PL&B International E-news, Issue 36
- Japan’s data protection comes into force
- EU approves guidelines for anti-fraud databases
- Europe urged to promote data protection officers
- Spain teams up with US in fight against spam
- US agencies publish security response guidelines
1. Japan’s data protection comes into force
On April 1st, Japan’s Personal Information Law came into force. The law, which was passed in May 2003, covers both the public and private sectors. It applies to any organisation holding information on more than 5,000 individuals.
The law contains similar provisions to privacy laws in Europe. Organisations are required to explain to individuals how their details will be used, seek consent before disclosing information to third parties, limit data processing for secondary purposes, and implement security controls to prevent unauthorised access.
Consumers and employees have also been given specific privacy rights, such as the right to access personal data held by organisations and to correct or delete inaccurate information.
Sanctions for breaching the law include fines up to 300,000 yen (around Euros 2,000 or $3,000) and the possibility of a six month maximum prison sentence.
Unlike most countries that have enacted privacy legislation, Japan’s Personal Information Law will not be supervised by a single independent regulatory authority. Instead, government departments have been tasked, not with enforcing the law on their respective jurisdictions, but with producing sector specific guidance. The telecommunications sector, for example, will be overseen by the Ministry for Internal Affairs and Communications (MIC), while employment and healthcare issues will be handled by the Ministry of Health, Labour and Welfare.
2. EU approves guidelines for anti-fraud databases
The Article 29 Data Protection Working Party (the EU’s data protection advisory body) has endorsed a set of industry-developed guidelines aimed at preventing payment fraud across Europe. The guidelines set out the payment industry’s legal obligations when setting up pan-European databases on merchants which are no longer permitted to accept card payments.
The European Commission estimates the pan-European anti-fraud databases could save up to Euros 200 million. The guidelines will be implemented by Mastercard and Visa over the following year and the operation of the guidelines will be reviewed by the Working Party in 2006.
3. Europe urged to promote data protection officers
The Article 29 Working Party has published a number of recommendations for simplifying the notification process (the requirement for organisations to register or notify their data processing activities with their national data protection authority).
The Working Party has urged European governments to reduce the bureaucratic burden of notification by taking advantage of the exemption and simplification measures outlined in the EU Data Protection Directive. For example, in some EU member states - although not in the UK - organisations that appoint official data protection officers are exempted from notification.
Data protection authorities are also being advised to consider making the registration process simpler, for example, by setting up online notification forms that use drop-down category lists.
4. Spain teams up with US in fight against spam
Spain has signed a bilateral Memorandum of Understanding (MoU) with the US Federal Trade Commission (FTC) to promote enhanced cooperation and information-sharing on spam enforcement. The FTC has recently signed MoUs with the UK and Australia.
5. US agencies publish security response guidelines
A number of US government financial agencies have published interagency advice on how to respond to security incidents which compromise consumers’ personal data. The guidance follows a number of high profile security breaches in the US, in which hundreds of thousands of people’s personal information were left exposed. In one case, criminals were able to access records on 145,000 people held by data broker ChoicePoint. As a result, around 750 people become targets of identity fraud.
The guidance, drawn up by agencies including the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation, states that organisations should inform customers of any unauthorised access to their accounts that could result in “substantial harm or inconvenience”.
Financial institutions that suffer security breaches should investigate the likelihood that customer data has been, or will be, misused. “If the institution determines that misuse of its information about a customer has occurred or is reasonably possible,” states the guidance, “it should notify the affected customer as soon as possible.” Delays will be allowed where notifying customers would inhibit investigations by law enforcement agencies.
Copyright Privacy Laws & Business 2005