbound calls were
made using lines allocated to Keurboom, without
the prior consent of these subscribers.
The ICO was of the view that the contravention
was serious due to the number of calls, the nature
of the calls, the time that the calls were made and
the fact that repeat calls were made to
subscribers. As to whether this contravention was
deliberate or foreseeable, the ICO considered that
it was deliberate on the part of Keurboom to send
or instigate automated marketing calls on a
massive scale to subscribers. The ICO further
found that Keurboom had also contravened
regulation 24 of the PECR, as Keurboom did not
identify the person sending the automated
marketing calls, nor provide the address of that
person or a telephone number on which that
person could be reached free of charge.
In considering the quantum of the penalty, the ICO
further took into consideration the following two
aggravating factors:
(a) Keurboom’s lack of cooperation with the
ICO’s investigations.
(b) Keurboom may have obtained a commercial
advantage over its competitors by generating
leads from unlawful marketing practices.
ICO announces formal investigation into the use of data analytics for political purposes
On 17 May 2017, the ICO announced the
commencement of a formal investigation into the
use of data analytics for political purposes.
The reasons driving this investigation include the
following:
(a) Engagement with the electorate is vital to the
democratic process.
(b) The public has the right to expect that political
campaigns are conducted in accordance with
the laws related to data protection and
electronic marketing.
(c) Data analytics have a significant potential
impact on individuals’ privacy, and so greater
transparency about the use of data analytics
is required to ensure that people have control
over their own data.
In terms of the methodology in carrying out this
formal investigation, the ICO intends to consider
the following:
(a) Practices deployed during the UK’s European
Union Referendum campaign.
(b) Potentially, practices deployed during other
campaigns.
(c) Given the transnational nature of data, the
practices of companies operating
internationally with impact or handling of data
in the UK.
The ICO envisions that an update with respect to
the formal investigation would be available later in
the year.
ICO issues fines against 11 charities totalling £138,000 for misusing information from past donors for the purpose of receiving further funds
On 5 April 2017, the ICO announced that it has
fined 11 charities for breaches of their obligations
under the DPA 1998. These fines follow the fines
issued to two other charities (i.e., the Royal
Society for the Prevention of Cruelty to Animals
was issued with a £25,000 fine and the British
Heart Foundation was issued with a £18,000 fine)
in December 2016.
The ICO’s investigation between 2015 and 2017
revealed that the 11 charities had been:
(a) Ranking donors based on wealth: some
charities hire companies to investigate
income, lifestyle, property values, and a
person’s friendship circle in order to find the
most wealthy and valuable donors; and these
companies identify donors they believe
charities should target because they are most
likely to leave monies in their wills.
(b) Finding out information that donors did not
provide: some charities hire companies to
update information and/or find missing
information in their databases; and/or
(c) Sharing personal data with other charities for
any purpose and with no record: some
charities exchange donor information with
other charities through an external
organisation to get details of prospective
donors.
The charities and their breaches are as follows:
(a) Battersea Dogs’ and Cats’ Home: fine of
£9,000 issued for trying to find out information
that was not provided by donors a total of
740,181 times between 2011 and 2015.
(b) Cancer Research UK: fine of £16,000 issued
for ranking 3,523,566 donors based on wealth
between 2010 and 2016; and trying to find out
information that was not provided by donors
by matching 678,887 telephone numbers to
these donors between 2011 and 2016.
(c) Cancer Support UK (formerly Cancer
Recovery Foundation UK): fine of £16,000
issued for sharing of 3,075,550 records with
organisations including a health supplements
company, and lottery and prize promotion
companies between 2010 and 2016.
(d) Great Ormond Street Hospital Children’s
Charity: fine of £11,000 issued for sharing
910,283 records between 2011 and 2015;
sending an average of 795,000 records per
month to a wealth screen company between
2010 and 2016; and finding out information
that was not provided by donors by matching
103,500 email addresses and 208,000 dates
of birth to donors.
