Monthly Archive: June 2017

UK: Commitment to introduce new Data Protection Bill in line with GDPR principles

Yesterday the UK Government set out its legislative programme for the next Parliamentary term, through the Queen’s Speech. Whilst Brexit will dominate the legislative agenda, data protection received special mention with a commitment to introduce a new Data Protection Bill.

The Bill will reiterate the UK’s commitment to implementation of the principles of privacy enshrined in the GDPR, regardless of Brexit. It will also add further clarity on how the UK intends to apply statutory controls to those areas of the GDPR where Member States have flexibility to develop complementary legal requirements or derogations.

The speech is an important message for anyone who may have had doubts about the UK's commitment to the GDPR after Brexit. It is a clear steer to UK business to get ready for the new privacy regime and a strong sign to any detractors, whether in Europe or the wider global community, that the UK remains focussed on maintaining a robustly regulated digital environment, at the forefront of emerging global standards.

Whilst we await with interest details of the specific regulatory controls within the Bill itself, this is a welcome message of clarity in otherwise uncertain political times.

CHINA: PRC Cybersecurity Law – take action and monitor developments to avoid losing your China business

The PRC Cybersecurity Law is three weeks old, and non-compliant international businesses are already facing severe consequences. Since 1 June, twenty-two people engaged by a global technology giant have been arrested, and sixty online entertainment news sites have been shut down.

The law continues to evolve. The latest guidance provides practical answers to previous areas of uncertainty. Whilst some questions remain, the key message is: do not ignore the PRC Cybersecurity Law. It is now in force and organisations must comply with it.

Read on if you:

  • Transfer personal information and important data out of China
  • Are concerned your organisation may be a key information infrastructure operator
  • Supply network and cybersecurity products and services to China
  • Are unsure if you handle “important data” in or from China

Five key developments that you need to know

1. What is now in force?

2. Are the new overseas data transfer rules in force?

Not yet. The draft measures proposing conditions/restrictions on overseas transfers of personal data and important data by network operators including KIIOs (Draft Measures) did not come into force on 1 June 2017, surprising commentators. Unofficial sources indicate the lead regulator (CAC) discussed a revised draft of the Draft Measures with key stakeholders and proposed toning down some of the more onerous obligations. For now, we await official announcements from CAC.

If and when the Draft Measures come into force, organisations should follow the newly-published Draft Guidelines for Data Cross-Border Transfer Security Assessment (Draft Guidelines). These set out detailed guidance on the security self-assessments for cross-border transfers. They include practical tips on how and when to conduct a self-assessment, including key factors to consider (legality, legitimacy, control of risks, technical and management skills, the recipient’s capability to protect data, and the recipient countries’ political and legal environment), and a rating system to apply. Practical examples are also given on how to assess the sensitivity and level of influence of personal/important data, and solutions to minimise the risks.

3. Am I a KIIO?

We still don’t have a definitive answer, but previously unofficial guidance has now been formally published. The National Internet Security Check Operational Guideline is primarily a guideline for Government agencies. A key infrastructure protection regulation is being prepared by the Chinese authorities (which may or may not refer to this guideline) and (according to CAC) is expected to be published for public comment soon. It is hoped this regulation will provide greater certainty. For now, who does the guideline indicate will be deemed a KIIO?

