As business continues to globalise, companies now find a myriad of local and regional data frameworks to observe. What this means in practice is that today's global corporation needs detailed advice on what it can and cannot do with data in each country, and the extent to which that data can be transferred across borders.
Data privacy in China is governed by a series of laws and regulations (collectively, the "Data Privacy Regime"), although there is no dedicated personal information protection law. The most notable laws and regulations under the Data Privacy Regime include the Decision on Strengthening the Protection of Online Information issued by China's top legislature in 2012; the Provisions on the Protection of Personal Information of Telecommunications and Internet Users issued by the Ministry of Industry and Information Technology (MIIT) in 2013; and the 2014 Revised Law on the Protection of Consumer Rights and Interests.
According to the Data Privacy Regime, "personal information" is rather broadly defined as any information that relates to a person and that, separately or in combination with any other information, may be used to identify the person. It expressly includes specific data such as the time at which and the location from which services are used or received, an important point given the explosion of location-based services.
The collection and use of personal information is allowed subject to certain requirements, including without limitation:
- Collection and use of any personal information should be in a lawful and proper manner by following the principle of necessity;
- Full disclosure is given of the purpose, method and scope of the collection and use;
- Prior consent should be obtained where the personal information is collected or used;
- Personal information must be kept secure and confidential; and
- Remedial measures must be taken where personal information may be leaked or lost.
Liabilities that businesses can accrue for infringing consumers' rights generally include ceasing the infringement, eliminating any ill effects, issuing an apology and compensating the consumer for their losses. Where the reputation of the consumer has been damaged, the business can be ordered to restore that reputation. Businesses can also be administratively liable for infringement of consumers' rights. Cases are handled by the Administration for Industry & Commerce (AIC), and penalties include fines of up to ten times the illegal gains or up to CNY500,000 (about US$78,000).
Although the Chinese data privacy regime is increasingly comprehensive, there are notable areas that the regulations do not address. These include an individual's right to access and correct the personal data held by another; explicit provisions regarding the deletion of data (beyond the requirement that collection and use of data must be 'necessary'); provisions regarding the transfer or processing of data overseas; and the validity and effect of user agreements.
The absence of regulations should not stop international businesses from considering these issues, though. Adopting international best practice in China, as elsewhere, is something international businesses should seriously consider, as we can only expect more regulation to come given the continued development of the issues driven by the progress of technology and the accompanying keen interest from the PRC Government.
The legislation on data privacy in Hong Kong is the Personal Data (Privacy) Ordinance (Chapter 486, the Laws of Hong Kong) (the "Ordinance"). The Ordinance protects the privacy rights of a living person (the "data subject") in relation to his/her personal data. Personal data is data that exists in a form in which access to or processing of it is practicable. There are 6 data protection principles which must guide those handling personal data ("data users"). These relate to:
1. Data collection methods and purposes, along with notification rules and transferee rules
2. Data accuracy and retention
3. Data use purposes and consent guidelines
4. Data security steps that must be taken
5. Data users' policies and practices
6. Data access and correction systems
Data privacy is enforced by the Privacy Commissioner for Personal Data ("Commissioner") and cases against those breaching the Ordinance are brought regularly. Non-compliance is not a criminal offence directly but the Commissioner may serve an enforcement notice to direct the data user to correct any contravention. Breach of an enforcement notice is an offence with criminal penalties. Individuals have remedies for breaches of the Ordinance too.
The transfer of personal data outside of Hong Kong is, however, in an uncertain position, and data users are recommended to seek consent from data subjects before transferring their personal data outside of Hong Kong.
Personal data protection in Indonesia is covered by the broader electronic transaction law regime. Law No. 11 of 2008 concerning Electronic Transactions and Information (the "ITE Law") contains a total of three paragraphs on personal data protection. The ITE Law was meant to be a comprehensive piece of legislation governing electronic/digital activity and dealings, but it is now well out of date. This has led to a perception that the protection of personal privacy is still somewhat uncertain.
The law was given more flesh by a government regulation passed in 2012: Government Regulation 82 of 2012 concerning Electronic System and Transaction Operation (the "Government Regulation").
The ITE Law, read with the Government Regulation, provides a number of concepts to regulate electronic transactions and information. The ITE Law's definition of an electronic system operator serving the public is broad enough that public websites are likely to be caught by the term "electronic system operator". There are rules on the location of data centres, and a variety of certificates are required, many of which do not yet have implementing regulations establishing the issuing regime.
Provisions on the protection of personal privacy are found in Article 26 of the ITE Law. Article 26 provides that the use of personal data must be with the consent of the person in question. Article 26 is thought to be rather general and therefore unclear. A breach of Article 26 gives the aggrieved individual a right to damages. There is no mention of administrative sanctions.
