Chapter 10
International Cybersecurity Law

CHAPTER MENU

  1. European Union
  2. Canada
  3. China
  4. Mexico
  5. Japan

 

The preceding chapters focused primarily on the cybersecurity obligations that U.S. companies face within the United States. However, many U.S. companies must worry not only about U.S. laws and regulations but about the laws and regulations of other nations. In this chapter, we review the primary cybersecurity laws of the five largest U.S. trading partners: the European Union, Canada, China, Mexico, and Japan.

As this chapter demonstrates, other jurisdictions have more clearly articulated a comprehensive data security and privacy legal framework than the United States has done. The U.S. cybersecurity and privacy laws often vary by sector (and, in some cases, by state), while other large countries have adopted across-the-board laws that severely restrict the collection, storage, use, and disclosure of personal information.

At the outset, many of the other jurisdictions' laws, unlike many of those in the United States, focus on the terms “data controller” and “data processor.” This is a key distinction that, under many of these laws, affects the legal responsibilities of companies. The definitions vary by jurisdiction, but the easiest way to generally view this distinction is that data controllers help determine precisely how data is used, distributed, shared, collected, or otherwise processed, while data processors merely follow instructions from the data controllers. For instance, an employer that collects tax information from its employees is a data controller. The third-party payroll company that issues the employer's paychecks likely is a data processor. In many countries, the data controller is responsible for the practices of the data processor.

This chapter is intended to be a high-level overview of the cybersecurity legal frameworks in these countries, to provide U.S. businesses with a general understanding of their obligations. In some cases, the chapter is based on English translations of laws and regulations that are published primarily in foreign languages. Moreover, there may be additional local and regional laws that alter a particular company's responsibilities. Accordingly, companies should consult with local counsel about the legal requirements.

10.1 European Union

In 2016, the European Union replaced its 1995 privacy law, Directive 95/46/EC of the European Parliament, with the General Data Protection Regulation (GDPR). The GDPR, like the 1995 Directive, sets the general framework for privacy and data security laws that member states must eventually adopt.

Europe views privacy as a fundamental human right, and therefore its requirements for privacy and data security generally are more stringent than those in the United States. This section first will outline the key components of the GDPR, and then it will examine the methods by which U.S. companies can obtain legal approval to process the data of EU residents.

GDPR applies to the processing (i.e., collecting, using, storing, or disclosing) of “personal data” of EU residents, regardless of whether that processing occurs in the European Union or another jurisdiction. GDPR broadly defines “personal data” as “any information that is relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person[.]”1 In other words, information may be personal data even if it does not contain the individual's name, provided that the individual could be identified by that data. For instance, information about the income of an individual who lives at a particular address likely would be considered personal data, even if the individual's name was not used, because that information could be traced to the individual who lives at that address.

The GDPR applies to two general types of companies: controllers (the entity that “determines the purposes and means of the processing of personal data”) and processors (the entity that “processes personal data on behalf of the controller”). Controllers are responsible for ensuring that their processors provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements” of the GDPR.2

GDPR imposes the following general principles for the processing of personal data:

  • Lawfulness, fairness, and transparency. Companies must employ lawful, fair, and transparent processing of personal data.
  • Purpose limitation. Companies must collect personal information for legitimate and specific purposes. Companies must explicitly state the purposes for which they are collecting personal data, and may not expand upon those uses.
  • Data minimization. Companies must collect only what is necessary for the stated purposes.
  • Accuracy. Companies must take “every reasonable step” to ensure accurate and updated personal data.
  • Storage limitation. Companies must keep personal data in a form that permits identification of data subjects only for as long as necessary to achieve the stated purposes.
  • Integrity and confidentiality. Companies must protect data from unauthorized access, loss, or destruction via “appropriate technical or organizational measures.”3

Processing of personal data is lawful only if one of the following conditions is satisfied:

  • The individual has provided consent to processing the personal data. If the data subject provides consent via a written declaration, that consent must be “clearly distinguishable” from other issues, intelligible, and easily accessible. Individuals must be able to revoke their consent at any time. Parents must provide consent for children under 16.
  • The individual is subject to a contract for which processing is necessary.
  • Processing is necessary for the controller of the data to comply with a legal obligation.
  • Processing is necessary to protect “the vital interests of the data subject or of another natural person.”
  • Processing is necessary to perform a task in the public interest or under the data controller's official authority.
  • Processing is necessary for the legitimate interests of the data controller or a third party, provided that those interests do not override the fundamental rights and freedoms of the data subject.4

GDPR imposes additional restrictions on the processing of “special categories” of particularly sensitive data, which it defines as data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation[.]”5 Typically, the data may be processed only if the individual has provided explicit consent for the processing of that sensitive data, or if another narrow exception applies.6

The processing of personal data must further be “transparent.” If the personal data is collected from the data subject, the company must clearly and intelligibly provide the data subject with the following information:

  • The contact information for the data controller and, if applicable, its data protection officer.
  • The purposes for the processing and legal basis, and, if applicable, the legitimate interests that the controller or a third party is pursuing.
  • The recipients or categories of recipients of the personal data.
  • If the data controller plans to transfer the personal data to another jurisdiction.
  • The length of time the personal data will be stored.
  • The right to request access to and erasure of personal data.
  • The right to withdraw consent under certain circumstances.
  • The right to complain to a supervisory authority.
  • Whether the provision of the personal data is required by statute or contract and the consequences of the data subject's failure to provide the personal data.
  • Existence of automated decision-making, such as profiling.7

Among the most discussed provisions of the GDPR is Article 17, which provides a “right to be forgotten.” Under this provision, data subjects have a qualified right to request that data controllers erase personal data if they can demonstrate that one of the following circumstances exists:

  • The personal data is no longer necessary to serve the purposes for which it was collected or processed.
  • The data subject has withdrawn the consent that allowed the personal data to be collected and there are no other grounds for processing.
  • The data subject objects and the controller fails to demonstrate “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.”
  • The personal data was processed unlawfully.
  • The EU or member state requires erasure under a different law.
  • The personal data was collected from a child under 16 for information services.8

The GDPR states that controllers are not required to delete data if processing is necessary “for exercising the right of freedom of expression and information.”9 This reflects the EU belief that the right to be forgotten request must balance, on one hand, the right of individual privacy and, on the other hand, the right to free speech.

The GDPR does not explicitly state the specific data security measures that companies must implement for personal data. Rather, it instructs controllers and processors to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” Among the considerations that the GDPR suggests that companies apply when making these determinations are:

  • pseudonymization and encryption of personal data;
  • safeguarding the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • guaranteeing to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • regular testing of technical and organizational security measures.10

Significant among the additions in the GDPR is a data breach notification requirement (long a feature of U.S. law, as discussed in Chapter 1). If a company experiences a breach of personal data, the controller must without undue delay, and, if feasible, within seventy-two hours, notify government regulators.11 If the controller fails to notify the government within seventy-two hours, it must provide a reason for the delay.

The notification to regulators must contain the following information:

  • Nature of the data breach.
  • Categories and number of data subjects.
  • Categories and number of personal data records involved.
  • Name and contact details of the controller's data protection officer and other contact points.
  • Likely consequences of the breach.
  • Measures taken to mitigate the adverse effects of the breach.12

Controllers also are required to notify individuals of data breaches if they determine that the breach “is likely to result in a high risk to the rights and freedoms of the individuals.”13 The GDPR does not require the notices to be sent within a specified time period, but rather states that individuals should be notified “without undue delay.” The individual notices must contain all of the information that must be sent to regulators, except for the description of the nature of the breach and categories and number of data subjects and personal data records.14

Notification to individuals is not required under one of the following circumstances:

  • The controller had implemented encryption or other safeguards that render the personal data unintelligible.
  • The controller took subsequent measures that “ensure that the high risk to the rights and freedoms of data subjects” likely will not materialize.
  • The individual notices would “involve disproportionate effort.” In this case, the controller must provide the notice via a public communication.15