  • Websites: operators of:
    • Party/Government websites
    • Key news websites
    • Websites with more than one million visits per day
    • Websites where a network security incident would have a significant impact (i.e. on work/lives of over one million individuals or 30% of a district; disclosure of personal information of over one million individuals; disclosure of large volumes of sensitive corporate information or “national basic data” (relating to resources, mapping); or damage to/endanger government image, social order or national security)
  • Platforms: operators of platforms:
    • With registered users over ten million, or with over one million active users (with a login frequency of at least once a day)
    • With average daily orders or transactions over RMB 10 million
    • Where a network security incident would have a significant impact (i.e. direct economic loss of RMB 10 million or above; on work/lives of over ten million individuals; disclosure of personal information of over one million individuals; disclosure of large volumes of sensitive corporate information or “national basic data” (see above); or damage to/endanger government image, social order or national security)
  • Production Businesses:
    • Operators of systems for public/government/cities such as healthcare, security, fire service, emergency management, production scheduling, traffic control
    • Operators of data centres with over 1,500 standard servers
    • Businesses where a network security incident would have a significant impact (i.e. on work/lives of 30% of a district; affect the utilities or transport of at least 100,000 individuals; death of five or more individuals, or serious injuries to fifty or more individuals; direct economic loss of RMB 50 million or above; disclosure of personal information of over one million individuals; disclosure of large volumes of sensitive corporate information or “national basic data” (see above); or damage to/endanger government image, social order or national security)

4. Can I still sell my technology products in China?

Yes, but you now need to consider the supervisory assessment/certification scheme for suppliers of critical network and cybersecurity products and services to KIIOs or to be used for other networks and information systems that relate to national security. We now have an initial catalogue of those caught by the new scheme:

Critical network equipment:

  • Routers
  • Switches
  • Servers (rack-mounted)
  • Programmable logic controllers

Specialised cybersecurity products:

  • All-In-One data backup
  • Firewall (hardware)
  • Web application firewall
  • Intrusion detection system
  • Intrusion defence system
  • Security isolation and information exchange products (gatekeeper)
  • Anti-spam mail products
  • Network integrated audit system
  • Network vulnerability scanning product
  • Security data system
  • Website recovery products (hardware)

The new Trial Measures for Security Review of Network Products and Services (Trial Measures) provide practical guidance on how the scheme will be implemented. Whilst uncertainties remain, the Trial Measures clarify that:

  • Reviews will focus on “security and controllability” risks of products and key components, from manufacture through to sale, implementation and maintenance/support. Initially TC260 standards have been released for evaluating security and controllability of central processing units, operating systems and office software
  • Competition impact is a lesser concern, but reviews will look at dependence on certain providers
  • Reviews will also consider risks of providers accessing data and user information through their products/services
  • Reviews may be conducted in a lab, onsite, remotely or through background investigations. While some technical documentation must be provided, it is not yet clear whether source code must be disclosed; and what sort of test environment providers may need to make available to the authorities

5. What is “important data”?

“Important data” is broadly defined to include information that relates to national security, economic development, or social or public interest. Appendix A of the Draft Guidelines sets out an 11-page list of examples in key sectors such as utilities, telecommunications, geographical information, finance and e-commerce. The coverage is very broad, and is a useful reminder to organisations that the PRC Cybersecurity Law does not just affect personal data and has a very wide reach.

What other developments are anticipated?

  • General personal data protection
    • Development: Draft Information Security Techniques – Personal Information Security Specifications, published for public consultation and, according to reports, expected to be implemented soon. This is in effect an update to the 2013 general data protection guidelines governing personal data, which are the current persuasive best practice, and practical guidance, on how to handle personal data in China.
    • Impact (High): first statement of key data protection principles in China; significant changes to key terms such as “sensitive personal data” and “data controller”; greater clarity on privacy notices and terms to be included; additional security measures; and new DPO requirements.
  • Minors’ data
    • Development: Draft Regulations on the Protection of the Use of Internet by Minors, published for public consultation in January 2017.
    • Impact (Medium): additional protections for minors online, including safeguards for collection, use and disclosure of minors’ personal data by “network information service providers”.
  • Encryption
    • Development: Draft PRC Encryption Law, published for public consultation in April 2017.
    • Impact (High): more standardised approach to encryption and IT security in China (including mandatory national standards); use of encryption would be mandatory for some networks and data; encryption will remain heavily regulated; requirement for suppliers to provide decryption support.
  • Consumer data
    • Development: Draft Regulations on the Implementation of the Law on the Protection of the Rights and Interests of Consumers, published in Summer 2016.
    • Impact (High): strengthening of consumer personal data protection, including consent, mandatory data breach notification and record retention requirements.
  • E-commerce data
    • Development: Draft E-commerce Law.
    • Impact (High): new data protection obligations including prior notice consent; explicit consent for subsequent changes of scope/purpose; data retention, use and security obligations; immediate data breach notifications; and irretrievable anonymisation of e-commerce data before disclosure.

