Data protection is not only a current topic in Germany but also in numerous countries worldwide, within and outside Europe. Looking beyond our own backyard can help to sharpen the focus of our own discussions, be they legislative, on data breaches, or on the monitoring by governmental authorities. Let’s take the leap into the foreign data protection waters.
Costa Rica: In 2011, Costa Rica enacted a data protection act which has now entered into force. Because this legislation is similar in content to the European rules, Costa Rica is expected to seek a determination by the European Commission that it provides an adequate standard of data protection. The act introduces the concept of consent to data processing and grants specific rights to the data subjects if their data are published. Data breaches must be reported within five days of becoming aware of them. Data controllers are required to report databases containing personal data to Prodhab, the newly founded Costa Rican data protection authority, and Prodhab must be given a “super-user” account to those databases. Unusually, the Costa Rican law introduces a fee on the sale of databases: for each individual datum, an amount between 25 U.S. cents and one U.S. dollar has to be paid, with the exact amount determined by Prodhab. The maximum fee is capped at 10% of the contract value. Fines for data breaches range from US$670 to US$20,000, contrary to the European trend of providing for substantial fines.
India: The Indian government currently employs a central monitoring system intended to grant the authorities extensive access to citizens’ telephone calls and internet use, in the name of national security. Initially created in response to the terror attacks of 2008, the system may become the perfect means for the enforcement authorities to keep citizens under surveillance, in true Big Brother fashion; the tax authorities can also access the information. The legal grounds for the system are found in the Information Technology Act 2000, which permits the government to intercept, monitor and decrypt all information generated, transmitted, received or stored on a computer if security or public order are at risk. The system seems to be yet another step by the Indian government in a line of measures which restrict citizens’ (communication) freedoms in the name of security, such as the blocking of mass text messages following turmoil last year.
Japan: In May, Yahoo announced the potential compromise of 22 million log-in details of Yahoo Japan users, which may have been obtained by hackers. The attack on Yahoo’s network could only be stopped by cutting the servers’ Internet access. It is currently (at the date of publication) unclear whether the hackers actually obtained the data. While the data apparently does not contain passwords, Yahoo Japan nevertheless recommends that its users change their log-in credentials. In contrast to Sony, which fell victim to a massive scandal in 2011 and took about a week to inform its users, Yahoo announced the potential loss of data promptly and started contacting its users shortly after. A straightforward approach such as Yahoo’s can help minimize the damage to a company’s reputation.
Canada: Canadian companies and public authorities are not immune to data protection mishaps either. The department Human Resources and Skills Development Canada lost an external hard drive that contained personal, in particular financial, information on more than 500,000 Canadians who had, at some stage, applied for student loans. The hard drive was not encrypted.
Similar is the case of the Investment Industry Regulatory Organization of Canada (IIROC), which lost a laptop containing financial information on more than 50,000 Canadian brokerage customers, likewise not encrypted. What is peculiar about this case is that encryption of such information is highly recommended in the information-handling rules issued by the IIROC itself.
Both cases, symbolic of a multitude of data breaches across the globe, clearly show that the best laws, regulations and internal guidelines will not bear fruit if the most basic measure is not implemented: training and educating the people that handle personal data day to day.
Mexico: Since 2010 Mexico has had a data protection act protecting the privacy of the data subject. In April, the guidelines on privacy notices came into force (“Lineamientos del Aviso de Privacidad”). According to these guidelines, data controllers and processors are required to provide detailed information to the data subjects, and to give them the possibility to opt out, before they collect, process or transfer personal data by automated electronic means such as cookies or web beacons. The guidelines provide in-depth guidance on the information to be included in the notice (e.g., the identity of the data controller that collects the data, which data are collected and for which purposes) and on the form in which the notice must be given. The guidelines introduce three different types of notice: the “full notice” (“Aviso de Privacidad Integral”), the “simplified notice” (“Aviso de Privacidad Simplificado”) and the “short notice” (“Aviso de Privacidad Corto”). Each applies to different situations, and each must also contain general information on how the data subjects can assert their rights of access, rectification, deletion and objection. The guidelines also introduce a duty for companies to maintain a personal data department, which deals with the protection of personal data and serves as the main point of contact for any inquiry.
Non-compliance with the Mexican data protection act may result in fines of up to US$1.5 million. This amount may even be doubled if sensitive data are part of the breach.
Austria: Current discussions in Austria centre on the reforms of the data protection act.
- In 2012 the standard and sample regulation was amended to encompass further standard data applications that no longer require notification with the Austrian data protection register (“Datenverarbeitungsregister”).
- On 1 May 2013, the most recent amendments to the data protection act entered into force. These amendments are the result of the European Court of Justice decision on the lack of independence of the Austrian data protection commission (“Datenschutzkommission”), and change the commission’s structure and organization. Unfortunately this is not accompanied by an increase in personnel. The data protection commission, as well as the register, are known for their understaffing, which means that applications for registration or approval may lie with the authorities for several years.
- The second reform is meant to implement a new and independent data protection authority because the data protection commission will be dissolved following the reform of the administrative. This reform shall enter into force on 1 January 2014.
- The original first amendment – dating back to 2012 – seems to have stagnated. Its intention was to unburden the data protection register and contained the introduction of voluntary data protection officers.
Peru: Peru’s new data protection act came into force in April. The Peruvian law, similar to the Costa Rican law, heavily leans on the European regulations. The data controller is subject to certain information duties, and the law also introduces the principle of consent. In addition, all databases that contain personal data must be reported to the new national data protection authority. However, the fines foreseen by the law are less than those envisaged by the Costa Rican act: from approx. US$300 to approx. US$14,400. For both countries it therefore remains to be seen whether these new laws, created and implemented with great motivation, can be enforced.