For U.S. companies, perhaps the biggest concern in the GDPR (as in the earlier 1995 Directive) is the restriction of transfers of Europeans' personal data to third countries. Europeans' personal information may only be transferred to a company outside of the European Union if one of the following circumstances exists:

  • The nation to which the data is being transferred has been deemed by the European Commission to have “adequate” protection for personal data. The Commission makes this determination based on its evaluation of the nation's rule of law, respect for human rights, data protection regulation, and international commitments regarding personal data. The European Commission has set a very high bar for adequacy and, as of 2016, has only found the following jurisdictions to be adequate: Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.
  • The foreign company has adopted binding corporate rules that impose significant restrictions (similar to those in the GDPR) on personal data processing.
  • The foreign company agrees to handle the Europeans' data pursuant to standard contractual clauses that have been adopted by the European Commission.
  • The foreign company agrees to “binding and enforceable commitments” regarding safeguards and data subjects' rights via an approved code of conduct or certification mechanism.

Many U.S. companies had long used a certification program known as “Safe Harbor” to process data of European residents. The Safe Harbor framework, which was negotiated by U.S. and EU officials, required U.S. companies to self-certify that they complied with specified data protection principles. However, in October 2015, the Court of Justice of the European Union struck down the Safe Harbor program,16 concluding that U.S. government foreign intelligence surveillance programs revealed by Edward Snowden rendered the Safe Harbor's protections inadequate.

Because so many U.S. companies relied on the Safe Harbor framework to conduct business with Europe, government officials throughout the United States and European Union quickly began negotiating a new certification framework to replace Safe Harbor. The result is a new arrangement known as the Privacy Shield, which the European Commission approved in July 2016.

The Privacy Shield requires participating U.S. companies to adhere to the following privacy principles:

  • Notice. Companies must inform data subjects about the type of data collected, purposes, right of access, choice, and other elements regarding the processing.17
  • Choice. Individuals must have an opportunity to opt out of processing that is materially different from the original purpose. Individuals must be provided opt-in choices for sensitive information.
  • Data integrity and purpose limitation. Companies must limit their processing of personal data to the stated purpose, and may not maintain information that identifies an individual once the data no longer serves the stated purpose.
  • Security. Companies must implement “reasonable and appropriate” security measures and contractually require service providers to do the same.
  • Access. Data subjects have the right to access their personal information, though this access may be limited “in exceptional circumstances.” Individuals may correct, amend or delete inaccurate information.
  • Recourse, enforcement, and liability. Companies must ensure compliance with the Privacy Shield and annually certify their compliance. Companies also must implement redress procedures to handle complaints about their personal data processing. This compliance is subject to investigation and enforcement by U.S. regulators.
  • Accountability for onward transfer. Before transferring Europeans' data to another country, the U.S. company must ensure that adequate protections are in place to guarantee the same level of protection as the Privacy Shield.18

To address the concerns about U.S. government surveillance that led to the invalidation of the Safe Harbor agreement, the United States agreed to limits on and oversight of its surveillance programs, and to a redress mechanism for EU residents.

10.2 Canada

Canada's primary privacy and data security law is the Personal Information Protection and Electronic Documents Act (PIPEDA). Unlike the U.S. patchwork of industry-specific privacy and data security laws, PIPEDA sets a national standard for the use, disclosure, and protection of identifiable information about a Canadian resident.

PIPEDA's requirements are divided into ten principles:

