Regulatory & Compliance: Data privacy: a global perspective on application and future regulation Daniella Kafouris Associate Director Deloitte Risk Advisory
Jan 17, 2016
© 2014 Deloitte Touche Tohmatsu Limited
Data Privacy in South Africa
PPIA description
The PPIA sets conditions for how information must be processed and how entities are to comply with global data privacy standards. It has been signed by the President and is now law. Entities will have only one year from the commencement date to comply or face significant consequences. Data privacy regulates personal information that is processed by public or private entities, whether in hard-copy or soft-copy format.
Protection of Personal Information Act 4 of 2013
Timeline
1997: Constitution published
2005: Law Commission finalised investigation
2009: PPIB published
2012: Portfolio Committee approved PPIB
2013: PPIB became law
Regulation of the entire data life cycle
Additional requirements
• Special personal information
• Information about children
• Information Regulator
• Direct marketing
• Trans-border information flows
Key conditions for processing personal information
• Accountability
• Processing limitations
• Purpose specification
• Further processing
• Information quality
• Openness
• Security safeguards
• Data subject participation
Your duties and obligations
5. Information officer
6. Regulator
7. Reporting – data subject (DS) and loss
8. Security – self audit
9. Special PI – religion/philosophy, race/ethnicity, union, politics, health/sexuality, biometrics, criminal allegations, child
10. Operator contract – processing, security and reporting
11. Direct marketing*
12. Cross border*
Direct marketing
Approach in person, by mail or by electronic communication.
• Must contain the sender's contact details
• Electronic communication is prohibited unless there is consent or an existing customer relationship (similar services/products); the customer may be approached once but can opt out
• In person or by mail: all lifecycle requirements must be met (reasonableness and non-excessive collection, responsible party (RP) legitimate interest, DS can object, DS notified of collection, security, cross-border transfer, SPI)
Privacy protection globally
[Map: countries shaded by status: constitutional coverage; has privacy law protection; law in process; no data protection law; sectoral laws]
Privacy protection in Africa
[Map of Africa: countries shaded by status: constitutional coverage; has privacy law protection; law in process; no data protection law; sectoral laws]
What is the privacy impact?
Information Regulator: self-reporting notification, criminal investigation, complaints, audit
Data subject: post, media, website
Fines: up to R10 million
Imprisonment: 12 months to 10 years
What is the global movement towards compliance and privacy?
Data protection / information protection authorities
• Hong Kong: Office of the Privacy Commissioner for Personal Data
• United States: no national data protection authority – Federal Trade Commission (FTC), State Attorneys General, federal financial regulators
• Japan: similar consumer protection stance; multiple regulators
• United Kingdom: Information Commissioner's Office
• Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit
• Canada: Privacy Commissioner of Canada
• South Africa: Information Regulator (proposed)
Current privacy regulatory framework / proposed privacy regulatory framework
What has gotten companies in trouble?
Examples of activities where non-compliance led to enforcement actions, lawsuits or monetary fines:
• Failure to comply with the organization's own privacy policies (especially when third parties are involved in processing data)
• Misrepresenting the purpose for collecting personal data
• Failure to disclose the means used to collect data, i.e. the use and/or duration of cookies, web bugs, spyware and tracking technologies (especially in an HR environment)
• Disclosing, sharing or selling personal data to third parties contrary to the organization's privacy policy or legal/contractual framework (e.g. in a cloud environment)
• Export of personal data not in compliance with the privacy laws of the originating country
• Misrepresenting the security protection and redress possibilities for personal data
Organizations that do not adequately manage the risk of compliance with privacy laws and regulations may face the following:
• Suspension or stopping of data processing and data transfers
• Restructuring of local and global IT systems and processes
• Relocation of services and renegotiation of contracts with vendors, suppliers etc.
• Need to obtain consent to be able to lawfully use the data
• Loss of potential revenues or opportunities where use of databases is restricted
But also:
• Liabilities to customers, partners and others whose information is compromised
• Time lost taking systems offline to do the forensics necessary to find out what went wrong
• Extra software and other upgrades to make sure the problem doesn't happen again
• Opportunity cost (personnel performing all of these tasks are not doing other revenue-earning work that would benefit the company)
• Damage to company reputation, which can affect future sales efforts
• Loss of confidence of data protection authorities and/or employees/customers
• Joint and several liability for supplier failures
Foreign Jurisdictions overview & actions taken to address e-commerce
European Union
• The EU list of electronically supplied services is as follows:
i. “Website supply, web-hosting, distance maintenance of programmes and equipment;
ii. Supply of software and updating thereof;
iii. Supply of images, text and information and making available of databases;
iv. Supply of music, films and games, including games of chance and gambling games, and of political, cultural, artistic, sporting, scientific and entertainment broadcasts and events;
v. Supply of distance teaching.”
South Africa: pre-2014 and post-2014 VAT amendments
VAT Treatment of Cross-Border Electronic Services – Certain foreign suppliers will now be required to register in SA
• The South African VAT legislation was officially amended in December 2013 to address electronic services supplied by persons from an export country to a South African resident or where payment for the supply originates from a SA bank account.
• The amendments were due to come into effect on 1 April 2014; however, this was postponed until 1 June 2014.
• From 1 June 2014 foreign suppliers supplying services which qualify as electronically supplied services will be required to register for VAT in SA at the end of any month where the value of supplies exceeds R50,000.
• The list includes the following main categories, each of which contains specific sub-categories:
i. Educational services
ii. Games and games of chance
iii. Internet-based auction services
iv. Miscellaneous services (e.g. supply of e-books, music, etc.)
v. Subscription service to a list of specific items
• South Africa does not make a B2B and B2C distinction.
Deloitte TMT predictions 2014
• Wearable computing ($3 billion)
• Tablets (BYOD)
• Massive Open Online Courses (MOOCs): 100%
• E-visits: 100 million globally
• VOD in Sub-Saharan Africa growth (1m)
Contact details
Daniella Kafouris
Deloitte Associate Director – Johannesburg, Risk Advisory – Legal
BA LLB HDIP Cyberlaw
Certified Information Privacy Professional – CIPP US / EU
International Association of Privacy Professionals – Certified Trainer, Member of IAPP Faculty
Tel: +27 (011) 209 8101
Mobile: +27 (0)72 559 0360
[email protected]
@dkafouris
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte provides audit, tax, consulting and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. The more than 200 000 professionals of Deloitte are committed to becoming the standard of excellence. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication. © 2014 Deloitte & Touche. All rights reserved. Member of Deloitte Touche Tohmatsu Limited