AUSTRALIA: Increased focus on global privacy and data protection for Australian organisations

Authors: Sinead Lynch and Jessica Noakesmith

Regulators around the world are, and will be, taking a much closer look at rules on the protection of individuals' personal data and the security of their citizens' information. The onslaught of the new and arduous General Data Protection Regulation (GDPR) regime in Europe, the recent ‘protectionist’ changes to the PRC Cybersecurity Laws in China on 1 June 2017, anticipated changes in Singapore’s data privacy regime, as well as rumblings from other Asia-Pac countries in this area, all confirm that these are issues where national regulators are sitting up and taking action. Recent cyber events, including the much-reported ‘WannaCry’ cyber-attack, add to global unrest in this area.

To date, Australia has adopted a more transparent and conciliatory approach to privacy and security. However, this position is likely to be challenged now in light of international developments in this area. The introduction in Australia of the long-awaited mandatory Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB) in February 2017, commencing from, at the latest, February 2018, as well as the Government’s budget confirmation of the Productivity Commission’s new law on personal data sharing and release, go some way to support Australia’s renewed focus in this area.

The Office of the Australian Information Commissioner (OAIC) has also just released its updated resource, General Data Protection Regulation Guidance for Australian Businesses (the Guide), to confirm that Australian businesses should, as a matter of priority, review the extent of their compliance obligations under the GDPR and take steps now to ensure their handling practices comply, prior to its commencement on 25 May 2018. At a conference hosted last month by the OAIC, the Privacy Commissioner, Timothy Pilgrim, expressly underlined the importance of the GDPR for Australian businesses, and advised that the OAIC will be taking a closer look at compliance in this area.

Therefore, to the extent that an Australian company handles or processes EU individual data in the course of its operations and this processing falls within the scope of the extra-territorial reach of the GDPR (as described further below), this company will be required to comply with the onerous requirements of GDPR and may be subject to its sanctions.

The Guide

The Guide confirms that Australian businesses “of any size” may need to comply with the GDPR if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

The Guide helpfully compares the GDPR and Privacy Act 1988 (Cth) principles in an easy-to-read comparison table. Certain similarities are highlighted: both laws share a focus on fostering transparent information handling practices and business accountability, to give individuals confidence that their privacy is being protected.

However, there are notable differences in the GDPR. In addition to the myriad of broadly defined terms and the wide scope of personal data, there are enhanced rights for individuals to their data, data portability obligations, a right “to be forgotten”, enhanced consent requirements and a 72-hour mandatory data breach notification requirement in certain cases, not to mention the unwieldy fines and sanctions.

While some Australian businesses may already have certain measures in place that will be required under the GDPR, the Guide recommends that all organisations should begin taking steps to evaluate their information handling practices and governance structures, seeking legal advice where necessary, to implement the necessary changes well before commencement of the GDPR.

We take a closer look here at the GDPR and its implication for Australian businesses processing EU personal data / global organisations operating in Australia with the required relationship to the EU, who handle personal information of EU/UK citizens.

So, what is GDPR?

You will no doubt have read multitudes of reports and analysis on this new legislation and what it may mean for both European and global organisations. In brief, the GDPR is a wide-ranging piece of (directly applicable) privacy legislation recently adopted by the EU institutions, which mandates a significant rise in personal data protection compliance obligations for all organisations coming within its reach – both inside and outside the EU.

Notably, due to its new extra-territorial effect, a large number of global organisations operating across borders who were not previously caught by the existing regime will be affected. This will also be directly applicable in the UK for a period, despite Brexit considerations. It is widely accepted that the same / a similar regime will apply in the UK post-separation.

