Privacy Law – does it apply to you and why you should care?

Privacy or data protection laws have become more stringent in recent years in response to concerns over the use of personal information. Personal information is information relating to an individual; hence, information such as company names or company switchboard numbers is not protected by privacy law.


Consequences of failing to comply

In Australia, the Notifiable Data Breaches (NDB) Scheme has significantly increased the level of fines that the Office of the Australian Information Commissioner (OAIC) can impose for breaches that are likely to result in serious harm; such a breach could now result in fines of up to $2.1 million for businesses or $420,000 for individuals.


In Europe, the General Data Protection Regulation (GDPR) also carries serious financial consequences for non-compliance: failure to comply with the GDPR could result in sanctions of 4% of global turnover or 20 million euro (whichever is higher).


It would be a mistake to think the GDPR can’t be enforced in Australia, as the OAIC has committed to cooperate internationally with regard to privacy regulation. Hence, the OAIC will likely cooperate with and assist the EU Commission and other supervisory authorities to enforce the GDPR in Australia.


Privacy Laws in Australia

In Australia, changes were made to the federal Privacy Act 1988 (Cth), which commenced on 22 February 2018. These changes created the NDB scheme, which imposes notification obligations whenever (a) personal information has been disclosed or lost, (b) such loss is deemed reasonably likely to result in serious harm to the affected individual (such harm may be psychological, emotional, physical, reputational, or another form of harm), and (c) such harm has not been prevented.


The NDB scheme requires that holders of personal information must notify any individuals affected by the breach and the Australian Information Commissioner once it becomes reasonably known that an eligible data breach has occurred. An eligible data breach may arise when there is unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals to whom the information relates, and the likely risk of serious harm has not been prevented through remedial action.


No period is specified for how soon notification has to be made, but it would be fair to assume that this should be fairly prompt once it is certain that there has been an eligible data breach. If an eligible data breach is merely suspected, it is generally expected that any assessment to ascertain whether there has indeed been an eligible data breach should be completed within 30 days.


The NDB scheme applies to the following organisations:

  • Australian Government agencies;
  • All businesses (including not-for-profit organisations) with an annual turnover of $3 million or more; and
  • The following businesses with an annual turnover of less than $3 million:

    (a) All private health service providers.

    (b) Businesses that trade in personal information.

    (c) Tax file number (TFN) recipients (however, if the annual turnover is below $3 million, then the NDB scheme will only apply in relation to TFN information); and

    (d) Businesses that hold personal information in relation to certain activities, for example, providing services to the Commonwealth under a contract.


Privacy Laws abroad

Further afield, the GDPR will come into force on 25 May 2018 and, given its broad scope, an Australian business may need to comply with the GDPR. The GDPR applies to any organisation, including those outside the European Union (EU), that collects, stores or processes personal data of any individual living in the EU (including non-citizens). Companies that have customers or clients residing in the EU should therefore ascertain whether their activities fall within the scope of the GDPR.


The GDPR has no threshold limits; hence Australian businesses that do not need to comply with the NDB scheme may nonetheless need to comply with the GDPR if they: (a) have an establishment in the EU; (b) are data processors or controllers based in the EU, or are part of an organisation with data processors or controllers based in the EU; (c) offer goods or services to people in the EU; or (d) monitor the behaviour of individuals in the EU.


Under the GDPR, an individual must be able to easily withdraw the consent given, and may further seek to have their data deleted. The company also needs to demonstrate that it has implemented appropriate technical and organisational measures to comply with the GDPR. If there is any data breach, the GDPR provides that the breach shall be notified to the data protection authority within 72 hours of the company becoming aware of it.


Both the NDB scheme and the GDPR require that a company obtain the express consent of the individual whose data is being used; such use may only be for a legitimate purpose, which should be specified when obtaining consent. Both also require transparency in information handling practices.


What should be your next step?

Apart from the fines/sanctions mentioned above, companies will likely incur additional costs in ascertaining how the breach occurred, in implementing remedial measures to prevent the breach from reoccurring, and in notifying those affected by the data breach. Apart from financial loss, it is highly likely there will also be reputational loss in the event there is a serious data breach.


As such, it is far better to be proactive: start monitoring what personal information you have access to, put in place security measures to minimise the risk of disclosure or loss of information, and set out a clear process for how data breaches should be handled and reported, should the unfortunate happen.

