Archive for the ‘Regulations’ Category

China proposes draft privacy legislation with significant potential implications

On July 6, 2015, China’s legislature, the National People’s Congress (NPC), circulated for comment two pieces of draft legislation with significant potential implications for data privacy and data security in China. The key provisions of these two draft laws are summarized below.


Coming closely on the heels of the July 1, 2015 promulgation of a new national security law, the draft Cyber Security Law (网络安全法) has as its stated goal the protection of “cyber sovereignty” and the preservation of cyber security. It includes provisions governing data localization, protection of personal information and other data, and network security.

  • Definition of personal information. Many Chinese regulations that include provisions governing the protection of personal information are unclear on the scope of the term “personal information”. The draft law includes a relatively detailed definition of “citizens’ personal information”, meaning personal information such as a citizen’s name, birth date, ID number, biometric data, profession, residence, or telephone number, recorded electronically or through another method, as well as other kinds of information that, alone or combined with other information, may be used to determine a citizen’s identity.
  • Data localization. Article 31 of the draft law would require an operator of “key information infrastructure” to store personal information and other “significant data” collected and produced in the course of its business operations inside China. It would also require that, before any of that data can be shared with parties overseas or stored overseas, the Chinese company complete a security evaluation of the risk associated with the data export. The term “key information infrastructure” refers to, among other things, public communications infrastructure and information systems used by public utilities, by government at the municipal or higher level, by the military, or in transportation systems, health care, or the financial sector. Notably, the term also includes networks and systems owned or managed by network service providers that provide services to “large groups of users”, potentially giving the data localization requirements of the draft law a very broad application. Frustratingly, the term “significant data” is not defined in the draft law. We anticipate the intention is to reinforce existing restrictions on the export of state secrets, as well as to address other information whose export may have an impact on national security, but further guidance will be needed on this issue, as well as on the nature of the security evaluation required in connection with data exports.
  • Data protection. Chapter 4 of the draft law includes broad provisions governing the protection of network data, including personal information. The term “network data” refers to all kinds of electronic data collected, stored, transmitted, processed, and produced through networks. The personal information protection provisions take a similar approach to personal information protection in sector-specific data privacy rules already in place with respect to the telecommunications sector. The provisions apply to all “network operators”. “Network operator” and the term “network” are both defined broadly so that the obligations apply to the owner of any computer information network, as well as to any party who administers a computer information network or provides services over it. As such, the data protection provisions of the draft law apply broadly to a very wide range of parties who either own or use a computer information network (and effectively to all personal information in electronic form), and not only within the limited sectors covered by current rules. The principal requirements include the following:
    • Collection and use of personal information must comply with the principles of legality, legitimacy, and necessity.
    • The purpose, method, and scope of the collection and use of personal information must be expressly disclosed, and the collection and use of personal information must be based on the individual’s consent.
    • Network operators may collect and use personal information only in connection with their provision of services and should not collect or use personal information outside the scope agreed by the individual.
    • Network operators should disclose to individuals their policies for the collection and use of personal information.
    • Individuals can demand that personal information collected unlawfully be deleted, and they have the right to demand correction of personal information that is inaccurate.
    • No entity or individual may steal or acquire personal information by other unlawful means, or sell or unlawfully provide personal information to others; this language mirrors the personal information provisions of the draft Ninth Amendment to the Criminal Law, discussed later in this update.
  • Security certification/inspection. Article 19 of the draft law would require that key network equipment and special-purpose network security products comply with applicable security standards and be subject to a security certification or security inspection before being sold in the market. The security certification/inspection requirement builds on a similar requirement contemplated for equipment used in the telecommunications and Internet sectors in the Guiding Opinions on Strengthening Network Security in the Telecommunications and Internet Sectors. Article 19 makes clear that its implementation is subject to the issuance of a catalogue of key network equipment and special-purpose network security products by the “State network information department”, a reference to the Cyberspace Administration of China (CAC).
  • National security review. Article 30 of the draft law contemplates a vague national security review requirement, requiring the operator of “key information infrastructure” procuring network products or services to undergo a security review process led by the CAC if the procurement “might have an effect on national security”. This brief provision does not provide further details but states that the implementing measures for this process will be issued by the State Council. This requirement echoes the announcement made by the State Internet Information Office on May 22, 2014, which stated for the first time that all important technology products and services affecting national security or the public interest will be subject to a “cyber security” review. This provision of the draft law would establish the formal statutory basis for implementing such a national security review process for the procurement of IT equipment and services for important IT infrastructure.

