[CB19] Applicability of GDPR and APPI to international companies and the impact on IT Security
•
2 likes•223 views
The speech will describe the new Data Protection Laws in Europe (GDPR) and Japan (APPI with supplementary rules). It will give recommendations to company leaders and IT experts on how to avoid or cope with applicability of these laws and describe necessary IT Security measures under the GDPR. The speech will describe when the GDPR and APPI are applicable, when data is considered personal data, how Japanese and EU companies benefit from the new trade deals “EU-Japan Strategic Partnership Agreement” (SPA) and the “EU-Japan Economic Partnership Agreement” (EPA). The speech aims to answer international IT experts’ questions on compliance with APPI and GDPR.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to [CB19] Applicability of GDPR and APPI to international companies and the impact on IT Security
Similar to [CB19] Applicability of GDPR and APPI to international companies and the impact on IT Security (20)
More from CODE BLUE
More from CODE BLUE (20)
Recently uploaded
Recently uploaded (20)
[CB19] Applicability of GDPR and APPI to international companies and the impact on IT Security
- 1. Applicability of GDPR and APPI to international companies and the impact on IT Security Dr Matthias Lachenmann Attorney-at-Law (Rechtsanwalt), Data Protection Officer (UDIScert) @LAWchenmann
- 2. I. EU and Japan: new Trade Deals and Data Protection Laws II. Definition of personal data, personal information and PII III. Applicability of the GDPR and the APPI IV. IT Security documentation according to GDPR and APPI V. Lessons learned Content © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019
- 3. EU and Japan: new Trade Deals and Data Protection Laws A look back to 25 May 2018: Applicability of the EU General Data Protection Regulation (GDPR)
- 4. EU and Japan: new Trade Deals and Data Protection Laws Republic of Korea: Personal Information Protection Act (PIPA), since 30 September 2011 Several sector-specific Data Protection Laws IT Security Act, applicable since 13 June 2019 Plans for a revision of the PIPA India: Personal Data Protection Bill 2018 (Draft) China: Cybersecurity-Law (CSG), since 1 June 2017 California: California Consumer Privacy Act (CCPA), will be valid from 2020© BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019 Source: Greenleaf, Graham, Countries with Data Privacy Laws – By Year 1973- 2019 (May 10, 2019), SSRN: https://ssrn.com/abstract=3386510
- 5. New Trade Deals: EU-Japan Strategic Partnership Agreement (SPA) and EU-Japan Economic Partnership Agreement (EPA) Biggest trade agreement concluded to date by the EU Covering over 600 million people and almost one third of the world’s total GDP Providing EU companies nondiscriminatory access as suppliers to the procurement markets of 54 cities in Japan Clauses on labor rights, environmental protection, intellectual property Japanese adequacy decision regarding EU and EU Commission’s adequacy decision regarding Japan Both 23 January 2019 First adequacy decision since the GDPR came into effect © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019 EU and Japan: new Trade Deals and Data Protection Laws
- 6. EU and Japan: new Trade Deals and Data Protection Laws Data Protection Laws and Rules in Japan relevant in international context: Act on the Protection of Personal Information (“APPI”) Updated version introduced 30.5.2017; first version introduced 30 May 2003 Cabinet Decision ("Basic Policy"), dated 12 June 2018 Binding provisions for all companies with APPI applicable Enforcement Rules for the Act on the Protection of Personal Information adopted by the PPC (“Enforcement Rules”) Supplementary rules under the APPI for the handling of Personal Data transferred from the EU based on an Adequacy Decision (“Supplementary Rules”) Established on 15 June 2018 by the Japanese data protection authority Personal Information Protection Commission Japan (PPC) Aiming at providing a higher level of data protection for EU data processed in Japan Only applicable for data received from EU entities© BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019
- 7. I. EU and Japan: new Trade Deals and Data Protection Laws II. Definition of personal data, personal information and PII III. Applicability of the GDPR and the APPI IV. IT Security documentation according to GDPR and APPI V. Lessons learned Content © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019
- 8. Definition of personal data, personal information and PII © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019 Types of Data PII: Personally identifiable data (USA) Personal Data (EU) Special categories of personal data (EU) special care- required personal information (JP) Personal Information (JP) Personal Data (JP)
- 9. Definition of personal data, personal information and PII Personal Information (APPI): “information relating to a living individual” Broad range: if any other entity may identify the person based on the information Personal Data (GDPR): “all information relating to an identified or identifiable living natural person (‘data subject’)” PII (NIST): “any information about an individual maintained by an agency” Information linked or linkable to an individual GDPR and APPI: Pseudonymous Data is Personal Data/Personal Information! All identifiable characteristics are replaced by identifiers Including individual identification codes (even encrypted data) Even if the Controller does not have access to the identifying information © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019
- 10. Definition of personal data, personal information and PII © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019 Type of Data PII (USA) Personal information (JP) Personal Data (EU) Name, Address, Date of birth Social Security or Credit Card No. superman42@ hotmail.com IP-Addresses, (IoT) DeviceIDs Online Identifiers (CookieID, …) Location Data
- 11. I. EU and Japan: new Trade Deals and Data Protection Laws II. Definition of personal data, personal information and PII III. Applicability of the GDPR and the APPI IV. IT Security documentation according to GDPR and APPI V. Lessons learned Content © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019
- 12. Applicability of the GDPR and the APPI Basic Principles on international applicability of data protection laws: © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019 1 2 3