(e) Macmillan Cancer Support: fine of £14,000
issued for ranking 2,188,508 donors based on
wealth between 2009 and 2014; and finding
out information that was not provided by
several hundred thousand donors since 2009;
(f) Oxfam: fine of £6,000 issued for finding out
information that was not provided by sending
marketing text messages in response to text
messages making donations between 2013
and 2015.
(g) The Guide Dogs for the Blind Association: fine
of £15,000 issued for ranking 1,770,221
donors based on wealth between 2008 and
2015; finding out information that was not
provided by donors by matching 248,094
telephone numbers to donors between 2010
and 2016; and also using this approach to
identify supporters who had not agreed to gift
aid their donations to the charity but had done
so for other charities between 2014 and 2015.
(h) The International Fund for Animal Welfare:
fine of £18,000 issued for sharing 4,948,633
records between 2011 and 2015; ranking
donors based on wealth between 2007 and
2009; ranking 466,206 donors based on
wealth between 2012 and 2013; finding out
information that was not provided by donors
by matching 220,286 telephone numbers to
donors between 2006 and 2016 and 50,282
email addresses to donors between 2012 and
2013; and emailing donors without their
consent.
(i) The National Society for the Prevention of
Cruelty to Children: fine of £12,000 issued for
not informing 22,608 donors between 2014
and 2015 that their personal data collected
would be used for marketing purposes by
telephone and mail; finding out information
that was not provided by donors by matching
246,751 telephone numbers to donors and
115,741 email addresses to donors between
2010 and 2016; and ranking 5,870,135
donors based on wealth in 2014.
(j) The Royal British Legion: fine of £12,000
issued for ranking 1,499,799, 1,478,279 and
2,455,670 donors based on wealth in 2010,
2012 and 2014 respectively; and finding out
information that was not provided by donors
by matching 900,000 telephone numbers to
donors and 52,966 email addresses to donors
between 2010 and 2016.
(k) WWF-UK: fine of £9,000 issued for sharing
174,512 donor records between 2012 and
2015; ranking 643,531 donors based on
wealth in 2006, 2011 and 2016; and finding
out information that was not provided by
55,684 donors.
Notably, these fines do not reflect the severity of
the offences committed by the charities, as the ICO
is of the view that depriving charities of large sums
would only inflict further distress on donors and
has therefore significantly reduced the quantum of
the fines.
On a related note, the Charity Commission for
England and Wales is currently contemplating
whether further action should be taken against
individual trustees.
UK’s National Data Guardian (NDG) criticised the transfer of 1.6 million patient records from the Royal Free Hospital to Google’s artificial intelligence company, DeepMind Health (DeepMind), as having an “inappropriate legal basis”
DeepMind received 1.6 million identifiable
personal medical records pursuant to a data
sharing agreement between the Royal Free
National Health Service Trust in London (Trust)
and DeepMind. On 16 May 2017, the NDG, Dame
Fiona Caldicott, who advises and challenges the
UK health and social care system to help ensure
that the confidential information of citizens is used
properly and safeguarded securely, criticised the
transfer as having been conducted on an
“inappropriate legal basis”.
The Trust informed NDG that it had implied
consent to share the data with DeepMind as the
initial legal basis for the transfer of these records
was for the data to be used for the purposes of
“direct care” of the patients. However, during the
pilot test of an app called Streams that could
potentially assist to diagnose acute kidney injuries
in National Health Service patients, it appears that
the main goal was to ensure that the app was
functioning well and not to assist in the direct care
of patients. As such, NDG is of the view that, given
that Streams was going through testing, any role
that Streams might have played in supporting the
provision of direct care would have been limited
and secondary to the purpose of the data transfer.
While the NDG is not an independent regulator,
Caldicott’s opinion has informed an investigation
into this matter conducted by the ICO. In May
2017, the ICO stated that the investigation
is close to its conclusion.