It is difficult to predict how long it will take for the NPC’s legislation process to be completed after the period for comments closes on August 5, 2015. The draft law is still subject to two readings before the full NPC or its Standing Committee, and we anticipate that a significant amount of debate within government circles has yet to take place on various aspects of the draft law before the law is formally promulgated. Some commentators are predicting that the draft law will be promulgated before the end of 2015.

In the meantime, various other regulatory efforts continue as part of the Chinese government’s campaign to enhance network security, many of which are likely to have an adverse impact on market access by foreign IT companies.


As we reported previously, the NPC circulated for public comment Amendment 9 to the Criminal Law of the People’s Republic of China (Draft) (中华人民共和国刑法修正案(九)(草案)), which contemplated a significant broadening of the scope of criminal liability under Article 253 of the Criminal Law for misuse of personal information.

The NPC has now circulated a second draft of Amendment 9 (刑法修正案(九)(草案二次审议稿)), which, while reworking the drafting of the data privacy provisions of the first draft, preserves the scope of criminal liability contemplated in the first draft while increasing the related penalties. Any breach of Article 253 would now be subject to a prison term of up to three years, with a longer prison term of between three and seven years if the circumstances are especially serious. Under the previous draft, the maximum penalty was three years (two for the new offense of unlawfully “selling or providing personal information to another party” introduced in the first draft).

It is likewise difficult to predict how long it will take for the NPC to complete its legislative process for the Criminal Law amendment after the period for comments closes on August 5, 2015. The draft is still subject to one further reading before the full NPC or its Standing Committee.

Source: Morrison & Foerster LLP, Paul D. McKenzie and Wei Zhang


Compliance Update – Law Finally Outlaws ‘Back Door’ Criminal Records

March 12, 2015

As of March 10, 2015, the United Kingdom’s Ministry of Justice has finally brought into force a law formally outlawing employers and third parties from carrying out ‘back-door’ criminal record checks on candidates in the United Kingdom. Violators could face criminal prosecution, including unlimited fines. Buyers of background screening services need to ensure that screening providers acquire their criminal record information in accordance with local legal provisions, or they could face criminal as well as civil sanctions from local authorities.

For years, some third-party background screening providers and employers, both within the UK and outside it, have tried to bypass the well-established lawful process for vetting criminal records for employment and other purposes in the UK, whether by demanding that a potential employee exercise their rights under the DPA to obtain the criminal record information held about them (a practice known as ‘enforced subject access’) or by other back-door routes to criminal court records.

Aletheia Consulting Group is the leading Global Background Check Consulting firm. We focus solely on providing industry leading independent third-party best practice advice to global organizations no matter where in the world your organization may operate from. Helping you make the right decisions.

Violations of Proposed EU Privacy Rules Could Cost Companies Up to Two Percent of Global Revenues

April 24, 2012

A BEERG-HR Policy Association policy paper describes how a proposed new regulation in the European Union replacing the myriad national laws governing individual data protection with a single set of EU-wide rules would have significant consequences for employment data.  Most significantly, a violation of the regulation could subject a company to a fine of up to two percent of its annual global revenues.  The policy paper, prepared by international law specialist, Malcolm Mason, describes several areas where the proposed regulation would impact the collection of HR data, including:

  • A requirement of a “valid consent” by an employee before her/his data can be processed, and such consent may not be made a condition of employment;
  • Stricter controls on transfers of personal data from within the EU to countries outside the EU;
  • A “right to be forgotten” requiring data controllers to delete personal data relating to a data subject where the individual withdraws consent, objects to that controller’s processing of their information, or where their personal data is no longer needed; and
  • A requirement to appoint a “data protection officer” for a two-year term with enhanced job protections.

While the proposed regulation is mainly targeted at social media and Internet trading, it fails to recognize that the nature of the relationship between an employer and an employee is fundamentally different from that between a user and Twitter or Facebook.  As the proposal moves forward, our European ally BEERG will be making the case that employment data should be treated differently from social media data or client/consumer data and subjected to a separate set of rules.


