In the past year, cybersecurity and data privacy have been topics of focus around the world as countries continue to implement new laws and regulations to address these issues. These new developments are likely to impact business agreements as the world economy becomes more interconnected. This article describes some of these recent developments in the European and Asia-Pacific regions.
Developments in the European Union
GDPR Became Effective
The European Union’s General Data Protection Regulation (GDPR) replaced the EU Data Protection Directive 95/46/EC (EU Directive) on May 25, 2018, requiring businesses with operations in Europe that handle personal data to update their practices and procedures. Of particular importance are the new requirements on data breach notification and on increased transparency to data subjects regarding the processing of their personal data.
More Businesses Subject to EU Privacy Laws
The implementation of the GDPR increased the number of businesses that are subject to the regulation even though they have no physical connection to the EU. On November 23, 2018, the European Data Protection Board (EDPB) issued new draft guidelines on the territorial scope of the GDPR. These guidelines affirmed that a business merely needs to have an “establishment” in the EU, or to “target” data subjects within the EU, to be subject to the GDPR. According to these guidelines, an Asian bank offering banking services to Asian expatriates living in Europe, but otherwise having no connection with the EU, and an American airline with a website accepting bookings from EU residents, may both be subject to the GDPR for some of their operations despite having no physical presence in the EU.
Fines Imposed in GDPR Enforcement Actions
The initial level of GDPR administrative fines imposed in Germany and Spain seemed proportionate to the nature of the activity that had taken place and was in line with the level of fines imposed under the previous EU Directive. This trend was broken in January 2019, when the French data protection authority (CNIL) issued a fine of 50 million euros against Google in relation to Google’s systems and processes for collecting personal data, even though there had been no catastrophic event such as a data breach. While the circumstances of the Google case are unique, it is a clear sign that large fines are a real possibility under the GDPR.
EU Cybersecurity Act Approved
The EU Cybersecurity Act was approved by the European Parliament in March 2019 and is, as of this writing, pending approval by the European Council. Proposed in 2017, the EU Cybersecurity Act is part of a wide-ranging set of measures to deal with cyber-attacks and to build stronger cybersecurity in the EU. If approved, the act will establish EU cybersecurity certification schemes for products, services and processes related to information and communication technology. The certification schemes may specify assurance levels based on aspects such as resilience to accidental or malicious data loss or alteration, which, in turn, will determine the requirements and evaluations to which the products, services or processes are subject.
Developments in the Asia-Pacific Region
Developments over the past year have shown a clear focus on cybersecurity and data privacy in the Asia-Pacific region. In particular, a number of new cybersecurity and data localization laws have come into force, along with new concerns regarding potential intrusion on data privacy by government authorities.
China and the CSL Update
China has been active in enforcing its Cybersecurity Law, which came into force in June 2017. Along with its supplemental measures and regulations, the China Cybersecurity Law provides guidance on the collection, storage, use, transfer and disclosure of personal information, and sets organizational standards and data breach response requirements for personal data controllers. It also requires that data collected or generated in China during business operations not be transferred outside of China unless the transfer is necessary for business requirements and passes a security assessment showing that it would not pose a security risk to the national interests of China.
China has, in particular, focused its enforcement efforts on platform operators, mobile applications and Internet service providers. The Chinese police stated that they have been focusing on regulating the online environment, protecting citizens’ personal information, clamping down on illicit online activities and urging network operators to fulfill their cybersecurity-related obligations. The police cited cybersecurity cases involving (i) inadequate implementation of network security, including the lack of a management system and of technical protection measures; (ii) weak administrator passwords, which made a website vulnerable to data leaks; (iii) unlawful collection of data; (iv) the sale of tools that facilitate online hacking; and (v) the illicit download of a virtual private network (VPN) and modification of the VPN’s source code.
On November 1, 2018, the new Regulation on Internet Security Supervision and Inspection by Public Security Bureaus (Regulation), issued by China’s Ministry of Public Security, came into effect. Under the Regulation, the Public Security Bureaus (PSB) are granted broad powers to conduct on-site and remote inspections of Internet service providers and network users to ensure their compliance with the China Cybersecurity Law. Companies failing to comply with the Regulation will be subject to penalties ranging from remedial orders and warnings to fines and imprisonment.
On January 3, 2019, China’s Cyberspace Administration (CAC) announced a six-month cyberspace clean-up campaign aimed at policing any information the CAC deems “negative and harmful,” including information relating to pornography, violence, gambling, online rumors and the incitement of hatred.
Also in January 2019, the CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation issued a joint notice on illegal data collection by mobile apps. That notice stipulates, among other things, that mobile app operators must not collect personal information unrelated to their services, must obtain users’ consent before collecting the data and must protect the data in compliance with the China Cybersecurity Law.
Data Localization in the Asia-Pacific Region
Vietnam’s Cybersecurity Law came into effect on January 1, 2019. Notably, it also includes a data localization requirement for user data collected by foreign and domestic companies that provide services over telecommunication networks or the Internet (such as email, social media, messaging, banking and e-commerce services) to users in Vietnam.
India and Japan are also moving to adopt data localization as part of their efforts to protect certain data from cyber threats. For example, the Reserve Bank of India issued a circular on the “Storage of Payment System Data” in April 2018 that requires providers of payment services to store all data relating to their payment systems solely in India. Japan has also introduced data localization guidelines to protect data relating to its critical infrastructure. Operators of critical infrastructure in Japan will be advised to store data on servers located in Japan. The guidelines identified 14 initial sectors as critical, including aviation, finance, railways, airports, information and communication, and utilities.
Although these jurisdictions are, of course, also concerned with protecting data and ensuring that sufficient safeguards are in place (i.e., by keeping the data subject to local laws), it has been argued that this is not the main purpose behind the push for data localization. The main driver of data localization is arguably the desire to protect data from perceived foreign surveillance, to protect local companies and to make it easier for local governments to access data.
Other Developments in the Asia-Pacific Region
Other countries across the Asia-Pacific region are continuing to move towards tighter regulation of cybersecurity and data privacy. India’s DNA Technology (Use and Application) Regulation Bill (DNA Bill), passed on January 9, 2019, will set up DNA profiling banks to create a database to help identify victims, offenders, suspects, missing persons and unidentified human remains. Major concerns have been raised with regard to DNA profiling, issues of consent, and violations of data protection principles and the right to privacy.
Thailand passed its new Cybersecurity Law and its Personal Data Protection Act in February 2019. Concerns have already been raised regarding the new Cybersecurity Law, which allows the Thai government to seize computers or other devices without a court warrant when there is reasonable suspicion that there are “critical threats” to cybersecurity.
Singapore’s new Cybersecurity Law came into operation on August 31, 2018, creating obligations for critical information infrastructure operators and granting the commissioner of cybersecurity powers to investigate cybersecurity threats and incidents. Singapore’s Cybersecurity Law has received a more positive reception than other cybersecurity legislation introduced in the region, likely because it applies clearly to the protection of identified critical information infrastructure without being overly burdensome.
In New Zealand, a new Privacy Bill (Bill) was introduced in March 2018 to replace the existing Privacy Act 1993. If approved, the Bill will introduce changes to keep privacy protections up to date, including a mandatory requirement for agencies to notify the privacy commissioner and affected individuals when a privacy breach is discovered.