Some other points to note:
a. The regulations require Indonesian language to be used for online terms and conditions.
b. The status of agreements made online is still uncertain because the ITE Law still requires further implementing regulations.
The net result is a very uncertain regime. We recommend clients undertake a careful review and ensure compliance with the Indonesian rules such as they are, especially as to local language, and take a balanced approach that is likely to work elsewhere for privacy policies. Keep up to date on changes such as the issuing of implementing regulations too.
Data privacy in the Philippines is governed by Republic Act No. 10173 or the Data Privacy Act of 2012.
Under the Data Privacy Act, the processing of "personal information", or any information from which the identity of an individual can be ascertained, is allowed subject to certain requirements, such as:
- obtaining prior consent of the person whose personal information is processed;
- collection for specified legitimate purposes, which must be declared in specific ways; and
- such personal information is retained only for specific purposes.
"Processing" can refer to the collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
However, the processing of "sensitive personal information", such as personal information about an individual's race, ethnic origin, marital status or age, is prohibited unless it falls under certain specified exceptions in the Data Privacy Act. These include processing with the individual's consent and processing permitted under other laws.
The Data Privacy Act requires the person or organization controlling the processing of personal information to provide measures to protect the information against destruction, alteration, disclosure, unlawful access, and fraudulent misuse. Otherwise, penalties of imprisonment and/or fine may be imposed.
The Data Privacy Act also mandates the National Privacy Commission (which is yet to be created as at the date of this note) to monitor and ensure compliance with the law and with international standards set for data protection.
Data privacy in Russia is regulated by Federal Law No. 152-FZ of 2006 on Personal Data (the Personal Data Law).
Under the Personal Data Law, "personal data" is any data that is directly or indirectly connected with an identified or identifiable private person (the "personal data subject"), while an "operator" is a legal entity or a private person that is "processing" the personal data. Processing is defined as any operation or set of operations, with or without the use of automated means, performed on personal data, including collecting, recording, systematising, accumulating, storing, specifying (updating, amending), extracting, using, transferring (sharing, providing, giving access), depersonalising, blocking, deleting and destroying personal data.
Under the Personal Data Law, one of the key personal data protection principles is that personal data processing shall be limited to achieving precise, predetermined and lawful aims.
As a general rule, personal data may be processed provided that the personal data subject has consented to it. However, the Personal Data Law contains an exhaustive list of exceptions under which it may be processed without consent. Among such exceptions are situations in which processing the personal data is necessary for achieving specific aims stipulated in international treaties or in Russian law; exercising justice or enforcing a court act; performing a contract to which the personal data subject is a party; or protecting the life, health or other essential interests of the personal data subject.
Processing special categories of personal data (which concern a person's race, nationality, political views, religious or philosophical beliefs, health condition or intimate life) and biometric personal data generally requires the personal data subject's written consent.
Generally, an operator is obliged to notify Roskomnadzor (the Russian Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications) of its intention to process personal data before it actually commences doing so. On the basis of such a notification, Roskomnadzor adds the operator to the Personal Data Operators Register, which is publicly available on the official Roskomnadzor website (http://rkn.gov.ru/personal-data/register/).
In a small number of cases an operator is not obliged to notify Roskomnadzor and is not added to the Register, for instance if it processes personal data in accordance with Russian labour law, processes personal data made publicly available by its subjects, or processes personal data that includes only the subjects' names and surnames.
Operators shall also guarantee that personal data is secure from unauthorised or accidental access by third parties by following the security requirements set out in the Personal Data Law and a number of sub-laws.
It should also be mentioned that, starting from 1 September 2015, operators may, as a general rule, record, systematise, accumulate, store, specify (update, amend) or extract personal data of citizens of the Russian Federation only using databases/servers located in Russia.
Operators that do not follow the Personal Data Law requirements may bear civil, administrative or even criminal responsibility. Online platforms and websites that do not follow the rule regarding Russian citizens' data can be blocked from access within the territory of Russia by Roskomnadzor.
In June 2016, new regulations connected with personal data and privacy issues were adopted by the Federal Law "On Changes to the Federal Law 'On Counter-terrorism' and Related Laws of the Russian Federation Establishing Additional Counter-terrorism and Public Security Measures". This has significantly affected the data privacy and technology sectors.
This law also introduces changes to the regulation of telecommunications and the internet, in particular to Federal Law No 126-FZ "On Telecommunications" and Federal Law No 149-FZ "On Information, Informational Technologies and Protection of Information".
