UPDATES AND INSIGHTS
When it comes to The Cyber, as the lamentable US President refers to all things internet-related, Singapore is rockin' it. The city state just published a new draft cyber bill that will further its ambitions and cement its status. Singapore intends to be the world's first Smart Nation; it ranks third in the Global Financial Centres Index; and it just nailed the top spot in the Global Cybersecurity Index for 2017. And it is the home of the stunning, fantastical, high tech Supertrees.
China's new regulations are implementing one of the strictest approaches to cybersecurity and data privacy worldwide. The Cybersecurity Law (CSL) came into effect June 1st, despite protests from numerous interest groups calling for changes or delays.
Critics cite vague, ambiguous laws combined with a lack of guidance, and unfavorable conditions for foreign companies. Amnesty International and other human rights organizations sharply denounced the strengthening of censorship and surveillance under the new law.
LOCALIZATION & DATA TRANSFERS
Two related and troublesome components of the CSL are a requirement for data to be stored in China and regulation of cross-border data transfers. Foreign companies regard data localization as an unfair burden, requiring them to maintain separate storage for Chinese data. It is also thought to be a hindrance to trade, and to make it difficult or impossible for all but the largest companies to do business in China.
The likelihood of Privacy Shield being overthrown grows ever stronger as moves by the Trump administration further alarm officials in the EU.
Last week's resolution by the European Parliament expresses doubt that Trump is committed to privacy protection and calls for a rigorous re-examination of the data transfer mechanism. Members of the European Parliament (MEPs) asked the European Commission to "take all necessary measures" to ensure the agreement respects EU privacy rights.
Parliament also desires access to US documents demonstrating the specifics of how the US government is enforcing the laws supporting Privacy Shield. They also are interested in any documents regarding surveillance by US intelligence agencies.
The battle between Facebook's WhatsApp and privacy authorities continues to rage. The latest skirmish sees a consumer rights group (VZBV) in Germany suing Facebook for illegal data collection.
In November last year the ICO demanded that Facebook stop collecting user data in the UK after an 8-week investigation, and numerous other EU countries have ongoing probes. Then, on Dec 20, the EU Commission sent a Statement of Objections alleging Facebook provided misleading information about its WhatsApp takeover.
So here's the deal. When Facebook embarked on its acquisition of WhatsApp in 2014, the EU Commission conducted its standard merger investigation. One of the Commission's concerns was whether Facebook would be able to match its users' accounts with WhatsApp users' accounts. Facebook stated that it would not be possible to make the connection, and the Commission subsequently approved the merger.
Those opposed to government mass surveillance are confronting the double whammy of a Trump administration being in command of the immensely powerful NSA. With the Presidency and both Houses of Congress in alignment, alarm bells are clanging in some segments to the tune of "A madman has been given the keys to the surveillance state."
Getting little mainstream attention, but lots of fervent discussion in some circles, are questions and concerns about Trump's intentions toward encryption and surveillance. Then there are the even less prosaic topics of privacy and Privacy Shield.
Trump's nominee for Secretary of Commerce is putting the latest scare into businesses that rely on Privacy Shield to facilitate the free flow of data between the US and Europe. At the same time as the Electronic Privacy Information Center (EPIC) was sending a letter to the new administration asking for stronger privacy protection, Wilbur Ross was hedging on a commitment to the deal.
The EU's ambitious plan to create a thriving data driven economy has gotten little attention the last year or so, with all eyes being focused on the General Data Protection Regulation and Privacy Shield. Now the GDPR is finalized, and Privacy Shield is in place, at least for the moment. So it's time to dust the GDPR off our palms and get on with things, right?
Not. Quite. Yet. With the path forward finally free, the ePrivacy Regulation roadblock thudded into place.
The laudable, ambitious, and welcome Digital Single Market Strategy has been in the works since 2015. It's a plan to expand the data economy by freeing up data flows across Europe, adding a predicted €8 billion ($8.5 billion) to the European economy every year. It will deliver €415 billion in additional growth, add hundreds of thousands of new jobs, and build a vibrant, knowledge-based society.
