Data protection and cybersecurity in Brazil

In the years preceding the Brazilian Data Protection Law (Law No. 13.709/2018 or LGPD), there were already legal texts in force that provided for the protection of privacy and personal data in a piecemeal fashion in Brazil, such as the Federal Constitution of 1988, the Consumer Defense Code (Law No. 8.078/90), the Civil Code (Law No. 10.406/2002), the Positive Credit Act (Law No. 12.414/2011) and the Access to Information Act (Law No. 12.527/2011). The LGPD, in turn, was a response to the growth of personal data flows across all types of organisations. It came into force in September 2020 and regulates how organisations may process personal data in Brazil by establishing detailed rules for its use.

easyJet

‘The pandemic hit the airline sector hard and fast. We went from really being in growth mode, preparing forward-looking projects and a successful year in 2020, to very quickly having to ground our fleet almost overnight. We then had to deal with the implications of that for the company, which were severe,’ says Rebecca Mills, deputy general counsel of easyJet.

Defensive manoeuvres

What are the biggest challenges facing GCs from a cyber risk perspective right now?
There are two primary risks. It’s quite clear from recent guidance from the Information Commissioner’s Office (ICO) and other organisations that ransomware is prevalent. Therefore, businesses should be preparing their playbook and their response process, so that they have them ready for when any attack might happen. Indications are that the ICO and other regulators are going to be tougher in relation to cyber incidents; whereas before they may have regarded the attacked organisation as a victim, now, because cybercrime is so prevalent, they’re saying that businesses need to be ready. Some recent ICO decisions have not been favourable to victim organisations, so it’s important for GCs to be ready.

Cyber risk – is your organisation cyber-ready?

Cyber risk is a major threat to all businesses, irrespective of size, brand or industry. Over recent years, and particularly during the Covid-19 pandemic, the threat of a cyber-attack has increased significantly, with ransomware now being deployed against all business types and sectors. Given the increased regulation of data on a global basis and the focus of industry regulators on protecting data, a cyber-attack can and does have a very significant impact on a business, including immediate operational disruption, substantial management time diverted to dealing with the situation, loss of business, reputational damage, and the risk of multiple regulatory investigations and fines. Further, the entitlement of data subjects to compensation when a breach of legislation affects them has increased the risk of litigation in this area.

New green heroes

This is the third time we have run a boardroom priorities survey and the responses are helping build a strong picture of evolving priorities as boards face unprecedented challenges. Thank you to all those who have participated to help create valuable insights.

IT security in Germany: a jungle of laws

Introduction

Our society is becoming ever more interconnected and digital. At the same time, cyberattacks are constantly increasing, and headlines about successful attacks appear in the media daily. In its latest report on the state of IT security in Germany, the Federal Office for Information Security (BSI) notes an overall increase in cyberattacks as well as in the number of malware variants in circulation. The European and German legislators have recognised this growing threat and have passed a number of laws in recent years to counter it and to protect the economy and the state from cyber criminals. However, this has also produced a veritable ‘regulation jungle’ of legal provisions on IT security in Germany.

Framework: European regulations regarding IT security

In 2016, the European Union adopted Directive (EU) 2016/1148 (NIS Directive), creating the first EU-level legal framework for IT security standards. It aims to ensure a high common level of security of network and information systems across the EU. To this end, it sets benchmarks for security requirements and incident reporting obligations for operators of essential services and providers of digital services, which the member states further specify in their implementing legislation. A reform of the NIS Directive is currently in the legislative process.

Regulation (EU) 2019/881 (Cybersecurity Act) of 2019 strengthens the European Union Agency for Cybersecurity (ENISA), giving it a permanent mandate, and introduces a uniform framework for the cybersecurity certification of information and communication technology products, services and processes. In addition, other instruments directly address cybersecurity, such as the ePrivacy Directive (last revised in 2009), the Cyberattack Regulation (2019) and the Directive on Attacks against Information Systems (2013).