UNITED STATES
Trump signs repeal of broadband privacy rules
On 3 April 2017, US president Donald Trump
signed into law a bill that reverses the Federal
Communications Commission (FCC) broadband
privacy rules (FCC Rules), which were adopted
during the previous Obama administration. The
repealed privacy rules required Internet Service
Providers (ISPs) in the United States, such as
Verizon, Comcast and AT&T, to obtain their
customers’ consent prior to the collection, use and
sharing of their customers’ personal information,
amongst other data-related rules.
Opponents of the repealed FCC Rules argued that
the privacy rules created an uneven regulatory
landscape that applied differently to ISPs and
other website operators, where website operators
were only required to comply with the less strict
regulatory regime under the oversight of the
Federal Trade Commission (FTC), which is
enforced on an ex post, case-by-case basis.
Under the repealed FCC rules, ISPs were required
to obtain customer consent prior to using their
customer data for targeted advertising practices,
which were widely used by advertising giants such
as Google and Facebook without the need for
additional consumer consent. In addition, the
requirement for customer consent extended to
categories of information such as web browsing
history, communications content and application
usage history, which are not regulated under the
FTC framework. Moreover, making customer
consent a condition for the offer of broadband
services was prohibited under the FCC
regulations but is permitted under the FTC
guidelines. With the repeal of the FCC regulations,
privacy issues in the offer of broadband access
would be regulated under the general FTC
regulatory regime.
Copyright in this publication is owned by Drew & Napier LLC. This publication may not be reproduced or transmitted in any form or by any means, in whole or in part, without prior written approval. Drew & Napier LLC accepts no liability for, and does not guarantee the accuracy of information or opinion contained in this publication. This publication covers a wide range of topics and is not intended to be a comprehensive study of the subjects covered nor is it intended to provide legal advice. It should not be treated as a substitute for specific advice on specific situations.
The Drew & Napier Telecommunications, Media and Technology Team
Lim Chong Kin
Director and Head of TMT Practice Group
Chong Kin practices corporate and commercial law with strong emphasis in the
specialist areas of TMT law and competition law. He regularly advises on regulatory,
licensing, competition and market access issues. Apart from his expertise in drafting
“first-of-its-kind” competition legislation, Chong Kin also has broad experience in
corporate and commercial transactions including mergers and acquisitions. He is
widely regarded as a pioneer in competition practice in Singapore and the leading
practitioner on TMT and regulatory work. Chong Kin has won plaudits for his
“excellent legal knowledge and in-depth understanding of the regulator” (Asia
Pacific Legal 500 2017); has been recognised as “incisive, insightful and
knowledgeable” (Chambers Asia Pacific 2017: Band 1 for TMT); and has been endorsed for his
excellence in regulatory work and competition matters: Practical Law Company’s Which Lawyer Survey
2011/2012; Who’s Who Legal: TMT 2016 and Who’s Who Legal: Competition 2016. Asialaw Profiles
2017 notes: “'He’s provided excellent client service and demonstrated depth of knowledge.”
Tel: +65 6531 4110 Fax: +65 6535 4864 Email: [email protected]
Charmian Aw
Director
Charmian is a Director in Drew & Napier’s TMT Practice Group. She is frequently
involved in advising companies on a wide range of corporate, commercial and
regulatory issues in Singapore. Charmian has also been actively involved in
assisting companies on Singapore data protection law compliance, including
reviewing contractual agreements and policies, conducting trainings and audits, as
well as advising on enforcement issues relating to security, access, monitoring, and
data breaches. Charmian is “recommended for corporate-related TMT and data
privacy work” by The Asia Pacific Legal 500 2016, and a Leading Lawyer in Who’s
Who Legal TMT 2016. In 2015, she was listed as one of 40 bright legal minds and
influential lawyers under the age of 40 by Asian Legal Business and Singapore Business Review
respectively. Charmian is a Certified Information Privacy Professional for Europe, the United States, and
Asia (CIPP/E, CIPP/US, CIPP/A), and is currently a co-chair of the International Association of Privacy
Professionals (IAPP) KnowledgeNet chapter in Singapore.
Tel: +65 6531 2235 Fax: +65 6535 4864 Email: [email protected]