- 13. Applicability of the GDPR and the APPI Case 1:Collection of a Data Subject’s personal data by a entity located within the same country as the Data Subject (one step) Only the country’s laws of Data Subject’s and entity’s location apply GDPR special provisions: territorial scope also applicable if the foreign company has an establishment in Europe The establishment in Europe does not need to process the data subject’s data E.g. renting office space only for advertisement purposes © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019 1
- 14. Applicability of the GDPR and the APPI Case 2:First, collection of Personal Data within the Data Subject’s country; Second, transfer from the entity to an entity located in a third country GDPR requirements for third country transfers: Full GDPR compliance only for first entity which collects the data Appropriate safeguards, e.g. adequacy decision, Standard Contractual Clauses (SCC) For the receiving entity: bound to the provisions of Appropriate Safeguards, GDPR compliant purposes and local laws and further provisions apply APPI requirements for third country transfers: To be based on a) equivalent standards set by PI Protection Commission, b) contractual agreements to ensure equivalent standards or c) consent was© BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019 2
- 15. Applicability of the GDPR and the APPI Case 3:Collection of a Data Subject’s personal data by an entity located in another country than the data subject (third country) Basis: local laws of the collecting entity apply Additionally: extraterritorial scope in many Data Protection Laws E.g. in Article 3 (2) GDPR, Article 75 APPI or § 1798.140 [c] CCPA Even with no establishment in the country where the Data Subject is located © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019 3
- 16. Applicability of the GDPR and the APPI Case 3: GDPR’s scope on collection of personal data outside the EU, Article 3 (2): Entity aiming at Data Subjects located in the EU and Entity offers goods or services in the EU or … Applicable when obviously intending to offer services in EU member states Examples: websites in an EU language, price labeling in local currency (e.g. EUR) … observing the behavior of Data Subjects located in EU Activity linked with behavioral monitoring of Data Subjects taking place within the EU Special GDPR provisions with extraterritorial scope: Designation of a Representative within the EU acc. Article 27© BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019 3
- 17. Applicability of the GDPR and the APPI © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019 1 2 3 Applicable Data Protection Law in Japan: - Applicable Data Protection Law in Japan: APPI Basic Policy Supplementary Rules Enforcement Rules GDPR purpose limitation Applicable Data Protection Law in Japan: APPI Basic Policy Supplementary Rules GDPR
- 18. I. EU and Japan: new Trade Deals and Data Protection Laws II. Definition of personal data, personal information and PII III. Applicability of the GDPR and the APPI IV. IT Security documentation according to GDPR and APPI V. Lessons learned Content © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019
- 19. IT Security documentation according to GDPR and APPI General Compliance obligations of the GDPR: Accountability Principle (documentation of GDPR compliance) Information obligations (supplying privacy policies for websites, customers, …) Rights of the data subject (access, correction, deletion, …) Data protection by design and by default (considering GDPR when planning) Contract Data Processing (contracts to bind processing Service Providers) Records of processing activities (documentation of processing operations) Security of processing (technical and organizational measures) Notification of a personal data breach (72 hour deadline to supervisory authority)© BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019
- 20. IT Security documentation according to GDPR and APPI Appropriate technical and organizational measures, Article 32 GDPR, include: the pseudonymization and encryption of personal data the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems the ability to restore the availability in a case of a Security incident; a process for regularly testing, assessing and evaluating the effectiveness of the taken measures Taking into account Costs and Risks GDPR stresses availability of data © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019 Security Control Action, Article 20 APPI: “A personal information handling business operator shall take necessary and appropriate action for the security control of personal data including preventing the leakage, loss or damage of its handled personal data.” APPI stresses minizing risks of data loss
- 21. IT Security documentation according to GDPR and APPI Recommended Documentation of IT Security Measures: Establishing procedures for a Data Security Process: Management measures to protect personal data, … General information: Location of premises and data centers, processing systems, … Organizational control: Management tasks, employee training, Review process, … Description of the technical and administrative measures: Protection target: Confidentiality (Entry control, Admittance control, Access control, Separation control) Protection target: Integrity (Data circulation control, Entry control) Protection target: Availability (Availability control)© BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019 Measures to document IT Security Data Security Process Documentation of IT Security Measures
- 22. I. EU and Japan: new Trade Deals and Data Protection Laws II. Definition of personal data, personal information and PII III. Applicability of the GDPR and the APPI IV. IT Security documentation according to GDPR and APPI V. Lessons learned Content © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019
- 23. Lessons learned: More data protection laws worldwide require data audits Ensure tagging and documentation of all data, depending on applicable law(s) Personal Data/Information cover most information on identifiable individuals APPI offers possibilities on processing Anonymously Processed Information Most laws contain provisions on extraterritorial applicability GDPR: Obligation to appoint a Representative acc. Article 27 Organize processing to avoid (full) GDPR applicability Document IT Security measures © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019
- 24. Contact BHO Legal Hohenstaufenring 29-37 50674 Cologne Germany Tel.: + 49 (0) 221 270 956 0 E-Mail: cologne@bho-legal.com © BHO Legal, 2019 | Dr. Matthias Lachenmann | Code Blue Conference | 30 October 2019 Dr. Matthias Lachenmann Attorney-at-Law | Partner Tel.: + 49 (0) 221 270 956 180 Cell: + 49 (0) 151 240 213 44 E-Mail: matthias.lachenmann@bho-legal.com