Dedicated IT security laws and indirect requirements in Germany

At national level, the situation is even more complex. In 2015, the German legislator took a first step to counter the threat of cybercrime with the IT Security Act. It amended various laws, in particular the Act on the Federal Office for Information Security (BSIG). The IT Security Act aims to protect IT infrastructures against cyberattacks in order to prevent supply bottlenecks for business, government and society in Germany. Primarily, it addresses operators of so-called critical infrastructures: companies in selected sectors whose functioning is of great importance to German society.

Over the years, the German legislator has adjusted the IT Security Act as part of the implementation of the NIS Directive, but has also revised it independently of EU requirements. The most recent changes came into force in 2021. In particular, the scope of the BSIG was extended: it now covers not only operators of critical infrastructures and providers of digital services, but also companies in the special public interest and manufacturers of critical components. The category of companies in the special public interest is rather broad and to some extent even includes suppliers. The catalogue of obligations differs between these addressees, with operators of critical infrastructures facing the heaviest regulatory burden. Whether a company is an operator of a critical infrastructure is determined in three steps:

  • First, it must offer a service that is considered critical because of its importance to society. The critical services are specified in the Ordinance on the Identification of Critical Infrastructures (KritisVO) and fall within the sectors of energy, water, food, information technology and telecommunications, health, finance and insurance, transport and traffic, and municipal waste disposal.
  • Second, the operator must run a facility that is necessary for the provision of the critical service, for example a hospital providing inpatient medical care in the health sector.
  • Third, a certain level of supply must be reached as a quantitative criterion. The threshold value is calculated using formulas that are also defined in the KritisVO.

Operators are obliged to maintain an appropriate level of IT security in line with the so-called ‘state of the art’, a term that is open to interpretation. To meet this obligation, operators may apply industry-specific security standards, which describe information security procedures and measures by which an appropriate level of protection can be achieved. Operators must be able to document compliance with their security obligations and must report significant disruptions of IT security to the BSI. In this context, the obligation of manufacturers of critical components to issue a guarantee declaration to the operator should also be emphasised: without it, the operator may not use the component. From May 2023, the IT security requirements also include the use of attack detection systems, which continuously and automatically record and evaluate suitable parameters and characteristics from ongoing operations.

In addition to the BSIG, the IT Security Act also amends the IT security requirements of other sector-specific laws, such as the Nuclear Act, the Energy Industry Act and the Social Code.

However, a company that is not an addressee of the IT Security Act is not necessarily free of obligations to implement IT security measures. A hospital illustrates this. Under the KritisVO, a hospital is classified as an operator of a critical infrastructure only if it has more than 30,000 full inpatient cases per year. But as a result of the Patient Data Protection Act enacted in October 2020 and the newly introduced s75c of Book V of the Social Code, in force since 1 January 2022, all hospitals, regardless of thresholds, are now obliged to take appropriate organisational and technical precautions for IT security.

Telemedia providers are likewise required, under s19(4) TTDSG, to take such precautions to prevent unauthorised access to their technical facilities and to prevent malfunctions. For consumer contracts concluded on or after 1 January 2022, following the transposition of Directives (EU) 2019/771 and (EU) 2019/770, the German Civil Code obliges the trader in certain cases to provide updates in order to maintain conformity with the contract. These updates explicitly include IT security updates.

Even data protection law, in particular the General Data Protection Regulation (GDPR), gives rise to IT security obligations, because a cyberattack frequently also involves a personal data breach that triggers regulatory obligations under the GDPR. Article 32 GDPR requires technical and organisational measures appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the varying likelihood and severity of the risk to individuals. The same applies to Articles 24 and 25 GDPR. The protective purpose of these provisions is, however, narrower: they require IT security only insofar as it serves to protect personal data.

Moreover, IT security obligations can also arise from general laws that do not originally relate to IT security. They arise indirectly, for example from duties of care or from the specific design of a contract. In commercial and company law, for instance, members of corporate bodies owe duties of care that include ensuring an adequate level of IT security (s(2) Stock Corporation Act, s45 Limited Liability Companies Act). IT security measures can also be performance obligations under contracts, based on explicit or implicit agreement between the parties, and their non-fulfilment results in liability of the breaching party.