  • Accountability. Companies must assign responsibility for privacy and data security compliance to specified employees (e.g., chief privacy officers and chief information security officers), and provide the identity of these employees upon request. Companies must contractually require that their service providers protect Canadians' personal information. Companies also are required to develop procedures to protect personal information and respond to complaints and inquiries, train staff regarding these procedures, and explain the company's personal information policies and procedures.19
  • Identifying purposes. Companies must identify the purposes for which they collect personal information at or before the time of collection. PIPEDA allows companies to communicate the purpose orally or in writing. To use information for a new purpose that was not identified at collection, companies must obtain the individual's consent for the new purpose.20
  • Consent. With some exceptions, companies must obtain knowing consent of individuals before collecting, using, or disclosing their personal information. Companies generally should obtain consent at the time of data collection. The law allows companies to obtain consent via a number of methods, including an application form, a checkoff box, orally, or at the time that the individuals use the company's product or service. PIPEDA allows limited exceptions to the consent requirement, including legal, medical, and security reasons.21
  • Limiting collection. Companies may only collect personal information that is “necessary for the purposes identified by the organization.” This applies both to the volume and types of information that companies collect. For instance, if a company collects personal information in order to provide telecommunications services, it likely cannot justify collecting customers' health information. Companies also must collect information by “fair and lawful means.” In other words, they cannot deceive customers to obtain the information, and they must comply with all other legal requirements.22
  • Limiting use, disclosure, and retention. Companies may only disclose and use personal information for the stated purposes. For example, if a retailer obtains a customer's address in order to process a purchase, it may not sell that information to a third-party marketing firm unless that purpose was explicitly stated (and consent was obtained). Companies also must dispose of personal information once it is no longer necessary.23
  • Accuracy. Companies must ensure that the personal information that they maintain is updated, complete, and accurate. This principle is intended to reduce the likelihood that a decision about an individual (e.g., an employment offer or credit approval) is made based on inaccurate information.24
  • Safeguards. While many of the principles focus more on privacy concerns with personal information, this principle is more directly targeted toward data security. The principle generally requires companies to protect personal information with security safeguards that are “appropriate to the sensitivity of the information.” Companies should implement three types of safeguards: (1) physical measures (e.g., limiting access to offices where personal information is stored), (2) organizational measures (e.g., requiring background checks for employees who have access to particularly sensitive personal information), and (3) technological measures (e.g., encryption). The statute requires companies to ensure that employees understand that they must protect the confidentiality of all personal information.25

The Privacy Commissioner of Canada, which oversees PIPEDA's implementation, stated that the following are examples of “reasonable” safeguards:

  • Risk management
  • Security policies
  • Human resources security
  • Physical security
  • Technical security
  • Incident management
  • Business continuity planning.26

The Privacy Commissioner suggests that companies consider the following factors when assessing the reasonableness of security safeguards:

  • Sensitivity of the personal information
  • Foreseeable risks
  • Likelihood of damage occurring
  • Medium and format of the record containing the personal information
  • Potential harm that could be caused by an incident
  • Cost of preventative measures.27

The remaining PIPEDA principles are as follows:

  • Openness. Companies must openly tell individuals how they handle personal information. The statute encourages companies to use a “generally understandable” form that includes: the contact information for the employee who is responsible for personal information policies and practices and receives complaints; how to access personal information; a description of the categories of personal information that the company maintains, and how it uses that information; any brochures or other documents that describe personal information policies at the company; and the personal information that is provided to related organizations. The notice about its privacy practices may be made online, provided over the phone, communicated via a brochure, or other methods.28
  • Individual access. If a Canadian resident requests the personal information that a company has maintained, used, or disclosed about that resident, the company must provide that information to the individual, allowing the individual to challenge the information's accuracy and completeness. The statute allows some exceptions to this requirement, such as instances in which it would be “prohibitively costly” to provide the personal information to the individual, if there are legal restrictions on the disclosure, or if the information contains personal information about other individuals. If the company fails to satisfactorily resolve the individual's concerns about completeness and accuracy, the company must document those concerns and transmit them to any third parties that have access to the personal information.29
  • Challenging compliance. Canada provides individuals with the right to challenge companies' compliance with PIPEDA. This is a marked difference from many U.S. federal privacy laws, such as Section 5 of the FTC Act and HIPAA, which are enforceable only by federal agencies. In Canada, companies must implement a complaint process and make those procedures easily available to individuals. Companies are required to investigate all complaints and take appropriate measures to rectify any valid concerns.30

In 2015, Canada amended PIPEDA to require data breach notifications. If a company determines that a data breach “creates a real risk of significant harm to an individual,” it must file a report with the Privacy Commissioner and notify the individual.31 PIPEDA defines “significant harm” as including “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”32 In determining whether a real risk of significant harm arose from a data breach, PIPEDA instructs companies to consider the sensitivity of the breached personal information, the probability that the information has been or will be misused, and any other prescribed factors.33

The breach notice must “contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm.”34 Notice must be provided “as soon as feasible” after the company determines that a breach has occurred.

