It is important for organizations and companies to protect an individual’s data privacy. The General Data Protection Regulation (GDPR), the Personal Data Privacy Ordinance (PDPO) and California’s new IoT Security Law (SB-327) are laws that regulate the use of personal data and the security of devices. The sections below explain the differences between these laws in terms of background, coverage, individual rights, penalties and breach notification.
The GDPR (General Data Protection Regulation) has been implemented since 2016. It states that all companies or enterprises that use the personal data of European residents have to comply with the law. The new regulatory framework includes several requirements that are not found under the PDPO in Hong Kong. The PDPO, by contrast, took effect in 1996 and is one of Asia’s longest-standing data protection laws. A more recent addition is California’s new IoT (Internet of Things) security law. Its significance lies in its “reasonable security measures” requirement: a device must either ship with a unique preprogrammed password or require the user to generate a new means of authentication before access is granted.
In terms of coverage, the GDPR has the widest reach. It applies to (1) data processors and controllers with an establishment in the EU where personal data is processed in the context of the activities of that establishment*, regardless of whether the data is actually processed in the EU, and (2) data processors and controllers that do not have an establishment in the EU but offer goods or services to, or monitor the behaviour of, individuals in the EU. The PDPO in Hong Kong applies only to data users (controllers/processors) who, either alone or jointly or in common with other persons, control the collection, holding, processing or use of personal data in or from Hong Kong. California’s new IoT security law differs from both. Rather than covering the use of personal data, it focuses primarily on IoT devices sold in California, and it defines an IoT device as any device or “other physical object” that is capable of connecting to the internet (even by being paired with another device) and is assigned an IP or Bluetooth address.
*Establishment: the presence of sales offices that promote, sell, advertise or market goods or services to individuals in the EU.
The GDPR grants an individual the following 4 rights: (1) an enhanced right to notice on data processing; (2) an enhanced right to erasure (the “right to be forgotten”); (3) an enhanced right to object to processing; and (4) a new right to restriction of processing and to data portability. Compared with the GDPR, individuals under the PDPO have fewer rights. The notice requirements on data users/controllers (processors) are less extensive. Individuals have no right to erasure, but data shall not be retained longer than necessary. They have no right to restrict processing or to data portability, but data access and correction requests must be complied with. Individuals also have no right to object to processing (including profiling), but they may refuse direct marketing activities, and the PDPO contains provisions regulating data matching procedures. Although individuals under the PDPO appear to have fewer rights than under the GDPR, they still retain the right to request access to and correction of their personal data. The data subject also has the right to be asked for consent before a matching procedure is carried out. California’s new IoT security law currently specifies no private right of action.
In terms of penalties, the GDPR empowers data protection authorities to impose administrative fines on data controllers and processors for contravention of the GDPR. The penalty depends on the nature of the breach. Lower-tier infringements can attract a fine of 10 million euros or 2% of total worldwide annual turnover of the preceding financial year; upper-tier infringements can attract a fine of 20 million euros or 4% of total worldwide annual turnover of the preceding financial year. Under the PDPO in Hong Kong, the Privacy Commissioner is not empowered to impose administrative fines or penalties. The Privacy Commissioner may, however, serve enforcement notices on data users, and failure to comply with such a notice may attract penalties after the judicial process. For example, disclosing a person’s data without the data user’s consent carries a maximum penalty of a fine of 1 million Hong Kong dollars and imprisonment for 5 years. Failure to comply with the direct marketing requirements can result in a fine of HK$500,000 and imprisonment for 3 years, or up to a fine of HK$1,000,000 and imprisonment for 5 years if the data was provided to a third party for gain. California’s new IoT security law delegates enforcement exclusively to the California Attorney General, city attorneys, county counsels and district attorneys. The law does not specify what types of penalties may be imposed or what the maximum penalties are.
Breach notification is the formal notification given by the data user to the affected data subjects, the relevant parties and the regulators after a data breach. Under the GDPR, data breach notification is mandatory. Organizations must notify the supervisory authority in the relevant EU member state within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Under the PDPO there is no mandatory requirement, although notifying the Privacy Commissioner is recommended in the interest of all stakeholders, including data users or controllers and data subjects. California’s new IoT security law currently contains no provision on breach notification.
Given the importance of the above laws and the risk of data breaches, organizations and companies have a responsibility to understand the coverage and penalties of these laws in order to protect individuals’ data privacy.
According to Article 32 of the GDPR, enterprises are required to implement a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures that ensure the security of processing. To monitor suspicious traffic and intrusions effectively, StormEye provides managed SOC and Log Management services that help enterprises fulfil these requirements and secure their data assets.
Under Article 33 of the GDPR, enterprises are required to notify a personal data breach within 72 hours of becoming aware of the incident. The SOC generates alerts and notifies customers of events so that enterprises can remediate issues before harm is done and report the incident to the authority.