Safe Harbor invalid: What to expect after the ruling?

Sarah Cadiot and Laura De Boel explain what businesses can do to enable transfers to the US.

Issue 137
October 2015

On 6 October 2015, the Court of Justice of the European Union (CJEU) issued a landmark judgment invalidating the European Commission's Decision of 2000 which recognised the adequacy of the EU-U.S. Safe Harbor framework (Safe Harbor). In addition to the invalidation of this adequacy decision, the CJEU upheld the power of national Data Protection Authorities (DPAs) to independently investigate international data

Continued on p.3

- Safe Harbor invalid: What now?
- EU clarifies concept of territoriality
- Comment: Safe Harbor collapses
- EU and US agree on data transfers for law enforcement
- Telefonica fined 10+ times in Spain
- Korea chooses 'active use of Big Data' to stimulate 'Creative Economy'
- Book Review: Cloud Computing

ANALYSIS
- Getting to grips with US government requests for data
- The One-Stop-Shop mechanism
- DPAs' GPEN grows
- Indian Supreme Court causes confusion on data privacy and ID

LEGISLATION
- Japan amends its DP Act
- Indonesia issues draft Ministerial Regulation

MANAGEMENT
- US NIST invites comments on IoT standards framework
- Assessing privacy risks as part of a Privacy by Design programme

NEWS IN BRIEF
- Hungary makes BCRs possible
- Russian data localisation law
- Mexico considers $2 million fine
- EDPS: Ethics Advisory Board and collection of passenger data
- Website awarded Europrise Seal
- DPAs: Sweep on children's data raises concerns
- Singapore issues new guidance
- France adopts surveillance Act

ECJ clarifies meaning of territorial scope in DP Directive

Hungarian data protection law applies to a company's activities in Hungary although registered in Slovakia. Andrea Klára Soós reports.

On 1 October 2015, the European Court of Justice (ECJ) published its decision in case No. C-230/14. In this decision the ECJ followed the argumentation of Advocate General Pedro Cruz Villalón and came to the conclusion that the principle of establishment should be applied by the authorities of other EU Member States. Consequently, it [...] the controller could be investigated

Continued on p.5

PL&B eventgTEGISLATION
lndonesia
issues
draft
Ministerial
Regulation
on
Data
Protection
By
Sinta Dewi
Rosadi.
Although mobile traffic data [...] legal protection for such digital-based activities is still weak. Currently there are no specific rules that ensure the protection of users' data privacy.

With a wide range of applications, users are asked to provide their address, mobile phone number and credit card number, and those details will be recorded. No less important is that data controllers process data on transactions, travel routes, user habits, patterns of communications and data about user activity in the context of a variety of applications or Internet pages.

To address these developments, Indonesia's Ministry of Communications and Informatics (Infocom) has drafted Ministerial Regulations on Personal Data Protection (PDPES) in Electronic Systems as an implementing regulation based on Government Regulation No. 82/2012 on Electronic Transaction Systems.2 Ministry regulations are a lower form of legislation than Government regulations or Acts of Parliament.

The PDPES will cover basic protection mechanisms such as the rights of data subjects, user liability, liability for operators of electronic systems, dispute resolution, public participation and administrative sanctions. A public consultation was completed in July, but it is not certain when the final Regulation will be released.

The draft regulation deserves attention because for the first time the government of Indonesia will issue a specific regulation on protection of personal data. However, it is regrettable that PDPES will overlap with the Personal Data Bill being prepared by another Directorate in Infocom. A ministerial regulation is not compatible with Indonesia's Constitution, according to which personal data protection is part of the Privacy Right which is protected by the Constitution and considered as a fundamental right, therefore requiring an Act rather than the lesser form of a Ministerial Regulation.

It may also be criticised on other grounds. The PDPES does not clearly stipulate its scope (individuals or legal entities; public and/or private sectors), although it does only apply to 'Electronic System Operators'. The regulation only applies minimum basic data protection principles such as consent, right to verified content, and right to access and correction. The regulation requires data subjects' written consent, but does not clearly stipulate whether the mechanism to be used is opt-in or opt-out.

The data retention period is long under PDPES (5 years); this is in accordance with the National Retention Schedules Regulation in the National Archives Law, which was developed to regulate the public archive, not personal data.

There is no specific rule in PDPES that gives authority to a state institution to supervise this system. To effectively implement legislation, a supervision mechanism would be required, as well as a legal instrument which governs personal data protection.

According to the 'data localisation' requirement in the draft governmental regulation (under which this ministerial regulation is made) the 'data centre and disaster recovery centre' must be located on Indonesian territory. This draft is still tentative because the Ministry is in the process of receiving input from the public. The Draft Ministry Regulation will operate as follows:

1. Protected personal data
Personal data refers to any true and real information that can be directly or indirectly identified as relating to an individual, to be used in accordance with existing regulation.

2. Data collection and processing
The PDPES includes protection of the collection, processing, analysing, storing, notification, transmission, dissemination and destruction of Personal Data. Personal data shall be processed only if:
(a) Data subjects have given their consent
(b) Personal data obtained and collected directly must be verified by the data subject
(c) Personal data obtained and collected indirectly must be verified based on various sources
(d) Personal data may only be processed and analysed according to the needs/purpose of the Electronic Systems Operator that have been stated clearly when obtaining and collecting the data.

3. Retention
Electronic Systems operators may store personal data for 5 years or more or in accordance with applicable regulations.

4. Responsibility of electronic system administrator/management
Each Electronic System Operator must have internal rules to carry out the process and ensure the protection of personal data.

5. The rights of data subjects:
a. The confidentiality of their personal data
b. The right to file a complaint with the personal data dispute resolution institutions for failure of personal data confidentiality protection by the Operator Electronic Systems, and the right to sue in a civil court
c. The right to reclaim one's personal data, when the services of an Electronic System Operator are no longer needed
d. The right to access and the opportunity to change or update personal data without disturbing personal data management systems.

6. The responsibility of controllers of data
a. To maintain the confidentiality of personal data that it has obtained, collected, processed and analysed
b. To process personal data only in accordance with the purposes for which it was collected