Three provinces – Alberta, Quebec, and British Columbia – are not covered by PIPEDA because they have passed separate privacy and data security laws. These laws are substantially similar to PIPEDA and rely on the same basic concepts such as purpose limitation, consent, and openness.35

10.3 China

Although China has enacted some privacy and data security laws, it is unclear how aggressively the government or courts will enforce those laws, as China does not have government regulators as dedicated to data protection and privacy as those in the European Union and Canada. Indeed, China has long faced criticism for the restrictions that it places on individuals' use of the Internet.36 Nonetheless, there are a number of privacy and data security laws that apply to companies doing business in China, and the government has proposed further restrictions.

In 2012, a significant statement about privacy from the Chinese government came from the Standing Committee of the National People's Congress. The Standing Committee issued the Decision on Strengthening Network Information Protection, which imposed new privacy obligations on certain companies.37 It is unclear precisely how broadly the decision is intended to apply. According to an unofficial English translation, the Decision applies to “internet service providers and other enterprises and institutions that collect or use citizens' personal electronic information in the course of their business.”38 The Decision requires these companies to “abide by the principles of legality, legitimacy, and necessity,” and to “clearly indicate the objective, methods, and scope of collection and use of information, and obtain agreement from the person whose data is collected[.]”39 The Decision also requires covered companies to “strictly preserve the secrecy of citizens' individual electronic information they collect in their business activities,” and states that companies may not “divulge, distort, or damage” the data or “sell or illegally provide” the data to other persons. Covered companies are required to “adopt technological measures and other necessary measures to ensure information security and prevent […] citizens' individual electronic information collected during business activities [from being] divulged, damaged, or lost.”40

In a 2015 report, European privacy experts criticized the “easily evident” shortcomings of the 2012 China decision, as compared with the EU data protection regime: “[I]t is lacking in scope (Internet only), in enforcement mechanism (none whatsoever), in basic data subject rights (none whatsoever), as well as, in its principle-setting (their list does not include all of the principles in the EU data protection approach).”41 The EU report did, however, concede that if the China Decision is seen as a “first attempt” at data protection, “then the Decision does present certain merits, mostly in the form of basic data protection elements that may be found in its text.”42

In 2013, China amended its Consumer Protection Law to reiterate the privacy principles of the Standing Committee's 2012 Decision and to impose restrictions on companies that collect and use the personal information of Chinese residents. According to an unofficial translation, the amendment states, in relevant part:

Proprietors collecting and using consumers' personal information shall abide by principles of legality, propriety and necessity, explicitly stating the purposes, means and scope for collecting or using information, and obtaining the consumers' consent. Proprietors collecting or using consumers' personal information shall disclose their rules for their collection or use of this information, and must not collect or use information in violation of laws, regulations or agreements between the parties.

Proprietors and their employees must keep consumers' personal information they collect strictly confidential and must not disclose, sell, or illegally provide it to others. Proprietors shall employ technical measures and other necessary measures to ensure information security, and to prevent consumers' personal information from being disclosed or lost. In situations where information has been or might be disclosed or lost, proprietors shall immediately adopt remedial measures.

Proprietors must not send commercial information to consumers without their consent or upon their request of consumers, or where they have clearly refused it.43

These amendments to the Consumer Protection Law impose fairly stringent general restrictions on companies that handle personal information, similar to the principles in the European Union's GDPR. However, some commentators have questioned how aggressively this law can be enforced, as China does not have data protection authorities similar to those in the European Union.44

In 2013, China expanded on its expectations for Internet and telecommunications companies' handling of personal information when China's Ministry of Industry and Information Technology released the Information Security Technology Guidelines for Personal Information Protection on Public and Commercial Service Information Systems.45 According to an unofficial English translation, the Guidelines define “personal information” as “[c]omputer data that is handled in computer systems that are related to a specific natural person, and that can be used independently or in combination with other information to distinguish that specific natural person.”46 The voluntary guidelines present eight principles that also look similar to those of the European Union:

  • Clear purpose. Companies must have a “specific, clear, and reasonable purpose” to handle personal information, and they may not alter that purpose unless the data subject is first made aware of the change.
  • Least sufficient use. Companies may only use “the smallest amount of information related to the purpose” that is necessary to accomplish the purpose, and must delete personal information “in the shortest time.”
  • Open notification. Companies must properly notify data subjects of their handling of personal information in “clear, easily understandable, and appropriate ways.”
  • Individual consent. Companies must obtain consent from data subjects before handling their personal information.
  • Quality guarantee. Companies must guarantee that they will keep personal information “secret, intact, and usable.”
  • Security guarantee. Companies must implement sufficient administrative and technical safeguards “that are suited to the possibility and gravity of harm to personal information, protecting personal information security, preventing retrieval or disclosure of information without the authorization of the personal information, and the loss, leakage, destruction, and alteration of personal information.”
  • Honest implementation. Companies must abide by the promises that they made regarding the handling of personal information.
  • Clear responsibilities. Companies must clarify the responsibilities for handling personal information and record handling processes so that they can be easily traced.47

Because these guidelines are voluntary, it is unclear what effect, if any, they will have in moving China toward an EU-style data protection regime.

Recently, the Standing Committee of the National People's Congress has proposed a more comprehensive cybersecurity law. The most recent development at the time of publication of this book was the June 2016 release of a Second Reading Draft of the law. The Standing Committee was still taking public comments, and therefore the legislation is subject to further change.

According to an unofficial English translation of the Second Draft of the Cybersecurity Law,48 the Standing Committee intends to “ensure network security, to preserve cyberspace sovereignty, national security and the societal public interest, to protect the lawful rights and interests of citizens, legal persons and other organizations, and to promote the healthy development of economic and social information.”49 The most pertinent requirement of the draft proposal is for the personal information of Chinese citizens, along with “other important business data gathered or produced by critical infrastructure operators,” to be stored within mainland China.50 The draft law also would require companies to take a number of general steps after a data breach, including an assessment, adoption of safeguards, and public notification, though the draft law does not specify details of those requirements.

10.4 Mexico

In 2010, Mexico enacted the Federal Law on the Protection of Personal Data Possessed by Private Persons. Many of the law's restrictions and rights are similar to those in the EU data protection regime, though they are not identical. A key difference is that, unlike the European Union, Mexico does not limit exports of personal information to countries deemed to have “adequate” privacy protections. Additionally, Mexico's law places a greater responsibility on data controllers, even when the data is in the hands of a third party.

Mexico's privacy law broadly applies to all private companies' processing and handling of Mexican residents' “personal data,” which the statute defines as “[a]ny information concerning an identified or identifiable individual.”51 Mexico's law requires data controllers to adhere to the following principles:

  • Legality/legitimacy. Controllers may not violate any legal restrictions on the collection and processing of personal data.52
  • Consent. In general, controllers must obtain consent from data subjects before their personal data is collected or processed. Consent may be inferred if the individual receives a privacy notice disclosing the processing and does not object. Otherwise, Mexico's law requires express consent, and it allows consent to be provided verbally, in writing, electronically, via other technology, or “by unmistakable indications.” Consent for financial or asset data processing must be provided expressly. Individuals may revoke consent at any time.53
    • Consent for sensitive personal data. The statute imposes more stringent consent requirements for the processing of “sensitive personal data,” which is defined as personal data “touching on the most private areas of the data owner's life, or whose misuse might lead to discrimination or involve a serious risk for said data owner.” Among the categories of personal data that the statute categorizes as sensitive are those that reveal race, ethnicity, health status, genetic information, religious beliefs, union membership, political views, and sexual preferences. For such sensitive personal data, controllers must obtain express written consent from the data owner via a signature, electronic signature, “or any authentication mechanism established for such purpose.”54
    • Exceptions to consent. The statute does not require consent in the following circumstances: (1) a law allows processing without consent, (2) the personal data is publicly available, (3) the data is subject to a “prior dissociation procedure,” (4) the processing fulfills a legal relationship between the data owner and controller, (5) there is an emergency situation that could harm an individual's person or property, (6) the processing is necessary for health treatment, or (7) a competent authority issues a resolution.
  • Notice/information. Controllers must provide a privacy notice that informs individuals “what information is collected on them and why.”55 Notices must contain (1) identity and domicile of the controller; (2) purposes for the processing of personal information; (3) options for data subjects to limit use or disclosure of the data; (4) procedures for individuals to exercise rights of access, rectification, cancellation, or objection; (5) if applicable, where the data will be transferred; and (6) how individuals will be notified of changes to the privacy notice.56
  • Quality. The controller is responsible for ensuring that the personal data is correct, up-to-date, and relevant. Once the data is no longer necessary for the purposes stated in the privacy notice, it must be deleted.57
  • Purpose. Personal data may only be processed for the purposes articulated in the privacy notice.58
  • Fidelity/loyalty. The law presumes a “reasonable expectation of privacy” in all instances in which personal data is processed, recognizing “the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by this Law.”59 The law prohibits companies from obtaining data deceptively or fraudulently.60
  • Proportionality. Personal data may only be processed “as necessary, appropriate and relevant with relation to the purposes set out in the privacy notice.” The statute explicitly requires controllers to “make reasonable efforts to limit the processing period” of sensitive personal data to the minimum required.61
  • Accountability. Data controllers are responsible for ensuring compliance with Mexico's privacy laws, even if the data is processed by a third party at the controller's request. The statute requires the controller to take “all necessary and sufficient action” to ensure that all third parties respect the privacy notice that has been provided to the individual.62

In addition to these general privacy-related principles, Mexico's privacy law requires all processors of personal data to implement physical, technical, and administrative data security safeguards.63 Although Mexico's privacy statute does not specify the necessary safeguards, the Ministry of the Economy has elaborated on the security requirements in regulations that implemented the statute.64

According to the regulations, data controllers must consider the following factors when determining security measures for personal data:

  • “Inherent risk” for the type of data
  • Sensitivity of the data
  • Technological development
  • Potential consequences for the individuals if the security is violated65

Controllers also should attempt to account for the number of data subjects whose personal information is stored, previous vulnerabilities that the controllers have encountered, the risk based on the value that the personal data might have to an unauthorized third party, and other factors that impact risk or result from other laws or regulations.66

The regulations state that controllers must take the following actions, at minimum, to secure personal data:

  • Inventory all processing systems and personal data.
  • Determine duties of personal data processors.
  • Conduct a risk analysis for personal data.
  • Establish security measures for personal data and evaluate the implementation of these measures.
  • Conduct a gap analysis to determine the necessary security measures that are missing.
  • Develop a plan to fill the gaps identified in the gap analysis.
  • Conduct security reviews and audits.
  • Provide data security training for all personnel who process personal data.
  • Maintain records of personal data storage media.67

Controllers are required to document all of these security measures, and to update them.68

If a breach occurs, the controller must undertake an “exhaustive review of the magnitude of the breach[.]”69 If the review concludes that the breach significantly prejudices the data subjects' property or rights, the controller is required to issue a breach notification to the data subject “without delay[.]”70 The notice must include, at minimum, (1) a description of the breach, (2) an inventory of the types of personal data that potentially were compromised, (3) recommendations for the data subject to protect his or her interests, (4) corrective actions that the data controller implemented immediately, and (5) instructions to obtain more information about the breach.71 The controller also is required to conduct a thorough analysis of the cause of the breach and implement “corrective, preventative, and improvement steps” to avoid another breach in the future.72

10.5 Japan

In Japan, privacy and data security law largely is governed by a 2003 statute, the Act on the Protection of Personal Information (APPI).73 The statute is more similar to the comprehensive EU approach to data regulation, and certainly is more stringent than the U.S. sectoral approach. Indeed, Japan's privacy and data security protections are among the most comprehensive in Asia.