Maybe you've seen Cayla, the interactive talking doll, in the news lately. She's being accused of some pretty bad behaviour.
Cayla doesn't seem to learn from her mistakes. Almost 2 years ago security experts demonstrated she could be hacked, and that vulnerability still exists.
Cayla brings to mind the hackable Hello Barbie, another conversational doll on the naughty list last Christmas. Consumer groups started a campaign called Hell No Barbie in protest.
Cayla outdoes Barbie, who interacts with appropriate preset responses pulled from a database. Cayla converts audio to text and actually searches a number of sites, including Wikipedia, for replies. That IS pretty cool.
Kim Davis, Senior Editor, DMNTech has our Kitty Kolding as a guest on his One on One Podcast. They sit down for a chat about data sourcing and compliance, and the formidable challenges posed by the EU General Data Protection Regulation. The requirements of GDPR, meant to ensure privacy, end up causing additional exposure of the data it is meant to protect.
Russia made its first move to block a western website using its data localization law. The first target, LinkedIn, was blocked for failing to store Russian personal data on a server located in Russia. As with all things Putin, it's not as straightforward as it seems.
Back in 2014 Russia passed a law requiring that data on Russian citizens be stored and processed in Russia. The purported reason was to protect the data and privacy of those citizens. Other laws passed at the same time addressed Online Content, with the object of shielding children from indecency and eliminating objectionable content.
Germany is again taking the lead on cross border data transfers, this time focusing on cloud and SaaS ramifications. Ten German Data Protection Authorities are working together to audit five hundred companies regarding their international data transfer practices. Earlier this year Germany issued the first fines for unlawful cross-Atlantic data transfers in light of Safe Harbor's invalidation, with the promise of larger fines to come.
The enquiry is, in part at least, an awareness campaign. The DPAs cite the enormous growth of personal data crossing borders, particularly with the use of SaaS and cloud services. Many companies, the DPAs say, may not realize the extent to which data flows out of the EU with the use of those services. They may also be unaware of data protection requirements that accompany the data flows. The enquiry process will increase the awareness of privacy laws and the requirements of compliance.
It could be a geeky group of superheroes - Enforcement Network... Justice League... there's some similarity there, right? And the acronym is awfully close to G Pen, which is a line of vape devices. Upon hearing of the rarely mentioned organization we galloped off to learn what we could about the mellow, spandex-clad enforcers.
But in fact the Global Privacy Enforcement Network is an informal group of data protection authorities from around the world. The mandate of this little known organization is to support and foster cross-border cooperation among data privacy authorities in the enforcement of laws protecting privacy. GPEN, consisting of 13 privacy enforcement authorities when it was established in 2010, grew by the end of 2015 to include 59 privacy enforcement authorities in 43 jurisdictions.
Ocean Finance, owned by Intelligent Lending, was fined $170,000 for spamming. They say it's the broker's fault.
In 2014 the UK based company sent 7.7 million text messages peddling a new credit card. The company purchased the names and phone numbers of the text recipients from a third party data broker, with assurances that it had people’s consent to send texts.
With almost 2000 complaints on record, the Information Commissioner's Office (ICO) launched an investigation. The ICO determined that the consent did not meet legal requirements, issued an enforcement notice, and imposed the fine.
Ocean Finance maintained that they were told by the third party vendor that the data was compliant, and as such they were not culpable. However, data privacy law in the UK places responsibility for compliance and consent with the marketer, regardless of any assurances from the vendor.
The CEO is in a meeting with staff, one of whom is the company Controller. In the middle of a discussion the Controller apologizes for interrupting the speaker, turns to the CEO and says "Should I make this wire transfer now or wait until the meeting is over?" That was our introduction to the BEC scam.
The CEO had not sent the email to the Controller requesting an immediate wire transfer of funds.