New regulations require Russian communications service providers and internet telecommunication operators to store in Russia all information on their customers' and internet users' communications and messages for specified periods. This covers operators of information systems and/or computer software designed or used for receiving, transmitting, delivering and/or processing of Internet users' electronic messages and includes messaging service providers, public email service providers, social media, blogging, news and other platforms, and IP-telephony providers and the like.
The scope of data to be stored for three years is all metadata on customers' communications and messages (information on the receipt, transmission, delivery and/or processing of voice data, texts, pictures, sounds, video or other types of messages). Internet telecommunication operators have to maintain an archive of data on internet users and their communications and messages for one year. There is also a general obligation for communications service providers to disclose any data to Russian law enforcement authorities upon request.
The new changes put additional obligations on communications service providers and internet telecommunication operators to keep and store the content of customers' and internet users' communications and messages (in addition to metadata) for up to six months. However, the full process and details of the regulation will need to be determined by the Russian government.
The new law requires those internet telecommunication operators that use encryption for electronic messaging services and/or provide encryption functionality to internet users to disclose the relevant decryption tools to the Russian Federal Security Service. Failure to comply with these requirements may lead to administrative fines of up to 1 million rubles (approx. USD 15,500). It is not clear, however, at this stage how this can be applied to systems with an open (public) encryption key.
The new requirements and amendments come into force on 1 July 2018, so operators will have time to prepare to be compliant with the new regulations.
There is no general federal data protection law in the United Arab Emirates (UAE) comparable to those applicable in Europe. There is also no single national data protection regulator. There is a general right to privacy for citizens under the Constitution of the UAE. This right is limited to citizens of the UAE. Further, the Penal Code (Federal Law 3 of 1987) provides that the publication of any personal data which relates to an individual's private or family life is an offence.
Data privacy is regulated in Vietnam by multiple different Laws. This has created a patchwork of rights, which may overlap or duplicate each other. This is not unusual in Vietnam and makes data privacy a complex area.
The core right is in the 2005 Civil Code, which states that the "right of privacy" is an essential human right and that all activities of collection, publication of and access to personal data can only be carried out with the consent of its owner or legal guardian. However, the Civil Code does not provide a definition of private information; nor does it clearly state how consent should be formally given, in which circumstances private information can be disclosed, or even how to evaluate loss and damages where private information was illegally accessed. Normally additional regulations specify such matters, but none were enacted, which is not surprising given how long ago this was.
The earlier 1999 Penal Code has a little relevance, but it does not set out acts of privacy infringement in general. One case is envisaged, for instance: detaining someone's personal correspondence without consent is punishable by a prison sentence of 2 years maximum.
The Law on E-transactions of 2005 requires that customers give consent for the use of private information. The Law merely encourages e-customers to reinforce their caution in protecting their personal data. In 2013, the Vietnamese Government enacted Decree No. 52/2013/ND-CP for further guidance on e-commerce activities. The decree brought many useful definitions, such as the interpretation of personal data and of the collection of such data. For example, this decree defines personal data as "the information contributing to identify a specific individual, including his/her name, age, home address, phone number, medical information, account number, information on personal payment transactions and other information that the individual would like to keep confidential" and the collection of such data as "the collection of information to put it into a database, including personal information of many consumers as customers or potential customers of the traders, organizations or individuals engaged in e-commerce".
The Law on Information Technology (IT Law) dated 2006 also contains extensive regulations concerning the collection, processing, use, storage and provision of personal information. This Law particularly sets out obligations in relation to consent (exceptions for processing without consent), use, retention/deletion, security, correction, disclosure and compensation. However, this Law only applies to Vietnamese and foreign organizations and individuals engaged in information technology applications and development activities across Vietnam.
Finally, the 2010 Law on Consumer Protection ("LCP") prescribes that a consumer's prior consent must be obtained before collecting, using or transferring personal data. It also specifies a number of conditions to be fulfilled:
- Clearly inform the consumer of the purpose of the use of his personal data;
- Ensure safety, accuracy and completeness during the collection, use and transfer processes;
- Enable the updating and correction of information automatically or at the request of the customer; and
- Transfer the consumer's personal data to third parties only with his or her express consent.
Since data privacy is regulated by different laws, there are different enforcement agencies responsible for ensuring compliance. In practice, acts contrary to the regulations set out in the IT Law and the LCP in respect of data privacy will be handled by administrative agencies such as the Inspectorate of the Ministry of Information and Telecommunication (MIT), the People's Committee (at district or provincial level) or the Police.
Financial damages in disputes arising from data privacy infringement are settled by the Civil or Economic Courts. Criminal cases only arise when the infringement falls within the Penal Code's scope.
Because so many different regimes exist in parallel, great care must be taken before using personal data in Vietnam.