
June 2018: Regulatory Update

25 June 2018

GDPR – Legal Footprint of Data Protection Laws

GDPR has been one of the most widely talked about regulations in recent times. It has been contested and examined at length by business owners, lawyers and consumers alike. Interpretations have differed widely, but what is now indisputable is the legal requirement to comply.

As of May 25, GDPR became a requirement within the European Union. Yet as a global business this has raised a much wider question. Will the rest of the world follow suit? Are people aware of the existing regulations in other regions and jurisdictions?

The asset management industry requires cross-jurisdictional collaboration on a daily basis. As a global business we must have a full understanding of all data regulations and laws impacting both our own business and that of our clients, on a global basis.

We have taken a closer look at some of the other jurisdictions where data protection laws have had a substantial impact or where there have been recent updates. In some instances there are synergies with GDPR, in others differences. Does your fund market into these jurisdictions? Take a look:

Americas

1. Bermuda

Regulation: Personal Information Protection Act 2016 (“PIPA”)
Data Protection Authority: Privacy Commissioner (yet to be appointed)

Founded in Bermuda in 2003, we have a good understanding of local data protection regulation. In 2016, Bermuda issued the Personal Information Protection Act (“PIPA”); however, this will only enter into force in December this year. PIPA will regulate the future processing of all personal data in Bermuda under the supervision of a dedicated Privacy Commissioner (“the Commissioner”). In addition to PIPA, Bermuda still recognises a duty of confidentiality in certain circumstances under its common law.

Synergies with GDPR:

  • The minimisation principle, individuals’ rights, ‘need to know’ and the ‘right to be forgotten’ are similar to the GDPR standards
  • Data breach notification standards match GDPR in terms of timeframe and process
  • Under PIPA, the transfer of data is also defined and permitted provided that appropriate technical and organisational measures are taken to prevent unauthorised or unlawful processing of personal data
  • ‘Sensitive personal data’ is defined
  • Data subject (‘individuals’) rights are defined

Differences from GDPR:

  • The common law will still apply in parallel with PIPA, in contrast to the EU, where GDPR is replacing the current Directive
  • PIPA does not clearly define ‘accountability principles’, so the concept of ‘misuse of personal data’ remains broad
  • Definitions of “data controller”, “data subject” and “data processor”: these are instead referred to as “organisations”[1], “individuals” and “third parties”
  • PIPA does not contain the concept of liability for processors
  • Currently there is no requirement to appoint a dedicated Data Protection Officer (“DPO”); however, once PIPA is fully in force, there will be a requirement to appoint a “privacy officer”
  • Data breach notification: once in force, PIPA will require notification of a breach; however, there is no mention of timing or turnaround requirements (e.g. 72 hours)
  • Fines: will be set by the Bermuda courts on a case-by-case basis

 

2. Canada

Regulation: Personal Information Protection and Electronic Documents Act (‘PIPEDA’); Canada’s Anti-Spam Legislation (‘CASL’)
Data Protection Authority:
  • Office of the Privacy Commissioner of Canada (‘OPC’) – administers PIPEDA
  • Office of the Information and Privacy Commissioner of Alberta (‘PIPA Alberta’)
  • Office of the Information and Privacy Commissioner for British Columbia (‘PIPA BC’)
  • Commission d’accès à l’information du Québec (‘Quebec Privacy Act’)
  • Canadian Radio-Telecommunications Commission (‘CRTC’) – administers CASL

Data protection law in Canada is composed of a set of federal and provincial statutes. These laws include data protection statutes of general application, as well as sector-specific statutes. PIPEDA has the widest application for the private sector in Canada but does not apply in the provinces of Alberta, British Columbia or Quebec (which have their own laws).

Recent Updates:

In March 2018, the Canadian Government announced that the data breach notification provisions of the Digital Privacy Act 2015, amending the Personal Information Protection and Electronic Documents Act 2000 (‘PIPEDA’), were to enter into force on 1 November 2018. Under this Act, an organisation must report any breach of the security safeguards protecting personal information to the Office of the Privacy Commissioner (‘OPC’) as soon as feasible, where there is a reasonable risk of significant harm to an individual.