The GDPR was adopted on 26 April 2016 and is due to come into effect on 25 May 2018. As the legislation took over five years of intense lobbying and debate (inside and outside the EU) prior to its adoption, there are a number of interpretative issues and unanswered questions (including extra-territorial issues). Although there is less than a year to go, guidance from the EU has to date been relatively sporadic.

Why is GDPR so important?

There are some key reasons:

  • The significantly increased fines for personal data breaches for all organisations caught by the GDPR (of up to €10-20 million or 2-4% of global annual group turnover) mean that it is a group board-level issue for many organisations. Non-compliance by even smaller companies in a group may lead to significant ramifications where the GDPR applies to that group / company within the group
  • A host of new obligations on data controllers and data processors (for the first time) are introduced, which include enhanced rights for individuals to their data, data portability obligations, the right to be forgotten, enhanced consent requirements to name but a few
  • Underpinning the GDPR are ‘accountability’ and ‘transparency’ obligations which require a holistic approach to be taken to privacy compliance – around the world. Getting prepared may require internal re-organisation of each group member business activities and procedures – on a wholesale group basis
  • Even where a group / company may not currently fall within the scope of GDPR, continuous review and re-organisation may still be required so as to avoid company activities falling under its scope in the future
  • A group / company’s partners and third party suppliers and customers may be caught by the GDPR and additional compliance requirements / contractual obligations on companies may be forthcoming from such organisations
  • Fundamentally, protecting the reputation and brand of the wider group where any breach or suspected data breach / security / information governance issues arise remains an ever-present and key driver

Why does GDPR concern Australian operations?

In determining whether activities fall within its geographical reach, the GDPR considers not only the location of where information is being processed (as was the case under the old EU Data Protection Directive), but now also the location of the individual whose data is being processed.

Under the existing regime, non-EU businesses only fell within the scope of the Directive if processing took place using equipment in the EU (e.g. using servers or employees located in the EU). This will no longer be the test: the ambit of the GDPR seeks to capture all processing of EU individuals' data, regardless of where such processing takes place.

The GDPR will apply to any Australian business who processes personal data:

  • “In the context of the activities of an establishment of any organisation in the EU”
  • “Of EU individuals where the processing activities relate to the:
    • Offering of goods or services to individuals in the EU (including where no payment is required); or
    • Monitoring the behaviour of individuals in the EU (where such behaviour takes place in the EU)”

Both “personal data” and “processing” under GDPR are broadly interpreted and go much further than the analogous definitions of “personal information” and “handling” under the Privacy Act /APPs in Australia.

A review of your existing use, handling and processing of EU individual personal data and the targeting of services outside of Australia to the EU is recommended. Reviewing both existing and anticipated data flows (e.g. which may arise as a result of group company acquisitions, disposals or new third party contracts) is also recommended.

Referencing specific GDPR recitals, the OAIC provides, in its recently published Guide, some examples of how the GDPR may apply to Australian businesses that fall under this test.

To determine if GDPR impacts your business, the fundamental question to ask at the outset is “Do you target EU individuals or organisations and if so, what percentage of personal information is processed related to such activities?” If you are likely to be at risk, the time to act to ensure compliance is now.


This extra-territorial effect of GDPR has been well publicised (and criticised) and organisations outside of the EU are now taking stock to review their privacy compliance obligations.

While there are still question marks over the practical enforceability of the GDPR regime and its sanctions outside of the EU (with ongoing discussion of extra-territorial co-operation agreements with EU supervisory authorities), the OAIC has confirmed that it will continue to use its enforcement powers under the Australian Privacy Principles (APPs) where a privacy breach arises.

It has also recently confirmed that it is committed to internationally coordinated approaches to privacy regulation, recognising that APP entities carry on their business globally and that personal information is regularly disclosed, handled and stored overseas. The OAIC also participates in several international forums and arrangements to promote best privacy practice internationally, address emerging privacy issues in Australia and cooperate on cross-border privacy regulation and enforcement matters.

