On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial access enabled the hackers to gain entry to power company control systems through a complex series of security compromises lasting quite some time. Continue reading
Data protection laws in Asia continue to be introduced and updated. One of the most recent developments in South East Asia is in Thailand. On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). This Draft Act is currently under consideration by the Council of State.
Thailand currently does not have any specific law regulating data protection. The Office of the Prime Minister first published the Draft Act in 2014. The Draft Act has undergone several rounds of changes and this article aims to give a high level overview of the recently approved version of the Draft Act.
The Draft Act has been revised to replicate many of the concepts and obligations which are common across global data protection laws and in particular the GDPR. We have highlighted some of those key obligations below.
The new law has some key definitions which are similar to data protection laws elsewhere:
- “Personal data” is broadly defined as information that is able to directly or indirectly identify a living individual.
- “Data controller” is a person (whether a natural or legal person) who has authority to make decisions on collection, usage or disclosure of Personal Data.
- “Data processor” is a person (whether a natural or legal person) who collects, uses or discloses Personal Data in compliance with the orders of data controller.
The Draft Act regulates both data controllers and data processors, whether or not they are in Thailand, who collect, use or disclose Personal Data collected from individuals in Thailand (whether or not those individuals are Thai citizens). This means that organizations outside of Thailand may be subject to the Draft Act.
Specific consent is required from the data subject, in writing or via electronic means, prior to or at the time of collection, use or disclosure of personal data, unless one of the prescribed exceptions applies. A data subject may at any time revoke his/her consent, unless there is a restriction under the law or contract on revoking such consent.
Collection of personal data
Collection of personal data must be for a lawful purpose and be directly relevant to, and necessary for, the activities of the data controller. The data controller must inform the data subject of the following, prior to or at the time personal data is collected:
- the purpose of the collection;
- the personal data to be collected;
- to whom the personal data might be disclosed;
- contact information of the data controller; and
- the rights of the data subject.
This information would usually be provided by way of a collection notice.
Except under limited circumstances prescribed under the Draft Act, personal data must be collected directly from the data subject. Also, the collection of sensitive personal data, such as religious belief, political preference, sexual behaviour or medical records, is prohibited except under limited circumstances prescribed under the Draft Act or ministerial regulation. Examples of the permitted circumstances for collection of sensitive data include where sensitive data is collected to protect or prevent harm to a person’s life, body or health, or to comply with any legal requirement on the data controller.
Cross-border transfer of personal data
Personal data can only be transferred to a country with rigorous data protection measures and in accordance with guidelines to be prescribed by the Personal Data Protection Committee, unless:
- the transfer is made pursuant to any applicable law;
- consent is obtained from the data subject;
- the transfer is in compliance with the contract entered into between the data subject and the data controller;
- the transfer is in the interests of a data subject who is incapable of giving consent; or
- as otherwise prescribed by ministerial regulation.
Rights of data subject
A data subject is entitled to access his/her own personal data which is held by the data controller, or to request the data controller to disclose the sources of information where such personal data is collected without his/her consent. In the event that the data controller fails to comply with any provision of the Draft Act, a data subject is entitled to request the data controller to delete, destroy, temporarily suspend the use of or anonymize personal data.
Fines and penalties
Both civil and criminal penalties can be imposed on the data controller for violation of the provisions of the Draft Act.
The data controller may continue to use personal data collected prior to the date that the Draft Act comes into force, provided that:
- such personal data is only used for the purpose for which it was originally collected; and
- a mechanism is made available and publicised by the data controller for the data subject easily to request deletion of his/her personal data.
If the council of state approves the Draft Act, the Draft Act will be forwarded to the Thai cabinet and subsequently to the national legislative assembly for approval before coming into force. No official time frame for this process has been announced so it is difficult at this stage to anticipate the enactment date of the Draft Act.
The Draft Act means that companies doing business in Thailand or handling the data of Thai citizens will need to reconsider their policies and procedures for handling personal data in accordance with the new law once passed. Fortunately, it seems that the approach taken under the Draft Act is not inconsistent with many major data protection laws around the world, so companies with a robust data protection regime in place may not have to make too many changes to accommodate the new law.
On July 5, the European Parliament passed a non-binding resolution, asking the European Commission, the EU’s executive body, to suspend the Privacy Shield framework. The EU-US Privacy Shield, designed by the US Department of Commerce and the European Commission, provides a mechanism for companies to transfer personal data between the EU and the US while remaining compliant with EU data protection laws.
The European Commission passed the data-sharing privacy framework on July 12, 2016, after its precursor, Safe Harbor, was struck down by the European Court of Justice on October 6, 2015.
Since the European Parliament’s resolution is non-binding, the European Commission could choose to ignore it. However, the Commission will no doubt take the Parliament members’ concerns into consideration in its annual review of the Shield which is due in September.