Synergies with GDPR:

  • PIPEDA requires organisations to comply with a set of legal obligations based on principles similar to those defined in GDPR (e.g. accountability, identifying purposes, consent, limiting collection/use/disclosure and retention, accuracy, individual access, etc.). The provincial statutes contain similar requirements
  • A data subject’s right to access personal information
  • Destruction of personal data

Differences from GDPR:

  • Business contact information is excluded from the application of PIPEDA where the information is used in relation to the business
  • Collection, use or disclosure of employee personal information is not in the scope of PIPEDA, unless the organisation in question is a federal organisation
  • Breach notification: no specific timeframe is provided by the law, which only mentions “as soon as feasible”
  • Canada has dedicated anti-spam legislation (“CASL”), which prohibits the sending of commercial electronic messages unless express consent, implied consent or an applicable exception applies and the prescribed requirements are met
  • Consent: although explicit consent is generally the default, organisations still have the option to rely on implied consent
  • Canadian laws do not include the concept of data portability

3. Uruguay

Regulation: Data Protection Act Law No. 18.331 and Decree No. 414/009
Data Protection Authority:
  • Uruguayan data protection authority (‘URCDP’)
  • Digital Government and Information Society Agency (‘AGESIC’) – which operates under the Presidency of the Republic

In August 2008, the Uruguayan government issued the Data Protection Act Law No. 18.331, followed by Decree No. 414/009 of 31 August 2009 (together, the ‘Act’). In 2012 the European Commission issued an adequacy decision stating that Uruguay already ensures an adequate level of protection of individuals with regard to the processing of personal data and the free movement of such data, as defined in Article 25(6) of Directive 95/46/EC of the European Parliament.

In 2017, the URCDP and AGESIC issued guidelines defining the concept of de-identification, anonymisation, re-identification and pseudonymisation.

Recent Updates:

On 12 April 2018 the AGESIC released a revised version of the cybersecurity framework (‘the Revised Framework’), to assist organisations in strengthening their data security practices, while also extending its applicability to any public or private organisation.

Synergies with GDPR:

  • Definitions of data controller, data processor, personal data and sensitive data
  • Scope of the regulation: the Uruguayan data protection regime applies to personal data, recorded in any form, that is likely to be collected, processed or subsequently used in any way, within the public or private domain (Article 3 of the Law)
  • Data subject rights
  • Transfer of personal data: process and principles (with some exceptions highlighted below)
  • Extra-territorial transfer of personal data: the Act forbids the transfer of personal data to countries or international entities which do not provide adequate levels of protection (according to European standards)

Differences from GDPR:

  • Mandatory registration of all databases containing personal data, whether private or public, with regular updates of the registration (every 3 months)
  • Transfer of certain personal data (e.g. name, surname, identity card number, nationality, address and date of birth) does not require prior consent of the data subject
  • A DPO is not mandatory
  • Data breach notification: there is no specific deadline mentioned in the law
  • Marketing: the law does not prohibit the use of personal data (e.g. email addresses) for the purposes of electronic marketing, but grants personal data owners/data subjects (individuals or legal entities) the right to demand the deletion or suppression of their data from the marketing database

4. USA

The United States does not have a single federal data protection law; instead there are approximately 20 sector-specific national privacy or data security laws, in addition to those of each state and territory.

For the purpose of this high-level review, we will focus on the two key federal laws which prohibit “unfair and deceptive practices”, highlighting the differences in data protection principles versus GDPR.

  • Definition of personal data and sensitive personal data: varies by local regulation; however, the Federal Trade Commission (‘FTC’) considers personal data to be only the information that can reasonably be used to contact or distinguish a person, including IP addresses and device identifiers. Data that needs to be protected is classed as “Personally Identifiable Information” (PII), which includes things like names, addresses, telephone numbers etc. Any information used for marketing purposes works on an ‘opt-out’ basis for privacy
  • Data breach definition is limited to a security breach in the majority of the states, and to a limited set of personal data, such as social security number, other government ID number, or credit card or financial account number
  • DPO: with the exception of entities regulated by HIPAA, there is no requirement to appoint a data protection officer

Asia Pacific

1. Hong Kong

Regulation: Personal Data (Privacy) Ordinance (“PDPO”), last amended in 2013
Data Protection Authority: The Office of the Privacy Commissioner for Personal Data (‘PCPD’)

Latest News:

In a forward-thinking move, in April 2018 the PCPD issued an EU General Data Protection Regulation booklet (‘GDPR Booklet’) to raise awareness of the regulation and assist businesses with data protection compliance abroad. The GDPR Booklet highlights the key features of the GDPR and compares them with local requirements under the Personal Data (Privacy) Ordinance 1997 (‘the Ordinance’) as amended in 2013.

Synergies with GDPR:

  • The definition of personal data is similar to GDPR
  • The purposes and principles for collection and processing of personal data are similar to GDPR in terms of the ‘need to know’ basis, adequacy, and processing for the stated purpose only
  • Data subject rights for access to and amendment of personal data

Differences from GDPR:

  • Sensitive personal data is not defined by the Ordinance
  • The definition of data also includes the expression of an opinion in any document of any form
  • Data breach: breach of a data protection principle is not in itself an offence in Hong Kong; however, a complaint may be made to the PCPD
  • DPO: currently there is no legal requirement for data users to appoint a data protection officer in Hong Kong

2. Singapore

Regulation: Personal Data Protection Act 2012 (“PDPA”)
Data Protection Authority: Personal Data Protection Commission (‘PDPC’); Data Protection Advisory Committee

Singapore has a robust Data Protection framework in place which was reinforced by the Personal Data Protection Act 2012 (‘PDPA’), implemented in three phases.

