DBR ON DATA

Security, Privacy and Information Governance

Author: Yodi Hailemariam (page 1 of 3)

Smart Uses of Data Analytics for In-House Counsel

Share

The effective use of data analytics is quickly changing the legal landscape and the practice of law for the better. This is a fast-changing area where today’s “use cases” will be quickly superseded by new and more powerful uses of these technologies. This post discusses key areas where in-house counsel may consider the use of data analytics either as a solely in-house measure or in connection with engagements with outside counsel.

Continue reading

Sedona Conference Working Group on Data Security and Privacy Liability Releases Draft Incident Response Guide

Share

The Sedona Conference®, a nonprofit research and educational think tank dedicated to the advanced study of law, particularly in information governance, has released its Incident Response Guide , open for public comment through June 19, 2018.  Drafted by Working Group on Data Security and Privacy Liability (WG11), the guide is meant to serve as a practical resource for practitioners dealing with the legal, technical, and policy issues related to data-related incidents – from distributed denial-of-service to ransomware attacks.

Continue reading

U.S. Congress Approves CLOUD Act for Data Stored Overseas

Share

On March 23, 2018, Congress passed the “Clarifying Overseas Use of Data Act,” also known as the “CLOUD Act” (H.R. 4943, S. 2383), a new U.S. law that will have a dramatic effect on the United State government’s control over and access to data stored overseas.  The CLOUD Act was introduced to the U.S. Senate and House of Representatives on February 6, 2018, as part of a $1.3 trillion omnibus spending bill.  The bill passed both houses of Congress on March 23, 2018, and was signed into law by the President the next day.

Continue reading

Singapore Joins APEC Cross-Border Privacy Rules System and Privacy Recognition for Processors Program

Share

Singapore recently became the latest country to join the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules (“CBPR”) System.  Singapore is the CBPR’s sixth participant, joining the United States, Mexico, Japan, Canada, and the Republic of Korea.  Singapore also became the second country to join APEC’s new Privacy Recognition for Processors (“PRP”) program, joining only the United States.

As a member of APEC’s CBPR, Singapore’s personal data protection regime has been deemed to be in alignment with the CBPR’s focus on facilitating data flows between economies and preventing accidental disclosure and misuse of personal data vis-à-vis online transactions.  Remarking on this move, Singapore’s Personal Data Protection Commissioner Tan Kiat How stated, “[t]he seamless exchange of personal data will enable certified Singapore business to plug into even more regional and global business opportunities.  Meanwhile, our consumers will enjoy greater peace of mind when they shop or use vital services online.”

Endorsed by APEC Leaders in 2011, the CBPR is a voluntary, accountability-based system that implements the APEC Privacy Framework (the “Framework”) by reducing barriers to information flows, enhancing consumer privacy, and promoting interoperability across regional data privacy regimes.  Created in 2004, the Framework was developed to facilitate the flow of information between the 21 APEC member economies and their trading partners, by promoting a common set of data privacy principles designed to strengthen consumer privacy protections, encourage digital commerce, and facilitate trade and economic growth.  Both the CBPR and the Framework apply only to personal information controllers, whereas the PRP program focuses exclusively on personal information processors.  Finalized in 2016, the PRP program was designed to certify privacy compliance for personal information processors within the Asia-Pacific region by offering a Trustmark certification to processors that demonstrate their capacity to assist data controllers in complying with relevant privacy obligations.  The PRP program was created in order  that (1) data controllers are able to identify qualified data processors to implement data controllers’ data processing obligations, (2) data processors are able to demonstrate their ability to provide effective implementation of a controller’s privacy requirements, and (3) small and medium-sized institutions are able to gain exposure and visibility into a global data processing network.  Collectively, the CBPR, Framework, and PRP make up the three legs of APEC’s current data protection construct.

APEC is one of the leading Asia-Pacific economic forums designed to “support sustainable economic growth and prosperity in the Asia-Pacific region.”  The three pillars of APEC’s agenda focus on trade and investment liberalization, business facilitation, and economic and technical cooperation.  APEC currently has 21 member jurisdictions, including Australia, Brunei Darussalam, Canada, Chile, the People’s Republic of China, Hong Kong, Indonesia, Japan, Republic of Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, The Philippines, Russia, Singapore, Chinese Taipei, Thailand, the United States, and Vietnam.

Learn more about the APEC Privacy Framework.

Learn more about the APEC Cross Border Privacy Rules.

European Commission Issues GDPR Guidance

Share

The European Commission (EC) recently issued online guidance on the General Data Protection Regulation (GDPR), a sweeping European Union (EU) data protection legislation that will take effect on May 25, 2018.  The guidance is intended to be used as a tool to help businesses as well as the EC, national data protection authorities, EU Member States, and other national administrations prepare for the GDPR.  To date, only 2 EU Member States – Germany and Austria – have adopted the relevant national legislation to be in compliance with GDPR.

Continue reading

China Releases New Personal Information Privacy Standards

Share

On January 25, 2018, China released the final version of the Personal Information Security Specification, new voluntary standards on the protection of personal information.  The standards anticipate and address the “issues faced in personal information security during the rapid development of IT technology; with the protection of personal information as their core” and is meant to “regulate all phases of big data operations and related conduct, such as the collection, storage, processing, use and disclosure of personal information.”  The standards will go into effect on May 1, 2018.

The standards will apply to organizations using information systems to process personal information; specific departments that involve network security, third party assessment organizations; and other organizations that deal with the oversight, management, and assessment of personal information security.  Generally, they lay out the following 8 basic principles of personal information security.

Continue reading

Older posts

© 2018 Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

Disclaimer/Privacy Policy