As such, if an Australian business is found to contravene the GDPR in respect of data / security breach (for example) this may be sufficient to bring it to the attention of the OAIC, who may take action under the APPs in respect of that data / security breach (without prejudice to any EU enforcement capability).

While we have yet to see the full impact that GDPR will have on non-EU businesses, for market-leading organisations operating in Australia, reviewing your privacy compliance obligations with the GDPR will be crucial to ensure the protection of your reputation and brand and to minimise any risks of exposure to exponential fines and sanctions for breach.

As the Privacy Commissioner has confirmed, privacy and data protection is an area that is likely to see further change in the coming years for Australian companies. This is one area where organisations can get ahead of the game by applying additional measures under the GDPR (even where not mandatory / required) to enhance privacy practices, engage consumer trust and ensure consistent internal privacy practices, procedures and systems across all businesses.

We are currently completing GDPR gap analysis, data flow mapping and risk compliance audits for our clients and would be delighted to answer any questions you may have on this area and on whether GDPR is likely to impact your business in Australia.

Please see our resources which include key requirements and some practical tasks for implementation which can assist you to understand and comply with this new and significant impending legislation.

AUSTRALIA: OAIC call out for comments – draft resources for businesses and agencies regarding the Notifiable Data Breach Scheme

Authors: Sinead Lynch, Jessica Noakesmith

On 2 June 2017, the Office of the Australian Information Commissioner (OAIC) released 4 draft resources for businesses and agencies regarding the Notifiable Data Breach (NDB) scheme. Direct links to the draft resources are below:

These draft resources provide guidance on the NDB scheme with examples of how to prevent serious harm and avoid notification requirements through remedial action, examples of data breaches, definitions of unique terms and a practical approach to the requirements. The OAIC has noted that entities can request that any information they provide be kept confidential (and the OAIC will liaise with entities in the case of a Freedom of Information (FOI) request).

The draft resources note that ‘serious harm’ may include serious physical, psychological, emotional, financial or reputational harm. Unfortunately, the resources do not address some of the concerns around assessing when “suspected data breaches” arise. The OAIC has confirmed, however, its plans to release a further guideline, “Assessing a suspected data breach”, which it confirms will “provide guidance about the process to follow when carrying out an assessment of ‘whether there are reasonable grounds to suspect that there may have been an eligible data breach of the entity’”.

Please see our key points below for further details on these 4 resources.

The OAIC is asking for any comments by 14 July 2017. You can make a submission here.

We are advising a number of our clients in this area. If you / your organisation would like any support or assistance in commenting on the draft resources, please do let us know.

The OAIC has posed some key questions to consider:

  • Are the draft resources clear, relevant and practical?
  • Do the draft resources meet the needs of agencies and organisations in understanding the new requirements under the NDB scheme?
  • Are there any topics that you believe the draft resources should cover that have not been covered, or should be covered in greater detail?
  • Are there any practical examples you could share to help illustrate the operation of the NDB scheme?
  • Are there any other ways in which the draft resources could be enhanced?

Key points

Entities covered by the NDB scheme

  • Notes that generally, agencies and entities that are covered by the Privacy Act 1988 (Cth) (the Privacy Act) must comply with the NDB scheme.
  • Outlines the applicability of the NDB scheme to Australian Privacy Principles (APP) entities, credit reporting bodies, credit providers and TFN recipients, and outlines the exceptions for the NDB scheme to apply to small business operators.
  • Defines ‘holding’ personal information disclosed overseas for the purposes of assessing an eligible data breach.