  • The first phase of general provisions (January 2013) related to the scope and interpretation of the PDPA, the establishment of the Personal Data Protection Commission (‘PDPC’) and the Data Protection Advisory Committee, and the establishment of Do-Not-Call (‘DNC’) Registers by the PDPC
  • The second phase came into force a year later and related to the provisions of the DNC Registry
  • The third and final phase involved the main provisions relating to the protection of personal data (Data Protection Provisions), which came into effect in July 2014

Recent Updates: New data protection management programme (“DPMP”) and data protection impact assessment (“DPIA”) guides were published by the Commission in November 2017.

Synergies with GDPR:

  • Definition of personal data: reflects GDPR in that ‘personal data’ under the PDPA refers to all “data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access”
  • Collection, use or disclosure of personal data reflects the GDPR standards, as do the requirement for consent and the possibility of withdrawing it
  • Transfer of data: requires express consent to be obtained from the data subject

Differences from GDPR:

  • DPO: while GDPR states the conditions under which the appointment of a DPO is mandatory, in Singapore every organisation must appoint one or more data protection officers responsible for ensuring the organisation’s compliance with the Act
  • Data breaches: there are no specific requirements in the Act concerning the notification of data breaches; however, in 2015 the Commission issued a guideline to help organisations manage data breaches more efficiently, recommending that the Commission be notified where the breach involves disclosure of personal data

3. Australia

Regulation: Privacy Act 1988 (‘Privacy Act’) as amended; Australian Privacy Principles (‘APPs’)
Data Protection Authority: Privacy Commissioner – operates under and through the Office of the Australian Information Commissioner (“OAIC”)

The key legislation in Australia relating to data privacy is the Federal Privacy Act 1988 (‘Privacy Act’) and its Australian Privacy Principles (‘APPs’); however, as in the USA, each Australian state and territory (except Western Australia and South Australia) also has its own data protection legislation applying to state government agencies.

Synergies with GDPR:

  • Definition of ‘personal information’: information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether it is recorded in a material form or not
  • Sensitive personal data: a definition is also included in the Australian legislation, reflecting GDPR
  • Consent: Australian legislation also requires data subject consent to be collected prior to collecting their personal information; typically this is done through privacy policies, which also specify the scope of the collection
  • Breach notification: the regime requires organisations to notify the OAIC and affected individuals of “eligible data breaches”

Differences from GDPR:

  • Unlike the European law, there is no definition of ‘data controller’ or ‘data processor’ under Australian privacy law. Each APP entity that obtains or receives personal information is treated as a ‘data controller’ under Australian law, and has its own separate and primary privacy obligations under the Privacy Act/APPs
  • DPO: there is no requirement for organisations to appoint a DPO; however, the Privacy Commissioner strongly recommends it
  • Data breach notification timeframe: not specified in the law; however, the OAIC has released guidelines inviting organisations to investigate any instance that might have led or has led to a data breach and to report back within 30 days
  • Transfer of personal data and consent: the law makes no mention of the need to obtain explicit consent from the data subject prior to transferring personal data

Middle East and Africa

1. Mauritius

Regulation: Data Protection Act 2017 (“DPA 2017”)
Data Protection Authority: Data Protection Office

Mauritius issued the Data Protection Act 2004 (the “Act”), which entered into force only in February 2009. The Act was predominantly based on Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

In July 2017 the 2004 Act was amended to ensure compliance with the provisions of Regulation (EU) 2016/679 (‘GDPR’). The Data Protection Act 2017 came into force in January 2018 and now represents the main legislation in terms of data protection.

Synergies with GDPR:

  • Definitions of personal data and sensitive personal data reflect GDPR standards
  • Processing of personal data: DPA 2017 includes the concepts of lawfulness, legitimate purpose, adequacy, accuracy and necessity of the collection and processing of personal data, as GDPR does
  • Consent: DPA 2017 has strengthened the concept of consent, which now reflects the EU standards
  • Data protection impact assessment (DPIA)
  • Data breach notification timeframe: same as under GDPR

Differences from GDPR:

  • Provision of data by the data subject is defined by the law as either voluntary or mandatory
  • Data controllers and data processors have a mandatory requirement to register with the Data Protection Office (DPO). Registration lasts for 1 year and is not automatically renewed
  • The appointment of a DPO is not mandatory; however, from the point of registration, the data controller or processor must appoint a person to supervise the organisation’s compliance with the Act
  • Data transfer also requires written permission from the Commission

2. Dubai (DIFC)

Regulation: DIFC Law No. 1 of 2007 Data Protection Law, as amended by DIFC Law No. 5 of 2012 Data Protection Law Amendment Law (‘DPL’)
Data Protection Authority: The Commissioner of Data Protection (‘CDP’)

The DIFC implemented DIFC Law No. 1 of 2007 Data Protection Law in 2007 which was subsequently amended by DIFC Law No. 5 of 2012 Data Protection Law Amendment Law (‘DPL’).