However, Japan's privacy law also lacks some of the features of Europe's. For instance, Japan does not impose additional restrictions on “sensitive” personal information. Moreover, unlike the European data protection regime, the APPI does not distinguish between controllers and processors. Japan's law also does not require other countries' data protection laws to be “adequate” before allowing a foreign data transfer.

Among the notable features of APPI is its relatively broad definition of the “personal information” that is protected by the statute. APPI defines “personal information” as “information about a living individual which can identify the specific individual by name, date of birth or other description contained in such information (including such information as will allow easy reference to other information and will enable the identification of the specific individual).”74 In other words, Japan treats as personal information not only data that could help identify an individual, but also data that could lead to other data that could help identify an individual. The restrictions apply to all “business operators” that handle personal information.75

In 2015, Japan's legislature amended APPI, with the goal of implementing the new provisions by the end of 2017. Because some of the details of the implementation of the amended law have yet to be finalized and an English-language translation of the amendments is not yet available, below is a summary of the 2003 law, followed by an overview of reported changes.

Japan's privacy and data security laws, like those of Europe, suggest that personal information protection is a human right. APPI sets forth a general “basic principle” that companies should cautiously handle Japanese residents' personal information “under the philosophy of respecting the personalities of individuals[.]”76

The following are among the key duties that 2003 APPI imposes on business operators that handle Japanese residents' personal information:

  • Purpose of utilization. Business operators must specify the “purpose of utilization” when they handle personal information, and they may not unreasonably change the scope of that purpose. Business operators must obtain prior consent to handle personal information beyond the initial scope stated in the purpose of utilization.77
  • Proper acquisition. Business operators may not use “deception or other wrongful means” to acquire personal information.78
  • Notice. At the time that a business operator obtains personal information, it must “promptly notify” the individual of the purpose of utilization (either directly or via a public announcement). The notice requirement does not apply if the notice could harm individuals or property or the rights or legitimate interests of the business operator. The notice requirement also does not apply when it is necessary to comply with law enforcement or if the purpose “is clear in consideration of the circumstances of the acquisition.”79
  • Accuracy. Business operators must “endeavor to maintain” accurate and up-to-date personal information that is necessary to achieve the purpose of utilization.80
  • Security controls. The statute requires business operators to “take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the personal data.”81 The statute does not specify the particular safeguards that businesses must implement to satisfy this requirement.
  • Employee supervision. Business operators must “exercise necessary and appropriate supervision” to ensure that employees properly handle personal information.82
  • Transfers to third parties. Business operators generally may not provide personal information to third parties without prior consent from the data subjects. This prohibition does not apply in a few exceptional cases: (1) if the transfer is based on laws or regulations, (2) if the transfer is necessary to protect individuals or property and consent is difficult to obtain, (3) if the transfer is necessary for public health or child welfare and consent is difficult to obtain, and (4) if it is necessary to cooperate with government.83
  • Public privacy notice. Business operators must post a publicly accessible document that contains the following information: (1) the name of the business operator who is handling the personal information, (2) the purpose of utilization for retained personal data, (3) procedures for handling requests regarding personal information from data subjects, and (4) any other information required by Cabinet Order.84
  • Correction of data. Business operators generally must correct, add, or delete personal data at the request of the data subject.85

In September 2015, the Japanese Diet passed a bill that contained the first significant amendments to APPI since its passage more than a decade earlier. The changes will go into effect by the end of 2017. Below are some of the significant changes:86

  • Allowing companies to share certain data with third parties unless the data subject “opts out” (a more lenient standard than the 2003 law's “opt in” requirement).
  • Under certain circumstances, disclosure of anonymized or pseudonymous data will not require individual consent.
  • Restrictions on the transfer of personal data outside of Japan.
  • Additional protection for “sensitive information,” similar to the European Union.
  • The creation of a Privacy Protection Commission, which will enforce Japan's privacy law. The Commission, which was formed in August 2016, will determine many of the details of the implementation of the amended law.