Conclusion

Cyber security law in Germany is complex. Depending on the nature of their business and their field of activity, companies can be subject to many preventive security obligations, and in the event of a cyberattack further regulations come into play. Companies must be aware of this interplay and know exactly which regulations affect them and which obligations they must comply with and implement. In light of advancing digitalisation, regulation is visibly increasing, and IT security is therefore likely to become even more heavily regulated in future. The latest legislative decisions suggest that ‘security by design’ may become a basic requirement for products.

Demystifying international arbitration

This year is an important one for arbitration in the UK, with Scotland hosting the largest international arbitration gathering in the world from 18 to 21 September. The International Council for Commercial Arbitration (ICCA), accredited as an NGO by the United Nations, is holding its biennial conference in Edinburgh, a little over ten years after a modern regime for governing arbitrations in Scotland was put in place by the Arbitration (Scotland) Act 2010.

But away from the focus such a prestigious conference will bring, what questions need to be asked by businesses of themselves about arbitration?

We can agree that formal dispute resolution processes are slow, often messy and can attract unwelcome scrutiny in this social media age. Finding effective ways to resolve disputes, with their inevitable burden on management time, is a worthwhile goal for any business. Negotiation and mediation have their place as cost-effective and quick means of overcoming differences, but sometimes a formal (and enforceable) decision is required. That is where arbitration has a key role to play.

Arbitration has been likened to private sector litigation. It is the referral of a dispute by the parties to a decision maker who pronounces a legally binding decision. Rather than using the traditional court model with its inherent resource constraints, the parties can determine their own procedure and choose their decision maker. This often leads to quicker outcomes.

The arbitration clause

Most arbitrations arise where businesses provide in their contracts for disputes to be resolved by arbitration. Having this in place ensures that the jurisdiction of the courts is ousted and the dispute is dealt with in a way agreed by both parties. While it is possible to agree to arbitration after a dispute has arisen, in practice this can be difficult once positions have become entrenched. So the key takeaway is to provide for arbitration in the contract.

The arbitration clause in the contract needs to cover certain essentials to ensure it works. Choices need to be made on the number of arbitrators, typically one or three (but never an even number), and on how they are appointed after a dispute arises. Parties can choose to apply the arbitral rules of a number of internationally recognised centres that offer appointment and administrative services. Picking the seat (venue) of the arbitration is very important because that choice determines which procedural law governs the way the arbitration is run (as distinct from the governing law of the contract, which determines the substantive rights and duties of the parties). The importance of getting the arbitration clause right cannot be overstated: failing to do so can lead to adverse or unexpected outcomes and, in the worst cases, litigation over whether there is an effective clause compelling arbitration.

So why arbitration?

Because it’s not tied to the courts of any jurisdiction, international arbitration is geographically flexible meaning that businesses wherever they are based can agree the place of arbitration and the governing law most suitable to them. This can break deadlock in cross border commerce ensuring that both parties have confidence in a neutral venue and are not stuck with the national courts of their counterparty. International arbitration offers real flexibility in choice with businesses picking the decision makers, the law, the venue and the rules of engagement, tailoring the dispute to parties’ needs rather than accepting inflexible rules.

Arbitrations are confidential. This means that they are conducted behind closed doors with sensitive commercial information not subject to public scrutiny. Unlike court judgments, the scope to challenge arbitral awards is limited. This offers the business community finality and certainty with the confidence that they can obtain a final binding decision that allows them to move forward in their endeavours without the risk of being tied up in appeal for years.

Successful parties in arbitration also tend to benefit from higher cost recoveries than are achievable in litigation. From an international perspective, arbitral awards are more readily enforceable abroad than national court judgments, and enforcement of judgments has become more challenging post-Brexit. In contrast, the arbitration enforcement landscape remains unchanged, with over 140 nations party to the 1958 New York Convention, making it easier to have your ‘win’ recognised and enforced in foreign jurisdictions and easing the transition from award to payment.