Identifying eligible data breaches

  • Notes that the NDB scheme requires entities to notify particular individuals and the OAIC about ‘eligible data breaches’.
  • Gives examples of how to prevent serious harm with remedial action and examples of data breaches.
  • Includes definitions of unauthorised access, unauthorised disclosure, loss and:
    • ‘Eligible data breach’ (objectively, from the viewpoint of a reasonable person in the entity’s position) is:
      • the unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that an entity holds (including internal, independent contractors, hackers etc.);
      • that is likely to result in serious harm to one or more individuals; and
      • the entity has not been able to prevent the likely risk of serious harm with remedial action.
    • ‘Serious harm’ may include serious physical, psychological, emotional, financial or reputational harm. Section 26WG lists ‘relevant matters’ that entities may use in an assessment of the likelihood of serious harm. Entities should consider the types of personal information, the circumstances of the data breach and the nature of the harm (the resource expands these) when making this assessment. The resource does not define serious harm.
    • ‘Reasonable person’ means a person in the entity’s position who is properly informed, based on information immediately available or following reasonable inquiries or an assessment of the data breach. This definition can be influenced by relevant standards and practices and is also discussed in general terms in the APPs.
    • ‘Likely to occur’ means more probable than not (rather than possible).

Notifying individuals about an eligible data breach

  • Notes that when an entity experiences an eligible data breach it must provide a statement to the Commissioner and notify individuals at risk of serious harm of the contents of the statement as soon as practicable after completing the statement prepared for notifying the Commissioner. If the breach applies to multiple entities only one entity needs to comply, and the entities decide which. The Commissioner suggests the entity with the most direct relationship with the individuals at risk of serious harm should undertake the notification. If none of the entities does so, each may be in breach.
  • Defines ‘as soon as practicable’ to include considerations of cost, time and effort. The Commissioner expects expeditious notification.
  • Explores the three options to ‘notify’ individuals (notify all individuals affected, notify those at risk of serious harm, or publish the notification on a website). An entity can use any reasonable method to notify individuals (call, SMS, mail, social media, in person etc.). If it is not practical to notify individuals, the entity must publish a copy of the statement on its website and take reasonable steps to bring this to the attention of the individuals at risk of serious harm. ‘Reasonable steps’ might include:
    • ‘ensuring that the webpage on which the notice is placed can be located and indexed by search engines’
    • ‘publishing an announcement on the entity’s social media channels’
    • ‘taking out a print or online advertisement in a publication or on a website the entity considers reasonably likely to reach individuals at risk of serious harm’

Australian Information Commissioner’s role in the NDB scheme

  • The Commissioner acknowledges it will take time to become familiar with the NDB scheme, and during the first 12 months’ operation of the NDB scheme the primary focus will be on working with entities to ensure they understand, and are working in good faith to implement, the NDB scheme. The priority is to offer advice and guidance to entities and provide assistance to individuals at risk of serious harm; however, the Commissioner may make inquiries or take regulatory action.
  • Notes that entities may request that the information provided be kept confidential, and if an FOI request is made, the Commissioner will consult with the entity (or transfer the request if it is an agency).
  • Describes the content included in a notification statement. The OAIC comments that although the Privacy Act does not require it, entities may provide additional information to the Commissioner, e.g. circumstances and further detail about the entity’s response.
  • Outlines the powers of the Commissioner under the NDB scheme to:
    • accept an enforceable undertaking (section 33E) and bring proceedings to enforce an enforceable undertaking (section 33F)
    • make a direction to notify
    • declare that notification need not be made or that it can be delayed (in exceptional cases) after a detailed application by an entity
    • make a determination (section 52) and bring proceedings to enforce a determination (sections 55A and 62)
    • seek an injunction to prevent ongoing activity or a recurrence (section 98)
    • apply to court for a civil penalty order for a breach of a civil penalty provision (section 80W), which includes any serious or repeated interference with privacy
  • Notes that the requirement under section 36 of the Privacy Act to investigate a complaint made by an individual about an interference with that individual’s privacy includes a failure to notify an individual under the NDB scheme.

For further information and commentary on the Notifiable Data Breach scheme generally see our post here.

Top 5 takeaways on how to get ready for the European Privacy Regulation

How to get ready for the GDPR right now? This was the topic of the seminar arranged to mark the one-year deadline from the effective date of the EU Privacy Regulation.