You may have heard of the Business Email Compromise scam. It has netted over 3.1 BILLION dollars in reported losses by companies in all 50 states, and over 100 countries. Victims are companies large and small, from numerous sectors, and number around 23,000. They have been hit for amounts ranging from thousands to $46.7 million in the case of Ubiquiti.
Baidu is often referred to as China's Google, and there are indeed many similarities. Baidu just got permission to join Google in testing its self driving cars in California. Both companies have a diverse set of product offerings, with overlap in categories like knowledge, location-based, music, mobile, search, social, games, and translation services. And both Google and Baidu are leading the way in Artificial Intelligence developments.
Google left China in 2010 in response to government censorship requirements and hacking intrusions. Google's refusal to go along with censorship, and Baidu's willingness to comply, is one big difference between the two. China's Great Firewall has effectively blocked out the world, and local search engines are complicit with censorship and adherence to state controlled policies.
Chile's feeble old privacy laws may be inching closer to an upgrade, although we've heard that before. While privacy reform, essential for growing the economy, flounders in a legislative morass, Chile takes decisive action in other areas. Perhaps the Department of Food and Nutrition can pass along some tips for effective legislative action.
In the past malnutrition was Chile's main nutritional issue, but these days 67% of people older than 15 are obese or overweight. Packaged food, high in fat, salt, and sugar is readily available and eagerly consumed by all segments of the population. Diet and obesity related conditions are an enormous public health issue, and cardiac problems and certain cancers account for half of all deaths in Chile. The last 20 years in particular have seen the rapid growth of unhealthy eating and attendant health issues.
With the GDPR ready for implementation in mid-2018, data collectors, processors, brokers, and buyers are grappling with what this truly onerous legislation will mean to their businesses – and if they aren’t, they should be. The law is completely finalised, and there is no going back. There are no grace periods, no grandfathering, and no appeals to be made.
As an American company that assists US-based marketers to source data from more than 4,500 data collectors in over 90 countries – including every EU market – we’ve necessarily taken a very hard look at the more than 200 pages of the GDPR. We are nothing short of alarmed at what we see.
Recent legislation pushed through the Russian Parliament will be a potent weapon in Putin's war on freedoms and rights. Human rights activists, privacy watchdogs, and telecom companies are vociferously critical, claiming the true purpose is to squash dissent and further undermine the freedoms and rights of the Russian people.
Part of the bill amends the counter terrorism law, and the other amends the IT and data protection law, specifically addressing data storage by telecoms and internet service providers. Freedom of expression and the right to privacy, especially on the internet, are severely curtailed by the new laws and others already in place.
EU businesses have resigned themselves to the fact that they will have to start complying with the long-awaited EU General Data Protection Regulation and are preparing themselves for 2018. How is the GDPR perceived from the outside looking in? Kitty Kolding, CEO and president, Infocore Inc. writes exclusively for ExchangeWire, to give her valuable insight into what American businesses think about the GDPR and how it will have an impact beyond the EU borders.
The Australian government has embarked on a Cyber Security Strategy, acknowledging that it, like four other APAC countries, is highly vulnerable to cyber attacks. Australia, along with New Zealand, Japan, South Korea, and Singapore have been deemed the Highest Vulnerability Economies in Deloitte’s Asia-Pacific Defense Outlook report.
Australia's Cyber Security Strategy is built on five themes of action, and outlines a $230 million plan to take place over the next four years. Ongoing initiatives to strengthen cyber defenses over the next decade will cost up to $400 million.
The Deloitte report notes that all of Asia has experienced rapid economic development, and strong internet adoption, but identifies the "Cyber Five" as being inordinately vulnerable to cyberattack. Their economies "are the most heavily dependent on internet based interactions".
The new Do Not Call Service in France was implemented as of June 1, 2016. The BLOCTEL list replaces its predecessor, Pacitel, and imposes new obligations on telemarketers. Pacitel, which closed 01-01-16 was a voluntary service, but BLOCTEL is mandatory.
