Patrick Gunning from King & Wood Mallesons reports that, on November 2, 2023, the Australian Information Commissioner filed proceedings in the Federal Court of Australia against Australian Clinical Labs Limited seeking a civil penalty (i.e., a fine) in connection with the company’s response to a data breach that occurred in February 2022. The case is significant because: (1) it is only the second time that the Australian regulator has brought court proceedings of this kind despite having the power to do so since 2014; and (2) it signals the regulator’s priority in ensuring that cybersecurity incidents are responded to swiftly. The Australian legislature increased maximum penalties for ‘serious’ contraventions of the Privacy Act with effect from December 2022 to at least A$50 million. However, the maximum penalty available in this case will be A$2.2 million because the company’s conduct occurred prior to December 2022.
On April 21, 2022, the United States, Canada, Japan, Singapore, the Philippines, the Republic of Korea and Chinese Taipei published a declaration (the “Declaration”) establishing the Global Cross-Border Privacy Rules Forum (the “Global CBPR Forum”). The Global CBPR Forum will establish an international certification system based on the existing APEC Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) Systems, enabling participation beyond APEC member economies. The Global CBPR and PRP Systems, as they will be known, are designed to support the free flow of data and effective data protection, and enable interoperability with other privacy frameworks.
On July 23, 2019, APEC issued a press release announcing the recent appointment of the Infocomm Media Development Authority (“IMDA”) as Singapore’s Accountability Agent for the APEC Cross-Border Privacy Rules (“CBRP”) and APEC Privacy Recognition for Processors (“PRP”). This makes Singapore the third APEC economy that has fully operationalized its participation in the CBPR system, following the United States, which has two CBPR Accountability Agents, and Japan, which has one CBPR Accountability Agent.
On March 6, 2018, Singapore’s Ministry of Communications and Information announced that Singapore has joined the APEC Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) systems. As we previously reported, Singapore submitted its intent to join both systems in July 2017.
On February 1, 2018, the Singapore Personal Data Protection Commission (the “PDPC”) published its response to feedback collected during a public consultation process conducted during the late summer and fall of 2017 (the “Response”). During that public consultation, the PDPC circulated a proposal relating to two general topics: (1) the relevance of two new alternative bases for collecting, using and disclosing personal data (“Notification of Purpose” and “Legal or Business Purpose”), and (2) a mandatory data breach notification requirement. The PDPC invited feedback from the public on these topics.
On July 27, 2017, Singapore submitted its notice of intent to join the APEC Cross-Border Privacy Rules (“CBPR”) system and the APEC Privacy Recognition for Processors System (“PRP”). Singapore would be the sixth member of the CBPR system, joining Canada, Japan, Mexico, the United States and the newest member, South Korea. The announcement was made by Dr. Yaacob Ibrahim, Minister for Communication and Information, at the Personal Data Protection Seminar 2017.
On April 14, 2015, the American Chamber of Commerce in China (“AmCham”) published a report, entitled Protecting Data Flows in the US-China Bilateral Investment Treaty (the “Report”). The Report is part of AmCham’s Policy Spotlight Series. While in principle addressed to the U.S. and Chinese teams that are currently negotiating the Bilateral Investment Treaty, the Report has been made public. It thereby provides insight into the emerging issue of data localization for the benefit of a much wider audience.
On May 16, 2014, the Singapore Personal Data Protection Commission (the “Commission”) published advisory guidelines for the implementation of its Personal Data Protection Act (the “PDPA”) for two industry sectors. The guidelines were published on the same day on which the Commission held its well-attended Personal Data Protection Seminar focusing on international perspectives on data governance. The advisory guidelines generally have the following content:
On September 24, 2013, the Singapore Personal Data Protection Commission (the “Commission”) published guidelines to facilitate implementation of the Singapore Personal Data Protection Act (the “PDPA”). The Advisory Guidelines on Key Concepts in the Personal Data Protection Act and the Advisory Guidelines on the Personal Data Protection Act for Selected Topics provide explanations of concepts underlying the data protection principles in the PDPA, and offer guidance on how the Commission may interpret and apply the PDPA with respect to certain issues (e.g., anonymization, employment, national identification numbers). The guidelines are advisory only; they are not legally binding.
Following up on its February 5, 2013 consultation paper, Singapore’s Personal Data Protection Commission has issued two additional public consultation papers concerning the guidelines the Commission is empowered to issue under the new data protection law. The first proposed set of advisory guidelines examines key concepts in the Personal Data Protection Act (“PDPA”), with thorough discussions of definitions as well as data protection obligations set forth in the PDPA. The second paper addresses selected topics: analytics and research, anonymization, employment, use of national ID numbers and online activities. In addition, the Commission has produced a cover note on how to submit comments on these public consultations.
On February 5, 2013, Singapore’s new data protection agency, the Personal Data Protection Commission, published its first consultation paper (the “Paper”) articulating proposals for a data protection regulation. The Paper outlines the Commission’s positions on three key issues: (1) requests for access and correction; (2) transfer of personal data outside of Singapore; and (3) individuals who may act for others under the Personal Data Protection Act (“PDPA”). The PDPA was passed by the Singapore Parliament in October 2012 and became law in January 2013.
On October 15, 2012, the Singapore Parliament passed the Personal Data Protection Act 2012. Though a law has been under discussion for quite some time, this bill was introduced before Parliament only recently, in September of this year. The new law will apply only to data processing in the private sector as data processing by public agencies (or organizations acting on behalf of public agencies) are already subject to internal government rules. Reportedly, the bill will become law in January 2013, enforceable after 18 months, in mid-2014.
On April 27, 2012, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) submitted comments to the latest Singapore consultation on proposed personal data protection legislation, the Personal Data Protection Act 2012. The consultation is being conducted by the Ministry of Information, Communications and the Arts and expired on April 30, 2012.
On September 13, 2011, the Singapore Ministry of Information, Communications and the Arts (the “Ministry”) published a Proposed Consumer Data Protection Regime for Singapore, outlining possible ideas for a data privacy framework and soliciting comments from the public. A few of the suggestions from the Ministry’s proposal that appear most likely to be reflected in a final data privacy law are outlined below.
On July 28, 2009, the Data Privacy Subgroup meeting at the Asia-Pacific Economic Cooperation (APEC) Forum in Singapore reported a number of privacy-related legislative developments on the horizon. Among the highlights:
- On July 15, the Malaysian Cabinet approved privacy legislation to be enacted by the Parliament in early 2010
- Vietnam is set to enact consumer protection legislation including privacy provisions in 2010
- Hong Kong's Privacy Commissioner will soon begin a review process to evaluate how privacy law has kept up with changing technology
- The Philippines is set to enact ...
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code