The Singapore government has renewed its emphasis on cybersecurity due to the increase in incidents affecting the private and public sectors both domestically and around the world. As a result, Singapore set up its Cyber Security Agency (CSA) on April 1, 2015, to oversee strategy, education, outreach and industry development. On April 11, 2016, Dr. Yaacob Ibrahim, Minister for Communications and Information, announced that the government would develop a Cybersecurity Act (Cybersecurity Bill), which is expected to be tabled in Parliament next year.
On July 7, Russian President Vladimir Putin signed a law amending existing anti-terrorism legislation that could affect U.S. telecom and internet service companies operating in Russia. It will require that telecommunications operators and internet service providers (“ISPs”) retain up to 6 months of data, including personal data and communications content, as well as metadata, for periods up to 3 years. Further, if any encryption is used to protect the data, the telecommunication or internet service provider must provide the Russian authorities with the decryption technology.
On January 1, 2016, China’s National People’s Congress Standing Committee enacted the new Anti-Terrorism Law (反恐怖主义法) that gives broad powers to the Chinese authorities to access and handle data held by telecommunications operators and internet providers (together, “Technology Companies”). This law provides a legal framework to compel Technology Companies to cooperate and assist the Chinese authorities to combat the threat of “terrorism.”
The second edition of The Privacy, Data Protection and Cybersecurity Law Review appears as the world is converging on more privacy laws that cover more areas of business and are subject to more enforcement. Several Sidley lawyers in the Privacy, Data Security and Information Law practice have contributed to this publication, including Alan Charles Raul, William RM Long, Geraldine Scali, Catherine M. Valerio Barrad, Yuet Ming Tham, Jillian Lee, Takahiro Nonaka, Tasha D. Manoranjan, and Vivek K. Mohan. For a closer look at this developing area of law, please visit http://www.sidley.com/the-privacy-data-protection-and-cybersecurity-law-review-11-2015.
Despite having previously stated it would not issue further clarifications, in August 2015, the Russian Ministry of Communications and Mass Media (Minkomsvyaz) issued a further statement regarding the data localization law. The Ministry of Communications is empowered to supervise the data protection authority (Roskomnadzor) and to provide interpretations of laws that fall within its purview (including the data localization law). The Minkomsvyaz statement reiterated that the law does not have retroactive effect – personal data of Russians collected prior to September 1, 2015 may reside in a foreign jurisdiction so long as they are not updated or changed, at which point they would be subject to the localization requirement. The clarification further noted that the data localization requirement would not apply to entities that are not resident in Russia. This statement is notable for being issued in writing, and for providing companies with a statement of standards and expectations that they may cite should issues arise.
See previous coverage in Data Matters July 21, 2015 Post: Impending Russian Data Localization Law
Sidley does not practice law in Russia, so the information here is based on our understandings from public sources and discussions with local counsel. This article should not be construed as advice about Russian law.
On April 24, 2015, China amended its Advertising Law for the first time since its initial promulgation in 1994. The amended Advertising Law (the “Amended Law”) will take effect on September 1, 2015. In the absence of a comprehensive data protection law in China, the Amended Law introduces certain provisions addressing data and privacy issues, in addition to existing data privacy rules which are scattered in various laws and regulations.
On July 1, 2015, China’s top legislature adopted a new National Security Law (中华人民共和国国家安全法), highlighting cyber security and paving the way for a coordinated crisis management system. The law aims to provide a general legislative framework to cover a wide range of areas, ranging from finance, politics, the military and cyber security to culture, ideology and religion.
We are rapidly approaching the effective date for the so-called Russian “data localization law,” a development that prompted considerable backlash from the global business community and could have significant consequences for entities operating in the Russian market. In July 2014, Russia adopted Federal Law No. 242-FZ, which in effect requires that information a company holds pertaining to Russians must be stored on servers physically located within Russia. These obligations apply to individuals in their capacity as employees as well as consumers, thereby impacting even companies that do not maintain brick-and-mortar operations in Russia.
Section 33 of the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) (the PDPO) deals with the transfer of personal data, and prohibits the transfer of personal data outside Hong Kong except in specified circumstances, such as when:
- the data protection laws of the foreign country are similar to the PDPO; or
- the data subject has consented in writing to the transfer.