European Companies Preparing for Data Protection Overhaul

April 21, 2012

The recently unveiled European Union (EU) data protection proposals call for hefty fines, new rules for reporting data breaches, large companies to appoint a data protection officer and several other regulations. Although the legislation has yet to be put into effect, many European enterprises are already planning ahead, making changes to their IT security strategies and policies.

The data protection proposal would enable the EU to fine companies in violation of the laws up to 2 percent of their global annual turnover. Combined with the increasing prevalence of cyberattacks and data breaches, the threat of severe financial punishment has prompted many businesses among EU member states to make continuous compliance an organizational priority.

According to a recent study by Tufin Technologies, 42 percent of network security managers believe the EU proposal has led to heightened risk awareness in their organization. Additionally, 34 percent of respondents said their attitude toward continuous compliance has changed due to the data protection legislation, and 54 percent said automating compliance audits would help reduce the risk of violating the regulations, potentially saving the company from being fined.

“While 29 percent of respondents have partially automated compliance audits, those processes that are not automated run the risk of falling out of compliance the moment after the auditor signs off on the audit,” said Shaul Efraim, vice president of marketing and business development for Tufin.

The report said respondents provided vastly different answers regarding best practices in reducing the risk of noncompliance. According to Tufin, some IT security professionals said a strict regulatory compliance strategy that includes a comprehensive data security awareness program would help organizations meet EU compliance standards.

While the proposed legislation may cause headaches for enterprise compliance officers and other IT professionals, the EU and Justice Commissioner Viviane Reding are confident the laws will facilitate stronger data protection standards for government organizations, businesses and consumers.

“Seventeen years ago less than 1 percent of Europeans used the internet,” Reding said. “Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds. The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data.”

Reding said the presented changes to the existing policy will save businesses around €2.3 billion per year by providing them with a single set of rules and one data protection authority to report to, reducing costs related to paperwork and other compliance expenses. Meanwhile, enterprises will be required to notify authorities about data breaches as quickly as possible – within 24 hours if feasible. Also, companies with more than 250 employees will have to appoint an independent data protection officer.

With the new regulations requiring organizations to report data breaches quickly, and large fines for companies that fail to do so, it is essential for IT decision-makers to consider implementing security solutions capable of detecting and eliminating advanced threats before a major breach occurs. Some IT security providers offer integrated systems that analyze security events in real time, giving enterprises the ability to reduce costs, detect threats efficiently and decrease risk. These solutions can also help organizations meet regulatory compliance standards by encrypting critical data, controlling access and continuously monitoring company networks, systems and endpoints.

The importance of data protection legislation, organizational policies and awareness is at an all-time high, as cyberattacks are more sophisticated and widespread adoption of mobile devices has opened the door for new threats. According to a recent global survey, 86 percent of IT professionals believe their job would be at risk if a data breach occurred, revealing yet another reason enterprises must develop better security and data protection plans.

Source: Security News by Trend Micro

China Adopts Internet Regulations

April 19, 2012

China’s Ministry of Industry and Information Technology has promulgated regulations governing the collection, storage and use of personal information by parties providing information services over the Internet. The regulations cover not only entities known in the West as Internet Service Providers, but also Chinese companies whose principal business is online as well as Chinese companies with more limited online activities. The new rules, Several Regulations on Standardizing Market Order for Internet Information Service, adopt the European definition of personal information; require user consent for collection and disclosure; impose obligations to secure data and to take immediate remedial measures in case of breaches; require expressly informing users of the method, content and purpose of collection and limiting use to that purpose; and make violators subject to sanctions that include rectification orders, warnings and modest financial penalties. The regulations came into effect on March 15, 2012.


Ghanaian Parliament Passes Data Protection Bill

April 19, 2012

After reports last July that the Data Protection Bill had been withdrawn from Ghana’s Parliament for adjustments, the bill was re-introduced and Parliament passed it on February 10. The Act, said to be awaiting presidential assent before it becomes fully operational, is modeled on European precedents and will set out the rights and responsibilities of data controllers, data processors and data subjects in relation to personal data, under the supervisory authority of a Data Protection Commission. Ghana swore in a new President, John Atta Mills, a 64-year-old law professor, on January 8.

International personal privacy compliance for global staffing directors

January 17, 2012

Terry Corley of Aletheia Consulting Group reviews the responsibilities and obligations of employers under the European Data Protection Directive and the UK Data Protection Act, and the issues that a Director of Human Resources for a multinational organization can expect to face in the global marketplace.