BLOCTEL was established as part of the French Consumer Code, and as such governs only consumer marketing, not B2B activities. Consumers can register both landlines and mobile numbers on the website, and the opt-out
EU US data transfer is on the ropes after taking a one two punch to the Privacy Shield and a kick to the model contract clauses. And all that came after Safe Harbor was KO'd last year. It came as no surprise to many who felt that Privacy Shield was only a minimal improvement on Safe Harbor. After Safe Harbor's demise, model clauses were a flawed but acceptable interim mechanism allowing data transfer to continue while the specifics of Privacy Shield were developed.
SELF CERTIFICATION - NOT SO GOOD
Safe Harbor, implemented in 2000, allowed data from the EU to be legally transferred to the US, by guaranteeing the data would be handled with levels of privacy protection equivalent to that required by EU privacy laws. US companies that were Safe Harbor certified were then able to receive EU data legally.
Singapore has taken its first action against data protection violations since legislation came into force in 2014. The enforcement decisions, along with newly issued guidance, give insight into the expectations and intentions of the Personal Data Protection Commission (PDPC).
Information about nine Data Protection Enforcement Cases was published on the PDPC website. The PDPC issued warnings and directions to seven organizations and imposed fines on four.
The largest case involved the data of 317,000 individuals who were members of K Box, a karaoke chain.
Turkey has, after decades, finally implemented a data protection law. But that's not actually good news according to critics, who say the law further empowers a totalitarian regime. Add to the mix refugees, accusations of a sell out by the EU, and a hard line taken by Turkey, and this unsavory compromise is about more than data protection.
Back in 1981 Turkey signed a treaty addressing data privacy but it was never ratified. In 2008 a Draft Law was proposed, which followed the provisions of the EU's Data Protection Directive. Turkey, eager to join the European Union, is currently in Candidate status. Adherence to EU standards for Data Protection law is one of many criteria that must be met for Turkey to gain member status.
For the last four years the European Union has been hammering out new legislation to modernize and reform the laws that address the handling of personal data. The General Data Protection Regulation (GDPR) is a sweeping piece of legislation that will have profound effects on global business, the digital economy, and direct marketing.
The 200+ page draft of the General Data Protection Regulation (GDPR) is now complete in substance and will be polished into the final version by mid-2016. It will be implemented and fully in force two years later – mid 2018. This new legal framework covers all aspects of personal data processing and applies to any business that handles the data of EU citizens, no matter where the business is based.
FACEBOOK: A High Profile Crackdown
France's data protection authority, CNIL has taken the first prominent enforcement action since Safe Harbor was struck down, and issued an injunction against Facebook. The action is notable for several reasons.
SAFE HARBOR was invalidated on October 6th but companies were given until the end of Jan 2016 before any enforcement action would be taken. With that deadline now expired, this action marks the first significant enforcement measure and indicates that companies still operating under Safe Harbor are fair game.
Like a body with a weakened immune system, the Healthcare sector is being attacked on many fronts. From hackers in China, to the drug infusion pumps mainlining meds to hospital patients, we are vulnerable.
One in three patients had their medical records exposed in 2015, and 2016 is predicted to be as bad or worse. Healthcare organizations are a soft, lucrative target for cybercriminals, but human negligence and malicious intent also take a toll.
Nuisance calling - obnoxious, unpermissioned telemarketing - is a pervasive problem in the UK, and a key area of action for the data protection authority.
How big of a problem is it you wonder? Well, recently 2 companies selling Nuisance Call Blocking services were fined for making many obnoxious nuisance calls trying to sell their nuisance call blocking services.
Many of the calls are made by lead generation centers who try to locate people who would be interested in a certain service or product. Then the leads are sold to companies that would provide that service.
Indonesia is making a move toward modern data protection law at last. The largest ASEAN (Association of South-East Asian Nations) country in population and GDP, Indonesia currently has no consolidated data protection law.
The draft regulation for the protection of personal data in electronic systems would be Indonesia's first comprehensive data protection law. The Draft Bill, now up for debate in the House of Representatives, would narrow the gap between Indonesia and its more modern neighbors Singapore and Malaysia. It is likely the bill will be enacted soon.