Recent Updates: In January 2018 the Dubai International Financial Centre (‘DIFC’) Authority announced that some amendments to the existing legislation had been enacted, in order to bring clarity to the DPL and ensure it is in line with Regulation (EU) 2016/679 (‘GDPR’).

Synergies with GDPR:

  • Consent: the current legislation already defines the concept of obtaining written consent prior to the processing of a data subject’s personal data. It also defines the scope of the processing, which must remain within the contractual agreement between the parties, as well as the location where the task is carried out in the interest of the DIFC, the Court or the Registrar
  • Definitions of personal data and sensitive personal data are also in the law
  • Collection and processing of personal data: the principles listed in the law mainly reflect the GDPR standards

Differences from GDPR:

  • Notification or registration is not required before processing data, provided the collection and processing of any personal data relating to an individual’s private or family life has been made with the individual’s consent or is authorised by law
  • Data subject rights are not well defined in the law
  • The data controller and data processor are not defined
  • There are no provisions giving data subjects a right to request the deletion of their data
  • DPO: there is no requirement to appoint a DPO

3. Abu Dhabi (ADGM)

Regulation: The Data Protection Regulations 2015 (the ‘Regulations’), as amended by the Data Protection Regulation (Amendments) 2018
Data Protection Authority: The Registrar; The Board of Directors of the ADGM (‘Board’)

Recent Updates: In December 2017, the Abu Dhabi Global Market (‘ADGM’) Registration Authority announced the establishment of the Office of Data Protection (‘the Office’), with the intention of providing guidance on data protection, administering the register of data controllers, monitoring and enforcing compliance, and assisting individuals with enquiries and complaints.

Synergies with GDPR:

  • Definitions: the Data Protection Regulations 2015 (the ‘Regulations’) provide concepts of ‘personal data’, ‘sensitive personal data’, ‘data controller’, ‘data processor’ and ‘data subject’ which are consistent with the EU Data Protection Directive 95/46/EC
  • Data subject rights: similar to the EU standards, giving data subjects the right to require data controllers to provide information about how personal data relating to them are processed and about the purposes of the processing. Data subjects may require the rectification, erasure or blocking of personal data where processing does not comply with the Regulations

Differences from GDPR:

  • Data processor activities are not governed by the applicable Regulations
  • DPO: there is no definition in the applicable Regulations
  • DPO: the appointment of a DPO is not mandatory
  • Data breach: not defined in the Regulations; however, there is a mention of “unauthorized intrusion to any personal data”
  • Data breach notification timeframe: not specified in the law, which mentions only “as soon as reasonably practicable”

Russia

Regulation: Federal Law of 27 July 2006 No. 152-FZ on Personal Data (as amended by Federal Law of 25 July 2011 No. 261-FZ) (21 June 2013); Federal Law of 21 July 2014 No. 242-FZ on Amending Some Legislative Acts of the Russian Federation in Concerns Updating the Procedure for Personal Data Processing in Information and Telecommunication Networks (23 May 2016)
Data Protection Authority: Federal Service for Supervision of Communications, Information Technologies and Mass Media or, in short, Roscomnadzor (‘Agency’)

Recent Updates:

In April 2018, the Ministry of Telecommunications and Mass Communications of the Russian Federation (‘Minsvyaz’) issued a draft amendment to the Federal Law of 27 July 2006 No. 152-FZ on Personal Data (‘the Draft Law’). The intention of this draft was to regulate consent for the processing of personal data, as well as to introduce a requirement to obtain consent for the processing of biometric data.

In addition, the Draft Law grants data subjects the ability to amend their consent to the processing of personal data.

Synergies with GDPR:

  • The definitions of personal data, sensitive data, data controller and personal data processing are similar to EU standards
  • Data subject rights are similar to GDPR standards

Differences from GDPR:

  • Data processor is not defined in the applicable laws
  • Data breach notification is not compulsory under Russian law

Europe:

For Europe and any other country being directly affected by GDPR, please refer to our GDPR Fundamentals to learn more about the new regulatory requirements.


[1] PIPA defines “organisations” as any individual, entity or public authority that uses personal information.
