© 2005 Morrison & Foerster LLP All Rights Reserved Data Security and Incident Notification: The Impact of Foreign Law Presented April 26, 2006 to EDUCAUSE.


© 2005 Morrison & Foerster LLP All Rights Reserved Data Security and Incident Notification: The Impact of Foreign Law Presented April 26, 2006 to EDUCAUSE Policy Conference Session on Data Security and Incident Notification Charles H. Kennedy,

Non-U.S. Privacy Law: Overview Approximately 50 countries have privacy and data protection laws. Among other provisions, those laws generally require collectors of personal information to take reasonable measures to secure that information from unauthorized access, acquisition, use or destruction. Only the U.S. and Japan have laws that specifically require notification of data security breaches.

Non-U.S. Privacy Law: Overview Even in a foreign country without a breach-notification requirement, a data breach that becomes known to the host country’s authorities might establish a violation of that country’s data security laws. For this reason, U.S. educational institutions should protect all personal data collected or maintained in foreign countries. In today’s presentation, we focus on the EU and Japan.

When Is My School Subject to European Privacy Law? European Union Data Protection Directive applies to any collector of personal information that is “established” in a European member state or owns or controls facilities, located in a member state, that are used to collect personal information. The EU member state has jurisdiction, even if the information collected is not that of a resident of the state. You are not subject to the EU Directive when you collect personal information of a student or employee who is a resident of an EU member state, as long as the information is collected outside the EU. Note that the EU Directive is implemented by national laws that may vary in their terms. Spain, for example, has adopted an especially demanding privacy law.

Basics of the EU Data Protection Directive The EU Directive applies to the processing of personal data by any “controller” subject to an EU member state’s laws. Personal data may be collected only for specified, explicit and legitimate purposes. Personal data may be maintained only if it is relevant, accurate and up-to-date. Individuals must be given the option to provide requested information or not, by means of a notice and opt-out procedure. Individuals have the right of access to data; the right to know where the data originated; the right to have inaccurate data rectified; the right of recourse in the event of unlawful processing of data; and the right to withhold permission for the use of their data in certain circumstances.

Basics of the EU Data Protection Directive (Continued) Personal data may not be transferred from an EU country to a non-EU country that does not provide an “adequate” level of data protection. When the Directive was adopted, the United States was identified as one of the “inadequate” destinations. The result is the “Safe Harbor” agreement between the EU and the U.S. Department of Commerce.

Basics of the EU Data Protection Directive (Continued) Article 17 – Security of Processing “Member states shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”

When Is My School Subject to Japanese Privacy Law? Japan’s Privacy Laws include the Law Concerning the Protection of Personal Information (“PIPL”) and the Law Concerning the Protection of Personal Information Held by Independent Administrative Legal Entities (“IALE”). Both laws are relatively new. Both laws are highly general and are implemented by detailed guidelines issued by agencies having jurisdiction over particular businesses and institutions. Although there is some ambiguity, the PIPL appears to apply to private colleges and universities. The IALE appears to apply to public colleges and universities.

When Is My School Subject to Japanese Privacy Law? You may have obligations under Japanese privacy law if: You are affiliated with a Japanese company or institution. You use or have access to employee or student information maintained in Japan. A Japanese institution with which you are involved, for example, in a study-abroad program enters into a contract with you, according to which you assume privacy obligations under Japanese law.

Basics of Japanese Privacy Law Individuals are entitled to notice of the purpose of collection and use of personal information. Individual Ministry guidelines specify methods of notice required. Businesses must limit their use of information to the purposes disclosed. Businesses must respond to requests for access to personal information. Businesses must provide notice and obtain opt-in consent before sharing information with third parties. Information may be shared and used jointly by affiliates if prior notice is given to the affected individuals.

Basics of Japanese Privacy Law (Continued) Japanese businesses are responsible for unauthorized uses of data by agents and contractors. Businesses must adopt appropriate measures to prevent unauthorized disclosure, loss, or destruction of personal information. Ministry Guidelines require disclosure of any data leak or breach, including data that are merely lost or destroyed. Ministries have not yet announced how promptly notice must be given or how much detail is required. Also, some ministries require notice only to affected persons, while others require notice to the responsible ministry as well. The guidelines concerning data breach are still under development.

Breach Notification by Colleges and Universities in Japan Private colleges and universities are exempt from PIPL requirements when handling personal student information for “academic” purposes, such as grade reporting, but not when handling employee information or student information for managerial purposes other than strictly academic affairs. Public universities are fully subject to IALE requirements, as previously explained. Breach notification requirements apply.

When Is My School Subject to Other Foreign Privacy Law? Most countries other than Japan and the EU member states have less explicit privacy protections, but that is changing. A college or university should be aware of the privacy laws of any country in which it maintains a facility or from which it collects personal information of students, employees or others.

Principal Countries with Privacy Laws North America: Canada; Mexico (pending); United States. Central and South America: Argentina; Brazil (pending); Chile; Colombia (pending); Costa Rica (pending); Ecuador (pending); Paraguay (pending); Peru (pending); Uruguay (pending).

Principal Countries with Privacy Laws (Continued) Middle East: Israel. Africa: South Africa (pending). Europe: All EU member states.

Principal Countries with Privacy Laws (Continued) Asia-Pacific Rim: Australia; China (pending); Hong Kong; India (pending); Japan; Malaysia (pending); New Zealand; Philippines (pending); Singapore; South Korea; Taiwan; Thailand (pending).

Practical Considerations It bears repeating that data security should be a priority for all organizations. U.S. breach notification laws complicate the picture for data breaches that also affect foreign persons or operations. If an institution reports a breach to affected residents of U.S. states, the advisability of reporting to affected residents of foreign jurisdictions, as well, should be considered for reputational, if not legal, reasons. Similarly, if a report to a foreign jurisdiction is required, reports to U.S. persons affected by the same incident should be considered, even where those persons do not reside in breach-notification states.

Practical Considerations (Continued) For both foreign and domestic reporting purposes, a breach notification plan should be in place before it is needed. Know the channels through which applicable laws require you to send notice, and have notices ready to go. Consider going beyond the bare minimum of notification requirements. Train your responsible employees.