International businesses have to comply with increasingly divergent, complex and sometimes conflicting cybersecurity and data privacy requirements around the world. As the collection and use of data increases across a variety of sectors, so do the threats of cyber attacks from hackers and malware systems. As a result, data protection regulation is rapidly evolving worldwide to cope with the increasing demand to protect personal data from misuse. There are also key changes in the political climate, such as the UK's decision to leave the European Union, that may affect data protection regulation and change the way in which organizations transfer personal data. This article explores five data privacy and cybersecurity questions that a general counsel should ask to ensure that their organization is prepared for the changes ahead in Asia and Europe.
What effect will the NIS Directive have on cybersecurity requirements in Europe?
Once implemented in each European member state, the NIS Directive will require businesses that are identified as "essential service" providers (i.e., banking, energy, health and transport organizations) as well as digital service (e.g., cloud computing) providers to adopt minimum security standards and report incidents of cybersecurity breaches promptly. Member states will implement these requirements through a designated national NIS authority and a Computer Security Incident Response Team. Each member state must implement the NIS Directive by May 2018 and must identify those organizations that it considers to operate "essential services" by November 2018.
What do we need to know about the General Data Protection Regulation (GDPR)?
From May 2018, the GDPR will strengthen existing data protection laws throughout Europe. The GDPR will apply to data controllers and processors across all sectors in the European Union. Even organizations established outside the European Union will now have to comply with the GDPR if they are offering goods or services to, or monitoring, individuals inside the European Union. The GDPR introduces a 72-hour data breach notification requirement, increased rights for data subjects (such as the right to be forgotten) and increased fines of up to four percent of worldwide turnover for noncompliance. Organizations that process personal data on a large scale may be required to appoint a data protection officer to advise on, implement and monitor compliance.
How will Brexit affect data protection and cybersecurity?
If the United Kingdom remains part of the EEA, it is likely that the United Kingdom will retain the GDPR and the NIS Directive requirements. Even if the United Kingdom does not remain part of the EEA, the United Kingdom will have to implement laws equivalent to the GDPR to be considered as offering an "adequate" data protection regime and so continue to receive personal data from the remaining EU countries. If the United Kingdom is not determined to offer adequate data protection, organizations should consider putting alternative arrangements in place so that transfers of personal data from Europe to the United Kingdom and beyond can continue.
What effect will China's pending Draft Cybersecurity Law (CSL) have on cross-border data transfer?
The draft CSL requires that operators of "critical information infrastructure" (CII) store "personal information and important transaction data collected and generated" in China. If, for legitimate business reasons, the data must be provided to a foreign entity outside China, the operators must complete a "security evaluation" jointly formulated by the National Cyberspace Administration and State Council. (The draft CSL does not provide definitions of "CII" and "security evaluation." The CSL has gone through two drafts and may be finalized soon.)
Five Questions General Counsels Should Ask About Cybersecurity and Data Privacy in Asia and Europe
The Administrative Provisions on Mobile Internet Applications Information Services ("Mobile Provisions") came into effect on August 1, 2016 in China. The Mobile Provisions govern "application software obtained through pre-installation or downloads and which is used in mobile smart terminals to provide information services to users" and apply to both mobile app providers and mobile app stores. Mobile app providers need to satisfy six requirements when operating in China, including the need to verify a new app user's identity, to report users whose published content violates laws to the relevant government agencies and to record user logs and keep them for at least 60 days.