It addresses private data and sensitive data, permitted uses, transfer, and protection of data through each stage of processing. Rights of the data subjects and obligations of the users are described. Of interest is the inclusion of government agencies in the regulations, along with the private sector.
Japan's My Number system debuted this month amid protests and PR campaigns. This will be the first national ID system in Japan, and a move toward the "single card society" that the Prime Minister wants to create. The system is analogous to Social Security numbers in the US and will consolidate many separate systems into one ID, and link together all government, health, financial and other records.
As a country with disparate ID systems requiring people to carry a wallet full of cards, it's clear why the government wants to move toward a consolidated system with more current technology. The administrative burden is immense and accuracy is lacking.
Recent guidance published by the Hong Kong Commissioner covered the use of CCTV and Drones, and the collection of Biometric data.
CCTV and Drones
A specialist drone retailer estimates that there are now more than 5,000 drone users in Hong Kong. As well, Hong Kong is the hub for shipment of over 90% of the world's drones. Recently updated guidance issued by the Hong Kong Commissioner expanded guidance regarding use of CCTV to also be applicable for drones.
Hong Kong is seemingly the first Asia Pacific jurisdiction to address the use of drones from a Privacy perspective. There has been attention and legislation around drones, but it has been focused on Aviation and safe operation.
On September 9, 2015 in Hong Kong, a company was convicted for failure to honor an opt out request and fined HK$30,000.
This was the first conviction after a change in the maximum penalty for a direct marketing offence. Failure to comply with an opt out request previously carried a maximum penalty of a fine of HK$10,000.
Last month Canada imposed its first financial sanction under the CASL legislation - a 1.1 million dollar fine on flagrant offender Compu-Finder.
Unlike the usual spammer that focuses on individuals, Compu-Finder is a B2B spammer, and promotes various business training courses to business email addresses it gathers illegally. Over 25% of complaints submitted to the Spam Reporting Centre regarding the Professional Training category are about Compu-Finder.
Compu-Finder scrapes business sites for email addresses and sends commercial emails without consent. When the messages actually have an unsubscribe link, as is required, it doesn't work.
OVERALL, IT'S INCONSISTENT
Inconsistent best describes the overall state of data privacy regulation in Asia Pacific countries. The presence of a comprehensive, consolidated data privacy law in APAC countries covers the spectrum - ranging from essentially none, to some of the most exacting.
Regulations are fundamentally similar, but every country's implementation is unique. At the core, most policies cover the same areas, such as the collection and use of personal data, direct marketing consents, and cross-border data transfer. But the requirements for compliance can be different for every country. Using the example of direct marketing, one country implements a strict opt-in policy, another is content with opt-out, and in yet another the policy isn't explicitly stated.
We've recently seen a flurry of articles discussing Iceland’s potential to be the world’s new data privacy haven - to be to Data the way Switzerland is to Information. Let’s take a concise look at the factors leading Iceland to be the Switzerland of Bits.
POLITICS & LEGISLATION
During a speech in 2008, digital activist John Perry Barlow said “My dream for this country is that it could become like the Switzerland of Bits”. Shortly after that, the economy suffered a devastating financial collapse caused by malpractice of the three largest banks, and collusion of government officials.
Data Privacy legislation is changing quickly and – in some parts of the world – onerously. Most of the changes are an attempt to balance the protection of individuals’ privacy, given the explosion of data gathering technologies, without completely killing off marketing and advertising activity, which stimulates revenues and business overall.
Here’s an understanding of the basic framework of most data privacy legislation around the world, and what marketers should consider when they look to work in a country that is new to them:
At the end of 2014 Hong Kong demonstrated its willingness to impose jail time for offenses of the Personal Data Ordinance. And it seems there are several other incidents already under criminal investigation.
Hong Kong, like most Asia Pacific countries, leans toward criminal prosecution and imprisonment to enforce their law. According to DLA Piper here:
Spam was the first course served up by Canadian legislation. Let's take a look at the rest of the meal.