While litigation has an important role to play for emergency applications to prevent a wrong (or the continuation of a wrong) from taking place, the benefits of international arbitration are clear. For Scotland the introduction of the Arbitration (Scotland) Act 2010 brought legislation into line with modern arbitration practices, strengthening its position as a place for businesses to come to resolve their disputes.

Promotion of arbitration in Scotland and international arbitrations being seated in Scotland is at the heart of the Scottish Arbitration Centre’s mandate. There is an increasing tendency for arbitrations to be used by businesses, particularly in cross border disputes. That direction of travel will only increase following the spotlight ICCA will provide in Edinburgh this year.

Brodies, an official sponsor of ICCA 2020, is home to Scotland’s leading and largest dispute resolution and litigation team, with experts in international arbitration and all other aspects of dispute resolution.

Allan Dunlavy – Schillings

What types of work are you seeing at the moment in reputation management? Have there been any changes post-pandemic?
A lot of the work we’re doing at the moment, particularly with corporates and their senior leadership team, is about building resilience into their online profiles – so both the corporate profile and the individuals’ profiles. One of the things we’ve seen more recently, and I don’t think it’s necessarily pandemic-related, is an appreciation that companies do not stand apart from their people in this space. If your people have good reputations and resilient online profiles, then this will support the company and vice versa. There’s a connectivity between the two that didn’t really exist in the way it does now. So, we’re seeing that really take off.

Mexico: closer to GDPR than you think

BGBG is one of the few Mexican law firms with a practice exclusively dedicated to data protection and privacy matters. How is it that you came to this?
Héctor: Back in 2011, when we started this practice, there was little knowledge and interest in Mexico in data protection. Some colleagues even said to me that this was just a momentary eccentricity that would only last two or three years.

The privacy, data protection and cybersecurity law regime in China

Primary laws and regulations

China began establishing a comprehensive legal regime for privacy, data protection and cybersecurity in 2016, when the Cybersecurity Law (CSL) was promulgated. The regime was largely completed in 2021, when the Data Security Law (DSL) and the Personal Information Protection Law (PIPL) came into effect. The PIPL, DSL and CSL constitute the ‘Three Pillars’ of this legislation, and each has a different focus.

  1. The PIPL, effective from 1 November 2021, introduced robust and comprehensive rules on the processing and protection of personal information. The PIPL adopted many legal principles and rules that resemble those of the EU’s GDPR, but also contains various rules and requirements that differ markedly from the GDPR. Multinational companies with operations in China therefore cannot rely solely on GDPR-compliant policies and measures for compliance with the PIPL.
  2. The DSL, effective from 1 September 2021, applies to the processing of all kinds of data records, but focuses on important data and state core data that have a significant bearing on national security, social stability and the public interest.
  3. The CSL, effective from 1 June 2017, primarily regulates the construction, maintenance, operation and use of networks and the safeguarding of cybersecurity.

As omnibus laws, the PIPL, DSL and CSL contain rather broad and general rules and requirements with few specific implementation details. The Chinese regulators are currently deliberating and enacting implementing regulations and measures to supply the parameters and details of the relevant rules.

Aside from the general rules applicable to business operators in all sectors, there are industry-specific regulations and standards issued by various sectoral regulators that provide more detailed rules and/or heightened requirements for companies operating in particular lines of business, especially in heavily regulated sectors such as financial services (including banking, securities and insurance), medical and healthcare, automotive and online platforms. Business operators in these industries should also be aware of the additional, sector-oriented data protection requirements.

In addition, there are national or sector-specific standards, specifications or guidelines that lay out the best practices for business operators to follow in their data processing activities in China. While those guidelines are recommendations that do not have force of law, it is commonly acknowledged that the Chinese regulators will refer to them in assessing a company’s compliance with data protection requirements. Those guidelines, therefore, also warrant attention.