Ann Lane is a newly appointed Staffing Director at a large professional services firm, Abacus Accounting, Inc (ABACUS), based in the United States. ABACUS also maintains offices in over 50 countries across Asia, Europe and Latin America. Today, the majority of all HR-related activities are handled by ABACUS’s corporate headquarters in the US.

In addition to her daily human resources responsibilities, the Vice President of Human Resources tasked Ann with determining whether ABACUS is compliant with data privacy (data protection) requirements in relation to how it handles employee data abroad. There was concern in management that the company might be exposed to liability for non-compliance. Management was also conscious that the company had not given sufficient consideration to many of the emerging international data privacy issues in the past, and that a number of its normal processes and policies might have to change as a result. The Vice President therefore asked Ann to report to the Board with her recommendations.

ABACUS recruits new candidate
As ABACUS’s Finance Director for European operations, based in London, had recently accepted a position with another firm, Ann’s first major task was to oversee the recruitment of a replacement. At the same time, management took the view that it could improve the level of customer service it provides at select Asia Pacific locations, and so asked Human Resources to recruit three new client services representatives for the Singapore and India offices.

To find a new Finance Director, Ann decided to use the services of an executive search firm as well as the staffing firm normally used by ABACUS to fill vacancies. She then instructed both agencies to locate qualified candidates from the countries in which the positions will be filled.

US executive search firms recruiting from abroad
The very nature of the work of an executive search firm, head-hunter or staffing firm means that personal information is inevitably collected without an individual’s knowledge or consent, at least during the initial stages of recruitment. This can become challenging when a US-based employer plans to employ local nationals in a foreign country and is not familiar with the employment and privacy legislation in that country. Fortunately, this is of little concern for Ann until the recruiter provides her with the names of candidates that meet ABACUS’s initial recruitment requirements.

Complying with local data processing guidelines
It is at this point that Ann would normally begin processing personal information about a US-based candidate. However, after talking with corporate counsel and the company’s Chief Privacy Officer, she learns that, under the UK’s Employment Practices Data Protection Code, it is better if she is provided with applicant information in a manner that does not constitute the processing of ‘data’. Otherwise she will be obligated to notify the candidate that she is processing their personal data ‘as soon as practicable’ after receiving the information from the search firm.

Company adequacy determination
Transferring personal data back to the US at this point would also require ABACUS to determine whether the company meets the adequacy requirements of the European Union Data Protection Directive (95/46/EC). These laws limit the transfer of human resources data from the EU to third countries, such as the US, unless the third country or the receiving entity is found to provide an adequate level of protection. Accordingly, any employer such as ABACUS processing applicant data in the EU must first revise its HR data practices to conform to the Directive and member state laws while the data is still in the EU.

These laws impose substantial requirements on the collection, transfer, processing and use of virtually all employee data. Member states such as the United Kingdom have further enacted laws such as the UK Data Protection Act 1998 to implement the Directive, which also apply to employee and consumer personal information.

In the short term, Ann determined that, until ABACUS is capable of meeting the adequacy requirements, she should not request that personal information be sent to her electronically from the UK to the US. This reduces the risk of the information constituting ‘personal data’, although it is unlikely that a paper-based record of an executive recruiter’s notes would be caught by the Directive or the DPA, given the restrictive definition of a ‘relevant filing system’. If the suggested names are not considered suitable, Ann will immediately destroy the information.

Legal basis for transfers
When transferring employee data from the EU to third countries such as the US, companies such as ABACUS are required to identify and implement a legal basis for such transfers. Employers operating in the EU that collect or process personal information in the EU without adhering to member state laws or that transfer personal information from the EU to a country without adequate protection or a relevant exception may incur substantial legal liability.

A growing challenge
Organizations are facing a growing challenge in managing the collection, use, processing and transfer of mass amounts of HR personal information, especially in light of the myriad of international personal privacy laws that exist today as well as emerging technologies designed to manage HR data in a global environment.

Effective management of overseas data privacy, HR policies for international applicants, and security requires a multi-disciplinary approach spanning policy development, legislation, technology and business processes in order to fully understand data protection and privacy issues. It also requires recognition that effective HR data management is a process that must include a comprehensive Human Resource Data Privacy Management Plan for responding to constant changes in both the internal and external factors affecting global employee data use in multinational organizations.