There is an abundance of information about Canada's Anti-Spam Legislation (CASL), mostly focused on...well, spam. But there is much more to the law than that. As Davis LLP notes here, when the first part of the law went into effect July 1, 2014
Malaysia's Personal Data Protection Act 2010 is fully in force. The rocky roll-out was plagued with confusion, a scarcity of information, and an initially lackadaisical attitude toward compliance, despite the severe penalties.
There's abundant information available about the specifics of the act if you'd like to dig deeper - see the links at bottom. But here, let's do a quick overview and then look at some of the more interesting aspects of the PDPA.
The PDPA was created to regulate companies that process personal data in commercial transactions. The definition of "processing" is sufficiently broad to include just about any company that collects or uses personal data.
Unless you’ve been buried deep in the Siberian permafrost for the last year, you know that the Russian president is often accused of saying one thing while pursuing a very different agenda. And so it goes with recent data privacy legislation.
Two new, highly controversial laws will have far reaching effects. Critics claim that the laws, enacted under the guise of protecting the privacy of citizens, shielding children from indecency etc., are instead a way to gain more control over foreign companies and to strengthen censorship and repression.
The laws address Data Locality, and Online Content. Links at bottom will take you to additional material, but here we can take a look at some ramifications of the legislation.
If you’re thinking that Australians are fun loving, easy going types, and that doing direct marketing to Australians is probably the same way, think again. The data privacy regime in Australia has recently made the process of getting truly compliant direct marketing data for your Aussie campaigns a whole lot tougher, and has instituted some penalties for non-compliance that have more teeth than a crocodile.
Any entity even remotely connected to collecting or using any kind of marketing data in Australia should take pains to thoroughly understand the numerous new interpretations, definitions, requirements and penalties that were enacted as of March 12, 2014. A lot of very smart people have written extensively about this subject, and one of the most thorough reviews can be read here: http://bit.ly/1jaiAuY. If you’re a skimmer and prefer a summary, here are some of the highlights of the so-called “New Act”:
In 1981 Turkey signed a treaty addressing data privacy. It has a good chance of being ratified in this coming fall term, more than thirty years later. That treaty, along with another piece of legislation, would implement long awaited data protection in Turkey.
The treaty, as it is sometimes referred to, is actually a Convention – The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. It was sent to the Turkish Parliament at the end of July 2014, after 30+ years on the shelf, and put on the fast track for ratification.
The Convention was drawn up in 1981 by the Council of Europe, not to be confused with the European Union or its similarly named institutions. Unlike the European Union it cannot create binding laws, so Turkey was in no way compelled to ratify and implement the CoE Convention. The Convention would greatly strengthen privacy protection in Turkey, which at this time is only lightly regulated.
Stiff penalties include fines up to HK$50,000 and up to 2 years jail.
After a significant set of new regulations were enacted in October of 2012, two new amendments came into force on April 1, 2013. Both of the new amendments specify added restrictions against the use and provisioning of personal data in direct marketing activities. Additionally, the legislation confers new levels of authority on the Privacy Commissioner for Personal Data (“PCPD”) in Hong Kong, and calls for the PCPD to provide legal assistance to individuals making claims in civil proceedings.
Stiff penalties apply when the data user does not comply with warnings and enforcement notices from the PCPD, including fines of up to HK$50,000 and imprisonment for up to 2 years. Although Hong Kong is still an “opt-out” market, there is considerable confusion in the business community due to workshops put on by the office of the PCPD stating that all data owners should operate as though the law is “opt-in”.
Sweeping changes to Canada’s direct marketing landscape go into effect July 1
In Canada there are 27 federal, provincial and territorial privacy statutes that govern the protection of personal information in the private, public and health sectors. Electronic marketing is governed by both Canadian Privacy Statutes and Canada’s Anti-Spam Legislation (“CASL”). CASL was approved on December 15, 2010 and is currently scheduled to be in force by July 1, 2014. Under CASL it is prohibited to send, or cause or allow to be sent, a commercial electronic message unless the recipient has provided express or implied consent.