Main regulators

There is currently no single designated data protection authority in China. The Cyberspace Administration of China (CAC) is in charge of overall planning, co-ordination and related regulatory affairs, and takes the lead in formulating the implementing regulations and measures under the PIPL, DSL and CSL. Alongside the CAC, various ministries and sectoral regulators are, and will continue to be, responsible for overseeing and enforcing privacy and data protection requirements within their respective purview. The main ones are the Ministry of Industry and Information Technology (overseeing telecommunications and internet business activities, such as websites and mobile applications, as well as the automotive industry), the Ministry of Public Security (the police authority, whose regulatory focus is enforcement of the multi-level cybersecurity protection scheme under the CSL) and the State Administration for Market Regulation (primarily in charge of protecting consumers’ personal information).

Extraterritorial application

While the CSL, DSL and PIPL primarily apply to data processing activities conducted within China, the PIPL and DSL extend the geographic scope of China’s privacy and data protection regime to overseas organisations and processing activities.

The PIPL applies to processing activities conducted outside China that involve the personal information of individuals resident in China, where the processing: (i) is for the purpose of offering products or services to individuals in China; (ii) analyses and evaluates the behaviour of individuals in China; or (iii) falls within other circumstances stipulated by law. A foreign personal information processor (PIP, the PIPL’s term for a controller) that is subject to the extraterritorial application of the PIPL must establish a dedicated local organisation or appoint a representative in China and report its name and contact details to the competent regulators.

The DSL applies to data processing activities conducted outside of China that impair the national security of China, public interests, or legitimate rights and interests of organisations and individuals in China.

Requirements applicable to cross-border data transfers and data localisation

Under the PIPL, a transfer of personal information abroad must serve a genuine business need, the exporting controller (PIP) must ensure that the foreign recipient’s processing meets the standard of protection provided under the PIPL, and at least one of the following conditions must be satisfied (to the extent applicable):

  1. Critical information infrastructure operators (CIIOs) and controllers processing personal information above certain volume thresholds (anticipated to be set at the personal information of more than one million individuals) must store and process personal information and, where applicable, important data within China, and are generally required to undergo and pass a CAC-administered security assessment before exporting personal information or important data.
  2. A controller exporting personal information may need to obtain a personal information protection certification from an eligible institution in accordance with CAC regulations (yet to be issued). The circumstances triggering certification, the certification requirements and the scope of qualified certification institutions are currently unclear and require further clarification.
  3. An exporting controller would need to enter into a compliant contract with the foreign recipient concerning the export of personal information, based on a standard contract to be issued by the CAC. This is likely to be the default requirement.

Penalties for breach

Similar to the GDPR, the PIPL imposes significant penalties for serious breaches, measured in proportion to the annual turnover of the institutional offender. For a severe violation of the law, or where required data security measures are absent, fines can be up to the greater of (i) RMB50m and (ii) 5% of the offending entity’s turnover in the preceding year. Additional administrative sanctions may also be imposed.

An institutional offender may further face civil claims brought by the affected individuals or, where it infringes the rights and interests of many individuals, public interest litigation brought by the people’s procuratorate or other competent institutions. In civil proceedings, the burden of proof shifts to the PIP, which must show that it was not at fault.

Criminal liability may be triggered by malicious acts (such as the illegal sale of personal information) where the consequences of the breach are severe.

Conclusions

The PIPL, DSL and CSL jointly form the framework of the Chinese privacy and data protection regime and have brought it into a new age. That said, many of the detailed rules under them are still being deliberated by the Chinese regulators, and a string of implementing regulations and measures can be expected to be announced and brought into force in the foreseeable future. Multinational companies with operations in China are advised to keep close track of these developments to ensure timely compliance.

A state of flux

For personal injury (PI) practitioners, dynamism is one of the features that makes this such a fulfilling field to work in. The work follows a constant ebb and flow of patterns and trends, from the boom and wane of asbestos-related cases, to the rapid spike in noise-induced hearing loss claims, to the recent resurgence of interest in vicarious liability. The world of PI often acts as a microcosm of broader market and societal changes, mapping developments and drawing out issues. It is no surprise, then, that the pervasive and rapid changes inflicted on our daily lives over the last few years have been mirrored, magnified and mulled over in the personal injury arena, and the fallout is of primary concern to in-house legal teams, particularly in the insurance sector.