Further discussions on whether to renegotiate the Privacy Shield is also on the table since the Shield is based on the now defunct EU directive 95/46, which the European Union General Data Protection Regulation replaced when it went into effect on May 25, 2018.
Several U.S. states have recently introduced and passed legislation to expand data breach notification rules and to mirror some of the protections provided by Europe’s newly enacted General Data Protection Regulation (“GDPR”). See our previous blog posts on GDPR here and here. Like their European counterparts, these state laws are intended to provide consumers with greater transparency and control over their personal data. The California and Vermont laws, in particular, go beyond breach notification and require companies to make significant changes in their data processing operations. See our earlier post on the California Consumer Privacy Act (“CCPA”) here. Continue reading
On June 28, 2018, California lawmakers enacted the California Consumer Privacy Act of 2018 (the “CCPA”) a sweeping, GDPR-like privacy law which is intended to give California consumers more control over how businesses collect and use their data.
The new law is set to take effect on January 1, 2020 which means the California legislature may still consider changes to the new law in the coming months and years. Lawmakers moved swiftly to pass the bill to preempt a November ballot initiative that would have codified more stringent rules.
Many industry players preferred this legislative approach over the now-abandoned ballot initiative because, under California law, approved ballot initiatives can only be changed through another ballot initiative. Now that the law has passed—some critics argue, without adequate public debate because of this rush to avoid a costly and contentious battle over the ballot initiative in November—we can expect a fuller review of the law’s impact and more conversations about consumer protection and privacy rights in the US.
For companies that have implemented a compliance plan for European Union data subjects under the EU General Data Protection Regulation (“GDPR”), this law means many of the similar protections will now need to be extended to California residents. Read more below for a summary of what was included in the law that was passed yesterday.
On June 22, 2018, the US Supreme Court issued a 5-4 decision in Carpenter v. United States, holding that the federal government needs a warrant to access cellphone location records.
In the decision, the Court agreed that there should be a higher standard for accessing location records due to their intrusive nature. Continue reading
By June 30, 2018, retailers accepting digital (online) credit card transactions must cease using encryption protocols known as SSL or TLS 1.0. Retailers must transition to TLS 1.1 or higher (such as the popular TLS 1.2) or else lose the ability to accept credit card payments. Continue reading
Websites go dark, complaints are filed within an hour, European Commission suffers an embarrassing data leak, and the US Commerce Secretary warns about the unintended trade impact of the law – all in the first week of the GDPR
The European Union’s far-reaching General Data Protection Regulation (GDPR) went into effect on 25 May amid much anticipation. Although the date itself was seen as a watershed moment, what comes after will reveal the full impact of the law. Even for those businesses that have declared that their GDPR compliance efforts have completed, the work of maintaining and updating their privacy and data protection framework will need to continue well after 25 May. We have also yet to see how 28 EU member states and the Court of Justice of the European Union will interpret the law.
In the days leading up to 25 May, millions of inboxes were filled with updated privacy notices and requests for marketing consent and pop-up notices for cookies were added to websites across the globe, as many businesses contemplated if and how the new law applies to them. Just in the first week, we are seeing glimpses of what lays ahead. Certain American news publications decided to shut themselves off to European users on their websites, a first series of complaints were filed against US tech giants and their subsidiaries, and the European Commission, in an embarrassing turn of events, was found to have had a data leak on one of its websites, Europa.eu. Just five days after the law has gone into effect, Wilbur Ross, the US Commerce Secretary, published an opinion piece in the Financial Times, that warns: “EU data privacy laws are likely to create barriers to trade.”
We take a look at the initial reactions and events that occurred in the first week following the implementation of the GDPR, provide some insight into the GDPR’s impact on the digital economy and trade and provide, as we always do, some practical tips for how to manage privacy and cybersecurity risks in this ‘new era’.
The wait is finally over—this Friday the European Union General Data Protection Regulation (GDPR) will come into force. For many readers of this post, a huge amount of work will have been done in recent months in building up to compliance with the new regime. However, the challenges of GDPR certainly don’t end on the date this law goes into implementation. We have shared below some interesting points that we’ve seen arising recently, all of which relate to how things are likely to develop from today onwards, including enforcement predictions, challenges related to operationalizing data subject access procedures, and how the GDPR may change the data privacy litigation landscape in Europe.
For many organizations that are based outside the EU and took the “wait and see” approach, our checklist may come in handy, which gives an illustrative overview of the requirements likely to impact most types of businesses and the practical steps that organizations need to take to meet those requirements. We also have a chatbot powered by artificial intelligence that helps clients to determine whether the GDPR applies to their business.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) plans to issue an advance notice of proposed rulemaking this November on potentially sharing HIPAA breach settlements with victims.