Security and Privacy: A View from Asia and the Middle East
As 2018 picks up steam from its start, we are beginning to see traction in relation to various new regional data privacy and cybersecurity laws. Many of the provisions seem designed to enable countries to seek an EU Adequacy Finding, which is akin to the Privacy Shield provisions between the EU and the US. This would allow the easier transfer of EU data between the countries.
It is important for organizations to understand that being based in a country which is granted an EU Adequacy Finding does not absolve the company of complying with the GDPR’s requirements in that country. To be clear, Adequacy Findings and the EU/US Privacy Shield are just data transfer mechanisms. They do not indicate that the company’s branch complies with the greater obligations that the GDPR imposes. With Europe so far away, it seems hard for some to believe the far-reaching cross-border effect the GDPR will have on its May 25, 2018 implementation of penalties.
To discuss developments in just a few places in the region:
Since May ’17, Japan has increased consent requirements for the collection of certain types of personal information. It also requires data holders to respond to an individual’s request to provide and alter the individual’s personal information. Like the EU’s General Data Protection Regulations (GDPR), it applies to data collected from consumers and/or employees in Japan, even if it is gathered outside of Japan. Japan is hoping it can obtain an Adequacy Finding from the EU, but it appears at least several months away.
Japan was the first country in Asia to sign the US-led Cross-Border Privacy Rules System (CBPRs), which has a similar role in easing the transfer of data between signatory countries (currently US, Canada, Mexico, Japan and South Korea).
South Korea has had its stringent data privacy laws in place since 2011, with many of the same provisions as adopted by the GDPR. Korea is hoping to receive an Adequacy Finding from the EU in the next month or two. As mentioned above, they recently signed on to the CBPR framework.
China: In June ’17, China’s Cybersecurity Law became effective, requiring ‘personal information and other important data’ relating to its ‘Critical Information Infrastructure’ (CII) to remain in China and on equipment certified by the Chinese government to be secure. The definition of CII is rather broad, including data relating to the financial, transportation, health, energy and food industries.
In addition, a draft provision has been working its way toward implementation since April ’17, which would require that all personal information collected in China, stay in China, unless certain clearances are met. I call this China’s version of the ‘Vegas Rule’ (that is, ‘what happens in China, stays in China’). We are monitoring this far-reaching law quite closely.
Qatar: Qatar passed its Protection of Personal Data Privacy laws in late 2016. Originally due to be implemented in July ’17, a long-expected extension was issued this January 2nd, giving it an implementation date of January 29th, 2018. Our colleagues in Qatar expect an additional extension to be announced soon. Until that extension is formally issued, the obligations will be in place within a week, with fines of over US$1.3M for violations. Additional consent for the collection, processing or transfer of personal information applies, except in certain carve-out situations. In addition, individuals have the right to query/alter their data. Perhaps of most concern are the provisions requiring governmental approval before the collection of any ‘personal data of a special nature’ (including ethnic origin, health, religious beliefs, marital/child status, etc.). This is important, as this information is often collected by an employer in order to determine applicable payroll and social benefits.
Abu Dhabi Global Market (ADGM): ADGM is an international financial center located on Al Maryah Island in the United Arab Emirates (UAE). ADGM provides companies a place to operate under an international regulatory framework, with its own judicial and legislative infrastructure based on Common Law. As such, it governs activity for only the companies created within the ADGM, as opposed to the broader UAE. However, given the number of companies established in the ADGM, its regional impact may be broad.
Its Data Protection Regulations were passed in 2015 and cover a broad range of obligations, including the collection, processing and maintenance of personal data, as well as its transfer out of the ADGM. The Office of Data Protection was established in December of 2017 and a new Amendment to the Regulations was just issued on January 17th. Among other things, this amendment now requires breach notifications to be made ‘without undue delay, and where feasible, not later than 72 hours after becoming aware of it’. It further increases the penalties applicable to data controllers who fail to follow the Regulations.
In dealing with these new and cross-border obligations, it is essential to analyze the personal data you have and where it is from. Though technology allows the easy transfer of data across country lines, you must now analyze what laws apply to that data, and implement a program that will allow you to comply. As can be seen above, this is now NOT just an EU or US data issue, as countries around the globe increasingly weigh in on protecting their constituents’ data.