Costa Rica
https://images.plurk.com/5i2vSZCKcvrCI9XPxsiSM0.jpg

----------------------------------------------
TRACEROUTE
----------------------------------------------

Start: 20 Jan 2016 13:14:07
Find route from: Sjef-van-Beerss-MacBook-Pro.local
to: images.plurk.com (190.93.241.232 [AS13335]), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes
1 192.168.42.1 (192.168.42.1 ): 5.695 12.151 5.572
2 AS1103 194.171.139.1 (194.171.139.1 ): 5.013 9.437 12.770
3 172.16.255.254 (172.16.255.254 ): 7.873 8.159 4.766
4 AS1103 ge5-0-3.2080.jnr01.asd002a.surf. (145.145.30.9 ): 7.253 23.494 16.229
5 AS1200 ams-ix.as13335.net (80.249.211.140 ): 10.025 13.207 10.138
6 AS13335 images.plurk.com (190.93.241.232 ): 9.853 11.741 9.778
Trace completed 20 Jan 2016 13:14:10

----------------------------------------------
LEGISLATION ON PERSONAL DATA
----------------------------------------------

Law

The development of data privacy regulation in Costa Rica is divided between two laws. The first is Law No. 7975, the Undisclosed Information Law, which makes it a crime to disclose confidential/personal information without authorization. The second is Law No. 8968, Protection in the Handling of the Personal Data of Individuals, which was enacted to regulate the activities of companies that administer databases containing personal information. Its scope is therefore limited.

Definition of Personal Data

Personal information contained in public or private registries (e.g. medical records) that identifies or could be used to identify a natural person. Personal information can only be disclosed to persons/entities with a "need to know" such information.

Definition of sensitive Personal Data

Personal information relating to ideological orientation, creed, sexual preferences. Sensitive personal data cannot be disclosed without express prior authorization from the data subject.

National Data Protection Authority

Pursuant to Law No. 8968, the Agency for the Protection of Individuals' Data (hereinafter the "Agency") is the entity charged with enforcing compliance with the regulation. The Constitutional Court also has jurisdiction to hear claims alleging violations of the Laws.

Registration

Under Law 8968, companies that manage databases containing personal information and that sell such personal information must register with the Agency.

Data Protection officers

There is no requirement for a data protection officer.

Collection And Processing

Any company may store and manage a database containing personal information if the following rules are respected: (i) when accumulating personal information, private companies and/or the government must respect the "sphere of privacy" to which all individuals are entitled; (ii) companies that maintain personal information about others in their databases must ensure that such information is (a) materially truthful; (b) complete; (c) accurate; and, (d) individuals have access to their personal data and must be entitled to dispute any erroneous or misleading information about them.

Companies that manage databases containing personal information and that sell such personal information must comply with Law 8968, including by (i) reporting the company and the database to the Agency, (ii) reporting the technical issues related to the security of the database, (iii) protecting and respecting confidentiality issues, (iv) securing the information they maintain, and (v) establishing a proceeding to review requests by individuals to review and amend any error or mistakes in the database.

Transfer

Transfer of personal information is authorised if: (i) data subjects give written consent; or (ii) information transferred is public.

Security

Any company or individual using and/or managing this type of information must take all necessary steps to guarantee that the information is kept in a safe environment. If security is breached because of improper management or protection, then the responsible company may be held liable, and may be subject to penalties and civil liability for any harm.

Breach notification

There is no mandatory requirement. Nonetheless, if there is a breach the entity is liable.

Enforcement

All claims can be brought directly to: (i) the entity, (ii) the Agency or (iii) the Constitutional Court.

Electronic Marketing

General rules of data protection will apply. There is little to no regulation of electronic marketing. However, pursuant to the Telecommunications Act, marketing companies may not advertise via phone unless they have express written consent from the data subject.

Online Privacy (Including Cookies And Location Data)

There has been little to no regulation in this area. However, the general rules of data protection issued by the Constitutional Court, with respect to the collection and processing of personal information, do apply.

The Netherlands
http://sjefvanbeers.nl/images/IMG_9854.JPG

----------------------------------------------
TRACEROUTE
----------------------------------------------

Start: 20 Jan 2016 14:01:43
Find route from: Sjef-van-Beerss-MacBook-Pro.local
to: sjefvanbeers.nl (141.138.168.146 [AS51696]), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes
1 192.168.42.1 (192.168.42.1 ): 5.662 5.541 4.369
2 AS1103 194.171.139.1 (194.171.139.1 ): 5.081 8.533 3.692
3 172.16.255.254 (172.16.255.254 ): 4.432 6.413 4.522
4 AS1103 ge5-0-3.2080.jnr01.asd002a.surf. (145.145.30.9 ): 7.111 9.540 9.849
5 AS1200 ae1.nikhef-ixp.openpeering.nl (80.249.208.189 ): 9.908 10.358 8.660
6 AS24785 nikhef-cr.openpeering.nl (217.170.0.241 ): 10.336 16.407 10.017
7 * * *
8 AS24785 juniper-1.nikhef.jointtransit.nl (213.207.0.225 ): 10.714 10.539 8.587
9 AS24785 jointtransit.antagonist.nl (213.207.9.92 ): 12.434 14.950 13.061
10 AS51696 sjefvanbeers.nl (141.138.168.146): 13.341 12.207 9.400
Trace completed 20 Jan 2016 14:02:01

----------------------------------------------
LEGISLATION ON PERSONAL DATA
----------------------------------------------

Law

The Netherlands implemented the EU Data Protection Directive 95/46/EC on 1 September 2001 with the Dutch Personal Data Protection Act ("Wbp"). Enforcement is through the Dutch Data Protection Authority ("College Bescherming Persoonsgegevens").

Definition of Personal Data

Any data relating to an identified or identifiable natural person.

Definition of Sensitive Personal Data

Personal data regarding a person’s religion or philosophy of life, race, political persuasion, health and sexual life, trade union membership, criminal behaviour and personal data regarding unlawful or objectionable conduct connected with a ban imposed as a result of such conduct.

National Data Protection Authority

The College Bescherming Persoonsgegevens
Juliana van Stolberglaan 4-10
2595 CL DEN HAAG

Postbox 93374
2509 AJ DEN HAAG

t 00.31.70 – 8888 500
f 00.31.70 – 8888 501

www.cbpweb.nl

Registration

Unless an exemption applies, data controllers who process personal data by automatic means must notify the College Bescherming Persoonsgegevens so that their processing of personal data may be registered and made public. Changes to the processing of personal data will require the notification to be amended.

The notification shall, inter alia, include the following information:

- name and address of the data controller;

- purpose(s) of the processing;

- data subjects or categories of data subjects;

- data or categories of data relating to these data subjects;

- recipients or categories of recipients;

- proposed transfers of personal data to countries outside the European Union; and

- a general description of the security measures the data controller is planning to take.

If any of the following changes occurs, the data controller must notify the College Bescherming Persoonsgegevens of these changes within one year after the previous notification. This concerns changes in:

- the purpose or purposes of the data processing;

- the data subjects and recipients or categories of data subjects and recipients;

- the security measures; and/or

- the intended transfers to countries outside the European Union.

However, this is only required if the changes are not of a purely incidental nature.

Also, any change to the name or address of the data controller should be notified to the College Bescherming Persoonsgegevens within one week.

Data Protection Officers

Companies, industry associations, governments and institutions can appoint a data protection officer. There is no legal requirement in the Netherlands to do so. The data protection officer ensures that processing of personal data takes place in accordance with the Wbp. The statutory duties and powers of the data protection officer give this officer an independent position within the organization.

Collection And Processing

Data controllers may collect and process personal data when any of the following conditions are met:

For collecting personal data:

Pursuant to the Wbp, a data controller may only collect personal data if he has a purpose for this.

The purpose must be:

- specified;

- explicit; and

- legitimate.

A data controller may not collect data if he has not clearly specified the purpose.

For processing personal data:

- the data subject has unambiguously given his prior consent thereto;

- the processing is necessary for the performance of a contract to which the data subject is party;

- the processing is necessary in order to comply with a legal obligation to which the data controller is subject;

- the transfer is necessary in order to protect the vital interests of the data subject;

- the transfer is necessary or legally required in order to protect an important public interest; or

- the processing is necessary for upholding the legitimate interests of the data controller or of a third party to whom the data is supplied, except where the interests or fundamental rights and freedoms of the data subject, in particular the right to protection of individual privacy, prevail.

In addition, personal data may not be further processed in a way incompatible with the purposes for which the data was collected. Whether further processing is incompatible depends on different circumstances, such as:

- the relationship between the purpose of the intended processing and the purposes for which the data was originally obtained;

- the nature of the data concerned;

- the consequences of the intended processing for the data subject;

- the manner in which the data have been obtained; and

- the extent to which appropriate guarantees have been put in place with respect to the data subject.

Also, personal data may only be processed, where, given the purposes for which they are collected or subsequently processed, they are adequate, relevant and not excessive.

Finally, the Wbp sets out strict rules in relation to sensitive data. The main rule is that such data may not be processed, unless the data subject has given its explicit consent to it.

Transfer

Transfer of a data subject's personal data to non-EU/European Economic Area countries is allowed if the countries provide "adequate protection". For transfer of data to the United States, companies which adhere to the US/EU Safe Harbor principles are deemed to offer adequate protection.

Data controllers may transfer personal data out of the European Economic Area to countries which are not deemed to offer adequate protection if any of the following exceptions apply:

- the data subject has unambiguously given its consent thereto;

- the transfer is necessary for the performance of the contract between the data controller and the data subject;

- the transfer is necessary in respect of an important public interest, or for the establishment, exercise or defence in law of any right;

- the transfer is necessary in order to protect the vital interests of the data subject;

- the transfer occurred from a register that was set up by law and can be consulted by anyone or by any person demonstrating a legitimate interest;

- the transfer is based on unchanged Model Clauses as referred to in article 26(4) of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data; or

- a permit thereto has been granted by the Minister of Justice, after consultation of the College Bescherming Persoonsgegevens. In order to obtain such a permit, certain conditions must be met. One of these conditions can be implementing Binding Corporate Rules (BCR).

BCR are internal codes of conduct regarding data privacy and security, to ensure that transfers of personal data outside the European Union will take place in accordance with the EU rules on data protection.

The use of BCRs is not obligatory. It will however bring benefits to both processors and controllers.

Once BCRs are approved they can be used by the controller and processor, thereby ensuring compliance with the EU data protection rules without having to negotiate the safeguards and conditions each and every time a contract is entered into.

Security

Data controllers and processors must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access.

Breach Notification

The Wbp does not yet provide for a data security breach notification duty.

Mandatory Breach Notification

There is no mandatory requirement in the Wbp. However, a legislative bill introduces the obligation to report such a data breach as soon as possible to the College Bescherming Persoonsgegevens. If a data breach is not reported, the College Bescherming Persoonsgegevens can impose a fine up to EUR 200,000.

Enforcement

In case of possible violations of the Wbp, the College Bescherming Persoonsgegevens can impose the following sanctions:

- Enforce an administrative order. The data controller would be forced to change its policy with immediate effect;

- Administrative fines up to a maximum of EUR 19,500 may be imposed by the Authority in case of violation of the notification duty; or

- Penal sanctions: a fine of the second category may be imposed in case of contravention of:

– the duty to designate a person or body in the Netherlands to act on behalf of parties that are not established in the European Union but make use of means situated in the Netherlands;

– the notification duties mentioned before;

– transfer of personal data to a country outside the European Union that is not considered to guarantee an adequate level of protection, or transfer without permit to those countries.

Electronic Marketing

Electronic marketing is partially regulated in Article 11.7 of the Dutch Telecommunications Act. In the context of this Article electronic marketing could be defined as SMS, e-mail, fax and similar media for the purposes of unsolicited communication related to commercial, charitable or ideal purposes without the individuals’ prior express consent.

Electronic marketing directed to corporations does not require prior consent if:

- the advertiser/electronic marketer uses electronic address data which are meant to be for this particular purpose;

- if the individual is located outside the EU, the advertiser/electronic marketer complies with the relevant rules of that particular country in this respect.

On the basis of Article 11.7, electronic marketing to individuals is in principle prohibited. If certain conditions are met, such as prior express consent, electronic marketing directly to individuals can be allowed. Furthermore, electronic marketing to individuals is also allowed if it is restricted to the marketing of existing customers and restricted to similar products/services of the advertiser/electronic marketer. In the latter case, the advertiser/electronic marketer is obliged to provide opt-out possibilities to his customers when obtaining the data from the customers and in every marketing message sent.

Online Privacy (Including Cookies And Location Data)

Traffic Data – Traffic Data is regulated in Article 11.5 of the Dutch Telecommunications Act. Traffic Data held by a public electronic communications services provider ("CSP") must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a communication. However, Traffic Data can be retained if:

- It is being used to provide a value added service; and

- Consent has been given for the retention of the Traffic Data.

Traffic Data can only be processed by a CSP for:

- The management of billing or traffic;

- Dealing with customer enquiries;

- The prevention of fraud;

- The provision of a value added service (subject to consent); or

- Market research (subject to consent).

Location Data (Traffic Data not included) – Location Data is regulated in Article 11.5a of the Dutch Telecommunications Act.

Location Data may only be processed:

- If these data are being processed in anonymous form; or

- With informed consent of the individual.

Cookie Compliance – The amended E-Privacy Directive requires the user to consent to the use of cookies. On 5 June 2012, the Netherlands implemented the E-Privacy Directive through the Dutch Telecommunications Act in Article 11.7a (hereinafter: Article 11.7a). The Independent Post and Telecommunications Authority ("OPTA") is entrusted with the enforcement of Article 11.7a.

The main rule is that the website operator needs to obtain prior consent from a user before using cookies (opt-in). It is necessary to obtain the informed agreement of website visitors to the use of cookies by way of an "I agree" button or a similar arrangement. Implicit consent is not sufficient under Dutch law. Please note that the website operator is entitled to refuse website visitors access to its website(s) if no consent is given.

The requirement to obtain prior consent from a user does not apply where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user. An example is where a user of a site has chosen the goods they wish to buy and, when the user clicks the "add to basket" or "proceed to checkout" button, the site remembers what they have chosen from the previous page. This cookie is deemed "strictly necessary" to provide the service requested by the user, so no consent to the storage of such a cookie is required.

As per 1 January 2013, the information collected through cookies is to be considered 'personal data', unless the party which places the cookies can prove otherwise. This applies only to tracking cookies, whereby the surfing behaviour of customers on several different websites is observed (and the information obtained is used for commercial purposes).

In case of violation of electronic marketing or online privacy legislation, the OPTA can impose fines up to EUR 450,000 per violation.

New Zealand
http://iforce.co.nz/i/goozn4zv.vhp.jpg

----------------------------------------------
TRACEROUTE
----------------------------------------------

Start: 20 Jan 2016 17:08:56
Find route from: Sjef-van-Beerss-MacBook-Pro.local
to: iforce.co.nz (202.68.89.154 [AS24183]), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes
1 192.168.42.1 (192.168.42.1 ): 5.732 16.744 5.573
2 AS1103 194.171.139.1 (194.171.139.1 ): 5.111 8.897 4.532
3 172.16.255.254 (172.16.255.254 ): 3.434 8.508 3.648
4 AS1103 ge5-0-3.2080.jnr01.asd002a.surf. (145.145.30.9 ): 8.936 11.580 20.902
5 linx-lon.as45177.net (195.66.226.119 ): 142.129 146.123 145.310
6 AS24183 202.174.183.242 (202.174.183.242): 329.818 338.216 274.458
7 AS24183 202.174.183.241 (202.174.183.241): 266.911 293.997 264.724
8 AS24183 v899.cr2.wlg.dtsanz.com (202.174.183.81 ): 274.586 320.876 271.078
9 AS24183 iforce.co.nz (202.68.89.154 ): 343.131 358.286 307.063
Trace completed 20 Jan 2016 17:09:31

----------------------------------------------
LEGISLATION ON PERSONAL DATA
----------------------------------------------

Law

The Privacy Act 1993 ("Act") governs how agencies collect, use, disclose, store and give access to personal information. The Act gives the Privacy Commissioner the power to issue codes of practice that modify the operation of the Act in relation to specific industries, agencies, activities or types of personal information. Codes in place as at 31 January 2013 are:

- Credit Reporting Privacy Code;

- Health Information Privacy Code;

- Justice Sector Unique Identifier Code;

- Superannuation Schemes Unique Identifier Code;

- Telecommunications Information Privacy Code; and

- Civil Defence National Emergencies (Information Sharing) Code.

Enforcement is through the Privacy Commissioner.

Definition Of Agency

"Agency" is defined under the Act as any person or body of persons, whether corporate or unincorporated, and whether in the public sector (including government departments) or the private sector. Certain bodies are specifically excluded from the definition.

Definition Of Personal Data

Personal data is "Personal information" under the Act and defined as information about an identifiable individual; and includes information relating to a death that is maintained by the Registrar General pursuant to the Births, Deaths, Marriages, and Relationships Registration Act 1995, or any former Act.

Definition Of Sensitive Personal Data

No differentiation is made between how different types of personal information are to be treated under the Act.

National Data Protection Authority

The Privacy Commissioner's Office
Level 4
109-111 Featherston Street
Wellington 6143
New Zealand

t +64 474 7590
f +64 474 7595

enquiries@privacy.org.nz
www.privacy.org.nz

Registration

There is no obligation on agencies to notify the Privacy Commissioner that they are processing personal information. However, the Privacy Commissioner may require an agency to supply information for the purpose of publishing or supplementing a directory or to enable the Commissioner to respond to public enquiries in this regard.

The Privacy Commissioner may from time to time publish a directory of personal information including:

- The nature of any personal information held by an agency;

- The purpose for which personal information is held by an agency;

- The classes of individuals about whom personal information is held by an agency;

- The period for which personal information is held by an agency;

- The individuals entitled to access personal information held by an agency and the conditions relating to such access; and

- Steps to be taken by an individual wishing to obtain access to personal information held by an agency.

Data Protection Officers

The Act requires all agencies to appoint a privacy officer. The privacy officer’s responsibilities include:

- The encouragement of compliance with personal information privacy principles;

- Dealing with requests made to the agency pursuant to the Act;

- Working with the Privacy Commissioner in relation to investigations relating to the agency; and

- Ensuring compliance with the provisions of the Act.

Collection And Processing

Subject to specific exceptions, agencies may collect, store and process personal data in accordance with any of the following 12 "Privacy Principles":

1. The personal information is needed for a lawful purpose connected with the agency’s work;

2. The personal information is collected directly from the relevant person;

3. Before the information is collected, the agency has taken reasonable steps to ensure that the person knows that the information is being collected; the purpose for which it is being collected; the intended recipients; the name and address of the agency collecting and holding the information; if the information is authorised or required by law, the applicable law and the consequences if the requested information is not provided; and that the person concerned may access and correct the personal information;

4. The personal information is not collected in an unlawful or unfair way or in a way that unreasonably invades a person’s privacy;

5. The personal information must be kept reasonably safe from being lost, accessed, used, modified or disclosed to unauthorised persons;

6. If the personal information is easily accessible, the relevant person is entitled to know whether information is held and to have access to it;

7. Where an agency holds personal information, the relevant person is entitled to request correction of the information. If the agency will not correct the information, the person may provide a statement of the correction sought to be attached to the personal information;

8. Before it is used, the agency must check the personal information is accurate, up to date, complete, relevant and not misleading;

9. The personal information may not be kept for any longer than it is needed;

10. Subject to certain exceptions, personal information collected for one purpose may not be used for another purpose;

11. An agency must not disclose personal information to another person, body or agency except in specific circumstances; and

12. An agency may only assign a unique identifier to an individual if it is needed for the agency to carry on its work efficiently and may not assign a unique identifier to an individual if the same identifier is used by another agency.

Personal information does not need to be collected directly from the relevant person if:

- The personal information is publicly available.

- The relevant person authorises collection of the personal information from someone else.

- Non-compliance would not prejudice the interests of the relevant individual.

- The personal information is being collected for a criminal investigation, enforcement of a financial penalty, protection of public revenue or the conduct of court proceedings.

- Compliance would prejudice the purpose of the collection of the personal information or is not practical in the circumstances.

- The personal information will be used in a way which will not identify the person concerned.

Transfer

An agency should not disclose personal information to another entity unless the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained. Care must be taken that all safety and security precautions are met to ensure the safeguarding of that personal information to make certain that it is not misused or disclosed to any other party.

The Privacy Commissioner is given the power to prohibit a transfer of personal information from New Zealand to another state, territory, province or other part of a country ("State") by issuing a transfer prohibition notice ("Notice") if it is satisfied that information has been received in New Zealand from one State and will be transferred by an agency to a third State which does not provide comparable safeguards to the Act, and the transfer would be likely to lead to a contravention of the basic principles of national application set out in Part Two of the OECD Guidelines, which include:

- The collection limitation principle (there should be limits to the collection of personal data);

- The data quality principle (personal data should be accurate, complete and kept up to date);

- The purpose specification principle (the purposes for which personal data are collected should be specified);

- The use limitation principle (personal data should not be used otherwise than in accordance with the purpose specification principle, except with the consent of the data subject or by authority of law);

- The security safeguards principle (personal data should be protected by reasonable security safeguards);

- The openness principle (there should be a general policy of openness about developments, practices and policies relating to personal data);

- The individual participation principle (individuals should have the right to obtain confirmation of whether a data controller holds their personal data, to have that data communicated to him/her, to be given reasons if a request for that data is denied and to be able to challenge that denial, and to challenge data relating to him/her and have that data erased, rectified, completed or amended if successful); and

- The accountability principle (a data controller should be accountable for complying with the above principles).

In considering whether to issue a Notice, the Privacy Commissioner must have regard to whether the proposed transfer of personal information affects, or would be likely to affect, any individual; the desirability of facilitating the free flow of information between New Zealand and other States; and any existing or developing international guidelines relevant to trans-border data flows.

On 19 December 2012 the European Commission issued a decision formally declaring that New Zealand law provides a standard of data protection that is adequate for the purposes of EU law. This decision means that personal data can flow from the 27 EU member states to New Zealand for processing without any further safeguards being necessary.

Security

An agency that holds personal information shall ensure that the information is kept securely and protected by such security safeguards as are reasonable in the circumstances to protect against:

- loss;

- access, use, modification or disclosure, except with the authority of the agency; and

- other misuse or unauthorised disclosure.

If it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency must be done to prevent unauthorised use or unauthorised disclosure of the information.

Breach Notification

There is no mandatory requirement in the Act to report an interference with privacy.

Any person may make a complaint to the Privacy Commissioner alleging an action is, or appears to be, an interference with the privacy of an individual. For there to be an interference with privacy, there must be a breach of the law and the breach must lead to financial loss or other injury, an adverse effect on a person’s right, benefit, privilege, obligation or interest or significant humiliation, loss of dignity or injury to a person’s feelings. There is no requirement to show harm in a complaint about access to, or correction of, personal information. An unauthorised disclosure of personal information is sufficient to breach the Act.

Enforcement

In New Zealand, the Privacy Commissioner is responsible for investigating a breach of privacy laws. The Privacy Commissioner has powers to enquire into any matter if she believes that the privacy of an individual is being, or is likely to be, infringed. The Privacy Commissioner will primarily seek to settle a complaint by conciliation and mediation. If a complaint cannot be settled in this way, a formal investigation may be conducted so that the Privacy Commissioner may form an opinion on how the law applies to the complaint. The Privacy Commissioner’s opinion is not legally binding but is highly persuasive. The Privacy Commissioner is not able to issue a formal ruling or determination and cannot begin prosecution proceedings or impose a fine.

If the Privacy Commissioner is of the opinion that there has been an interference with privacy, she may refer the matter to the Director of Human Rights who may then in turn decide to take the complaint to the Human Rights Review Tribunal. The Tribunal will hear the complaint afresh and its decision is legally binding.

Electronic Marketing

The Act does not differentiate between the collection of and use of any ‘personal information’ for electronic marketing or other forms of direct marketing.

The Unsolicited Electronic Messages Act 2007:

- prohibits unsolicited commercial electronic messages (this includes email, fax, instant messaging, mobile/smart phone text (TXT) and image-based messages of a commercial nature – but does not cover internet pop-ups or voice telemarketing) with a New Zealand link (messages sent to, from or within New Zealand);

- requires commercial electronic messages to include accurate information about who authorised the message to be sent;

- requires a functional unsubscribe facility to be included so that the recipient can instruct the sender not to send the recipient further messages; and

- prohibits using address-harvesting software to create address lists for sending unsolicited commercial electronic messages.

The Marketing Association of New Zealand has a Code of Practice for direct marketing which governs members' compliance with the principles of the Code. The Code establishes a "Do Not Call" register on which anyone who does not want to receive direct marketing can register.

Online Privacy (Including Cookies And Location Data)

Other than compliance with the Act, no additional legislation deals with the collection of location and traffic data by public electronic communications services providers or with the use of cookies (and similar technologies). The New Zealand Privacy Commissioner has general guidelines on protecting online privacy.

Russia
https://pp.vk.me/c630629/v630629176/10428/hjwd0o_LC-w.jpg

----------------------------------------------
TRACEROUTE
----------------------------------------------

Start: 20 Jan 2016 19:08:27
Find route from: Sjef-van-Beerss-MacBook-Pro.local
to: pp.vk.me (95.213.4.210 [AS47541]), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes
1 dd-wrt (192.168.1.1 ): 0.875 3.254 1.702
2 AS5524 94.142.208.65 (94.142.208.65 ): 2.704 3.258 1.010
3 AS5524 vlan109-e1-19.rtr2-arn01.breedba (46.226.56.125 ): 2.161 5.935 2.375
4 AS5524 46.226.56.118 (46.226.56.118 ): 20.726 33.948 344.602
5 AS5524 46.226.56.222 (46.226.56.222 ): 80.853 13.918 10.290
6 AS5524 vlan4001-e2-2.rtr1-hil01.breedba (46.226.56.101 ): 17.771 13.996 9.566
7 AS5524 vlan4000-e2-1.rtr2-ams01.breedba (46.226.56.49 ): 7.098 46.239 26.819
8 AS1200 ams-ix.vk.com (80.249.211.206 ): 44.993 80.852 108.434
9 AS47541 srv206-191-240-87.vk.com (87.240.191.206 ): 46.121 46.393 47.292
10 * * *
11 AS47541 pp.vk.me (95.213.4.210 ): 80.611 48.078 49.187
Trace completed 20 Jan 2016 19:08:47

----------------------------------------------
LEGISLATION ON PERSONAL DATA
----------------------------------------------

Law

Fundamental provisions of data protection law can be found in the Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the "Convention"), ratified by Russia in 2006, and in the Russian Constitution, which establishes the right to privacy of each individual (Articles 23 and 24). There is also specific legislation, including the Data Protection Act No. 152 FZ dated 27 July 2006 (the "DPA") and various regulatory Acts adopted to implement the DPA, as well as the Information, Information Technologies and Information Protection Act No. 149 FZ dated 27 July 2006, which establishes basic rules on information in general and its protection. In addition, the Russian Labour Code contains provisions on the protection of employees' personal data (Part XIV). Other laws may also contain data protection provisions which implement the DPA in relation to specific areas of state services or industries.

Definition of Personal Data

Personal data is any information that relates directly or indirectly to a specific or identifiable natural person (the data subject).

Definition of Sensitive Personal Data

Sensitive personal data is defined as special categories of personal data in Russian legislation. Such special categories include data relating to race, nationality, political opinions, religious and philosophical beliefs, state of health, intimate life and biometric data.

National Data Protection Authority

Federal Service for Supervision of Communications, Information Technologies and Mass Media or, in short, Roskomnadzor (the "Agency").

build. 2, 7, Kitaigorodskiy proezd

Moscow, 109074

t +7 495 987 6800

f +7 495 987 6801

http://www.rsoc.ru/

Registration

The Agency is in charge of maintaining the Registry of data controllers.

Any data controller shall notify the Agency in writing about its intention to process personal data, unless one of the following exclusions applies:

- The personal data is data about employees;

- The personal data was received in connection with a contract entered into with the data subject, provided that such data is not transferred without the consent of the data subject, but used only for the performance of the contract and entering into contracts with the data subject;

- The personal data is the data about members of a public or religious association and processed by such an organisation for lawful purposes in accordance with their charter documents, provided that such data is not transferred without the consent of the data subjects;

- The personal data was made publicly accessible by the data subject;

- The personal data consists of the surname, first name and patronymic only;

- The personal data is necessary in order to give single access to the premises of the data controller or for other similar purposes;

- The personal data is included in state automated information systems or state information systems created for the protection of state security and public order;

- The personal data is processed in accordance with the law without any use of automatic devices; or

- The personal data is processed in accordance with transport security legislation for the purposes of ensuring a stable and secure transport system and protecting personal, public and state interests.

The notification letter shall contain information about:

- The full name and address of the data controller;

- The purpose of the processing;

- The categories of personal data processed;

- The categories of the subjects whose personal data is processed;

- The legal grounds for processing;

- The types of processing of the personal data;

- The measures of protection of personal data;

- The name and contact details of the natural person or legal entity responsible for personal data processing;

- The commencement date;

- Information on occurrence of cross border transfer of personal data;

- The term of processing or the conditions for termination of processing the personal data; and

- Information on personal data security provision.

Data Protection Officers

If the data controller is a legal entity it shall appoint a data protection officer. Such an appointment is considered to be a personal data protection measure. The data protection officer oversees the data controller's and its employees' compliance with data protection requirements, informs them of statutory requirements and organises the receipt and handling of communications from data subjects.

Collection And Processing

Data controllers may collect and process personal data where any of the following conditions are met:

- The data subject consents;

- The processing is required by a federal law or under an international treaty;

- The processing is required for administration of justice, execution of the court order or any other statements of public officers to be executed;

- The processing is required for provision of state or municipal service;

- The data controller needs to process the data to perform or conclude a contract to which the data subject is a party, beneficiary or guarantor;

- The processing is carried out for statistical or scientific purposes (unless it is also for advertising purposes), provided that the data is depersonalised;

- The processing is necessary to protect the life, health or other vital interests of the data subject and it is impossible to obtain the data subject's consent;

- The processing is necessary to exercise the rights and legitimate interests of the data controller or of third parties, or to achieve socially significant purposes, provided that the data subject's rights and freedoms are not infringed;

- Personal data that is processed was publicly made accessible by the data subject or upon his or her request;

- The processing is carried out by a journalist or mass media as a part of its professional activities or for the purposes of scientific, literary or other creative activities, except if the processing would damage the data subject’s rights and freedoms; or

- Personal data that is processed is subject to publication or mandatory disclosure under law.

As a general rule, consent may be given in any form, but it is the data controller's obligation to prove that it has the data subject's consent. In the following cases the DPA requires that the data subject's consent be in writing:

- Where the personal data is collected to be included within publicly accessible sources;

- Where sensitive or biometrical data is processed;

- In the case of the cross border transfer of personal data, where the recipient state does not provide adequate protection of personal data; or

- Where a legally binding decision is made solely on the grounds of the automated processing of personal data.

Consent is deemed to have been given in writing where it is signed by hand or given in an electronic form and signed by an electronic signature.

Consent may be revoked.

Consent in writing must contain the following information:

- The identity of the data subject, his/her address and passport details, and the identity of the data subject's representative (if any);

- The identity and address of the data controller or the entity that processes personal data on behalf of the data controller (if any);

- The purpose of the processing;

- The list of personal data that may be collected and processed;

- The types of processing that are authorised;

- The term for which the consent remains valid and the means of revoking it; and

- The data subject’s signature.

The data controller shall ensure the confidentiality of personal data. The data controller, and any other person who has access to the personal data, shall not disclose it to a third party without the prior consent of the data subject.

Transfer

Prior to a transfer of personal data out of Russia, the data controller must ensure that the recipient state provides adequate protection of personal data. The fact that the recipient state ratified the Convention is sufficient grounds to deem that the state provides adequate protection of personal data for the purposes of the DPA.

Where there is no adequate protection of personal data, a cross border transfer is permitted if one of the following conditions is met:

- The data subject consents;

- The transfer is provided for under an international treaty to which Russia is a signatory;

- The transfer is necessary in accordance with federal laws for protection of the Constitution, state defence, security and transport system;

- The transfer is necessary for the performance of a contract to which the data subject is a party; or

- The transfer protects the data subject's vital interests where it is not possible to obtain the written consent of the data subject.

Security

Data controllers must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, alteration, blocking or destruction of, or damage to, personal data. Recent regulations specify the measures a data controller must take to ensure the security of personal data, data systems, biometric data carriers and related technologies.

Breach Notification

There is no mandatory requirement to report data security breaches or losses to the Agency or to data subjects.

Enforcement

In Russia, the Agency is responsible for the enforcement of the DPA.

The Agency is entitled to:

- Carry out checks;

- Consider complaints from data subjects;

- Require the submission of necessary information about personal data processing by the data controller;

- Require the data controller or processor to take the actions prescribed by law, including discontinuing the processing of personal data;

- File court actions;

- Initiate criminal cases; and

- Impose administrative liability.

If the Agency becomes aware that a data controller is in violation of the law, it can serve an enforcement notice requiring the data controller to rectify the position.

A data controller can face civil, administrative or criminal liability if there is a violation of personal data law. Officers of the data controller responsible for the offence may face disciplinary action.

Usually, in the case of violation of data protection law, the Agency will serve an enforcement notice requiring the position to be rectified and may also impose an administrative penalty and/or recommend imposing disciplinary action on the officers of the data controller who are responsible for the offence.

The maximum administrative penalty that can be imposed, as at the date of this review, is EUR 10,000. There has recently been much discussion about dramatically increasing the administrative penalty.

Electronic Marketing

Electronic marketing activities are subject to limitations set by the Russian Law on Advertising No. 38-FZ dated 13 March 2006 ("AA"), under which the distribution of advertising through telecommunications networks, in particular, through the use of telephone, facsimile and mobile telephone communications, is allowed only subject to preliminary consent of a subscriber or addressee to receive advertising.

Advertising is presumed to have been distributed without the preliminary consent of the subscriber or addressee unless the advertising distributor can prove that such consent was obtained. The advertising distributor must immediately stop distributing advertising to any person who demands that it stop.

Online Privacy (Including Cookies And Location Data)

Russian law does not specifically regulate online privacy. The definition of personal data under the DPA is rather broad, and there are views that information on the number and length of visits to particular websites and the IP address (in combination with other data allowing the user to be identified) could be considered personal data.

South Korea
http://cythumb.cyworld.com/810x0/cyimg44.cyworld.com/common/file_down.asp?redirect=%2F440020%2F2016%2F1%2F19%2F57%2FCyHome_1351453158017344_871.JPG

----------------------------------------------
TRACEROUTE
----------------------------------------------

Start: 20 Jan 2016 15:37:55
Find route from: Sjef-van-Beerss-MacBook-Pro.local
to: cythumb.cyworld.com (211.234.243.232 [AS4792]), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes
1 192.168.100.1 (192.168.100.1 ): 0.536 0.549 0.377
2 AS1103 ge5-0-3.2080.jnr01.asd002a.surf. (145.145.30.9 ): 22.678 3.933 3.607
3 AS1200 www.skbroadband.com (80.249.211.90 ): 233.021 232.694 232.926
4 AS9318 39.115.132.86 (39.115.132.86 ): 271.400 268.693 271.702
5 AS9318 58.229.14.130 (58.229.14.130 ): 267.912 267.344 267.750
6 AS9318 58.229.92.198 (58.229.92.198 ): 268.003 268.528 268.544
7 AS18302 cythumb.cyworld.com (219.253.3.34 ): 268.430 268.719 268.710
Trace completed 20 Jan 2016 15:38:48
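The two traces above (to pp.vk.me and to cythumb.cyworld.com) are raw reports. As an added example, not part of the original page, here is a small Python parser for hop lines in that format which extracts the AS path, flags private-address hops that carry no AS number, and finds the hop with the largest jump in median round-trip time, which on traces like these is usually the exchange-point or long-haul hop where traffic leaves the local network. The sample input is constructed from hop lines of the page's own trace to pp.vk.me; the names HOP_RE, Hop, parse_trace, as_path and largest_latency_jump are this example's own.

```python
import ipaddress
import re
import statistics
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: hop lines copied from the page's trace to pp.vk.me
# (hops 4-7, all inside AS5524, are omitted to keep the sample short).
SAMPLE_TRACE = """\
1 dd-wrt (192.168.1.1 ): 0.875 3.254 1.702
2 AS5524 94.142.208.65 (94.142.208.65 ): 2.704 3.258 1.010
3 AS5524 vlan109-e1-19.rtr2-arn01.breedba (46.226.56.125 ): 2.161 5.935 2.375
8 AS1200 ams-ix.vk.com (80.249.211.206 ): 44.993 80.852 108.434
9 AS47541 srv206-191-240-87.vk.com (87.240.191.206 ): 46.121 46.393 47.292
10 * * *
11 AS47541 pp.vk.me (95.213.4.210 ): 80.611 48.078 49.187
"""

# One hop line: "<n> [AS<asn>] <host> (<ip> ): <rtt> <rtt> <rtt>".
# The AS tag is absent on private or otherwise unannounced hops.
HOP_RE = re.compile(
    r"^(?P<hop>\d+)\s+(?:AS(?P<asn>\d+)\s+)?(?P<host>\S+)\s+"
    r"\((?P<ip>[0-9.]+)\s*\):\s*(?P<rtts>.*)$"
)
# A hop that never answered: "<n> * * *".
TIMEOUT_RE = re.compile(r"^(?P<hop>\d+)\s+(\*\s*)+$")


@dataclass
class Hop:
    number: int
    asn: Optional[int] = None        # None for private space or a timed-out hop
    host: Optional[str] = None
    ip: Optional[str] = None
    rtts: List[float] = field(default_factory=list)

    @property
    def timed_out(self) -> bool:
        return self.ip is None

    @property
    def private(self) -> bool:
        # RFC 1918, loopback and link-local addresses never carry an AS number.
        return self.ip is not None and ipaddress.ip_address(self.ip).is_private

    @property
    def median_rtt(self) -> Optional[float]:
        return statistics.median(self.rtts) if self.rtts else None


def parse_trace(text: str) -> List[Hop]:
    """Parse the hop lines of a traceroute report, ignoring header/footer lines."""
    hops: List[Hop] = []
    for line in text.splitlines():
        line = line.strip()
        m = HOP_RE.match(line)
        if m:
            rtts = [float(x) for x in m.group("rtts").split() if x != "*"]
            asn = int(m.group("asn")) if m.group("asn") else None
            hops.append(Hop(int(m.group("hop")), asn, m.group("host"), m.group("ip"), rtts))
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            hops.append(Hop(int(m.group("hop"))))
    return hops


def as_path(hops: List[Hop]) -> List[int]:
    """Distinct ASNs traversed, in order, with consecutive repeats collapsed."""
    path: List[int] = []
    for h in hops:
        if h.asn is not None and (not path or path[-1] != h.asn):
            path.append(h.asn)
    return path


def largest_latency_jump(hops: List[Hop]) -> Optional[int]:
    """Hop number whose median RTT rises most over the previous responding hop.

    Timed-out hops are skipped, so the comparison is always against the last
    hop that actually answered.
    """
    best_hop, best_jump, prev = None, 0.0, None
    for h in hops:
        if h.median_rtt is None:
            continue
        if prev is not None and h.median_rtt - prev > best_jump:
            best_hop, best_jump = h.number, h.median_rtt - prev
        prev = h.median_rtt
    return best_hop


if __name__ == "__main__":
    hops = parse_trace(SAMPLE_TRACE)
    print("AS path:", " -> ".join(f"AS{a}" for a in as_path(hops)))
    print("private hops:", [h.number for h in hops if h.private])
    print("largest RTT jump at hop:", largest_latency_jump(hops))
```

On the constructed sample the AS path is AS5524 -> AS1200 -> AS47541, hop 1 is the only private hop, and the largest latency jump lands on hop 8, the AMS-IX hop, which matches what the full trace shows by eye. The same parser handles the cythumb.cyworld.com trace, where the jump falls on the AS1200 hop toward skbroadband.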

----------------------------------------------
LEGISLATION ON PERSONAL DATA
----------------------------------------------

Law

In the past, South Korea did not have a comprehensive law governing data privacy. However, a new law relating to protection of personal information (Personal Information Protection Act, "PIPA") was enacted and became effective as of 30 September 2011.

Moreover, there is sector specific legislation such as:

- The Act on Promotion of Information and Communication Network Utilization and Information Protection ("IT Network Act") which regulates the collection and use of personal information by IT Service Providers, defined as telecommunications business operators under Article 2.8 of the Telecommunications Business Act; and other persons who provide information or intermediate the provision of information for profit by utilizing services rendered by a telecommunications business operator;

- The Use and Protection of Credit Information Act ("UPCIA") which regulates the use and disclosure of Personal Credit Information, defined as credit information necessary to determine the credit rating, credit transaction capacity, etc. of an individual. The UPCIA primarily applies to Credit Information Providers/Users, defined under Article 2.7 of the UPCIA as persons (entities) prescribed by Presidential Decree who provide any third party with credit information obtained or produced in relation to their own business for purposes of commercial transactions, such as financial transactions with customers, or who are continuously supplied with credit information by a third party for use in their own business; and

- The Act on Real Name Financial Transactions and Guarantee of Secrecy ("ARNFTGS") which applies to information obtained by financial or financial services institutions.

Under PIPA, except as otherwise provided for in any other Act, the protection of personal information shall be governed by the provisions of PIPA.

Definition of Personal Data

Under PIPA, Personal Data is information pertaining to a living individual which identifies a specific person by name, national identification number, image or other similar information (including information that does not, by itself, make it possible to identify a specific person but that enables the recipient to easily identify that person when combined with other information).

Under the IT Network Act, Personal Data is information pertaining to a living individual which identifies a specific person by name, national identification number or similar, in the form of a code, letters, voice, sound, image or any other form (including information that does not, by itself, make it possible to identify a specific person but that enables such person to be easily identified when combined with other information). The relevant Korean authorities' understanding is that the construction of Personal Data under PIPA and under the IT Network Act is the same despite subtle differences in wording.

Definition Of Sensitive Personal Data

Under PIPA, Sensitive Data is defined as Personal Data consisting of information relating to a living individual’s: (i) thoughts; (ii) history regarding membership in a political party or labor union; (iii) political views; (iv) health care and sexual life; and (v) other Personal Data stipulated under the Enforcement Decree (the Presidential Decree) which is anticipated to otherwise intrude seriously upon the privacy of the person.

The Enforcement Decree of PIPA includes genetic information and criminal records as Sensitive Personal Data. The IT Network Act has a similar definition.

National Data Protection Authority

The Minister of Public Administration and Security (the "MOPAS") is in charge of the execution of PIPA.

The Korea Communications Commission (the "KCC") is in charge of the execution of the IT Network Act.

Registration

Under PIPA, a public institution which manages a Personal Data file (collection of Personal Data) shall register the following with the MOPAS: (a) name of the Personal Data file; (b) basis and purpose of operation of the Personal Data file; (c) items of Personal Data which are recorded in the Personal Data file; (d) the method to process Personal Data; (e) period to retain Personal Data; (f) person who receives Personal Data generally or repeatedly; and (g) other matters prescribed by Presidential Decree. A "public institution" in this context refers to any government agency or institution.

The Presidential Decree of PIPA stipulates that the following must also be registered with MOPAS:

- the name of the institution which operates the Personal Data file;

- the number of data subjects whose Personal Data is included in the Personal Data file;

- the department of the institution in charge of Personal Data processing;

- the department of the institution handling data subjects' requests for inspection of Personal Data; and

- the scope of Personal Data whose inspection can be restricted or refused, and the grounds therefor.

Only "public institutions" are required to register before the MOPAS.

Data Protection Officers

Under PIPA, every Data Handler (meaning any government entity, company, individual or other person that, directly or through a third party, handles Personal Data in order to manage Personal Data files for work purposes) must designate a data protection officer.

Under the IT Network Act, every IT Service Provider must designate a director or the chief officer of the department in charge of handling Personal Data as its data protection officer. Pursuant to the Presidential Decree of the IT Network Act, for an IT Service Provider with fewer than five employees the owner or representative director is the person in charge.

Collection And Processing

If a Data Handler under PIPA or an IT Service Provider under the IT Network Act intends to collect Personal Data from a data subject or IT service user, it must:

- first notify the data subject or IT service user of the information stipulated under the law; and

- obtain the data subject's or IT service user's prior consent to such collection, except in the cases stipulated under the law.

If a Data Handler under PIPA intends to collect Sensitive Personal Information, the consent must be separately obtained.

Under the newly amended IT Network Act, which became effective as of 18 August 2012, an IT Service Provider shall not collect a Resident Registration number (equivalent to Social Security number in the United States), unless (i) the IT Service Provider is designated as an identification institution by the KCC; or (ii) there exist special provisions under any other laws or Notification of the KCC.

Under PIPA, prior to obtaining the prerequisite consent for collecting Personal Data from a data subject, a Data Handler must notify the data subject of (a) the purpose of collection and use of the Personal Data, (b) the items of Personal Data to be collected, (c) the period of possession and use of the Personal Data, and (d) the fact that the data subject has the right to refuse consent and the consequences of refusing.

Under the IT Network Act, prior to obtaining prerequisite consent for collecting Personal Data from IT service user, an IT Service Provider must notify the IT service user of (a) the purpose of collection and use of Personal Data, (b) items of Personal Data to collect and (c) time period for possession and use of Personal Data.

When a certain business transfer occurs, the Data Handler or IT service provider, must provide its data subjects or IT service users a chance to opt out by providing a notice, including items of: (a) the expected occurrence of Personal Data transfers; (b) the contact information of the recipient of the Personal Data, including the name, address, telephone number and other contact details of the recipient; and (c) the means and process by which the data subject or IT service user may refuse to consent to the transfer of Personal Data.

If the data subject or IT service user is under 14, the consent of his/her legal guardian must be obtained.

As a general rule, a Data Handler under PIPA or an IT Service Provider under the IT Network Act may not handle Personal Data beyond the scope necessary for the achievement of the Purpose of Use without obtaining the prior consent of the data subject or IT service user. This general rule also applies where a Data Handler or IT Service Provider acquires Personal Data as a result of a merger or acquisition.

Exceptions to the general rule above apply in the following cases under PIPA:

- Where there exist special provisions in any Act or it is inevitable to fulfil an obligation imposed by or under any Act and subordinate statute;

- Where it is inevitable for a public institution to perform its affairs provided for in any Act and subordinate statute, etc.;

- Where it is inevitably necessary for entering into and performing a contract with a subject of Personal Data;

- Where it is deemed obviously necessary for the physical safety and property interests of a subject of Personal Data or a third person when the subject of Personal Data or his/her legal representative cannot give prior consent because he/she is unable to express his/her intention or by reason of his/her unidentified address, etc.; and

- Where it is necessary for a Data Handler to realise his/her legitimate interests and this obviously takes precedence over the rights of a subject of Personal Data. In such cases, this shall be limited to cases where such data is substantially relevant to a Data Handler’s legitimate interests and reasonable scope is not exceeded.

Exceptions to the general rule above apply in the following cases under the IT Network Act:

- If the Personal Data is necessary in performing the contract on provision of IT services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason;

- If it is necessary in settling the payment for charges on the IT services rendered; and

- If a specific provision exists in this Act or any other Act.

Under the ARNFTGS, financial institutions must obtain written consent for the disclosure of an individual’s information relating to his/her financial transactions.

Transfer

As a general rule, a Data Handler or an IT Service Provider may not provide Personal Data to a third party without obtaining the prior opt in consent of the data subject or IT service user.

Exceptions to the general rule above apply in the following cases under PIPA:

- Where there exist special provisions in any Act or it is necessary to fulfil an obligation imposed by or under any Act and subordinate statute;

- Where it is necessary for a public institution to perform its affairs provided for in any Act and subordinate statute, etc.; and

- Where it is deemed obviously necessary for physical safety and property interests of a subject of Personal Data or a third person when the subject of Personal Data or his/her legal representative cannot give prior consent because he/she is unable to express his/her intention or by reason of his/her unidentified address, etc.

Exceptions to the general rule above apply under IT Network Act if a specific provision exists in this Act or any other act otherwise.

Under PIPA, a Data Handler must obtain consent after it notifies the data subject of (a) the person (entity) to whom the Personal Data is furnished, (b) purpose of use of the Personal Data by the person (entity), (c) types of Personal Data furnished, (d) period of time during which the person (entity) will possess and use the Personal Data and (e) the fact that the data subject has the right to refuse to consent and the consequences of refusing.

Under the IT Network Act, an IT Service Provider must notify the IT service user of (a) the person (entity) to whom the Personal Data is furnished, (b) purpose of use of the Personal Data by the person (entity), (c) types of Personal Data furnished and (d) period of time during which the person (entity) will possess and use the Personal Data, and then obtain consent from the IT service user.

The UPCIA stipulates that prior to obtaining the prerequisite consent for providing Personal Credit Information to any other person, a Credit Information Provider/User must notify the credit information subject of (a) the person (entity) to whom the credit information will be furnished; (b) the purpose of use of the Personal Credit Information by the person (entity); (c) the types of Personal Credit Information to be furnished; and (d) the period of time during which the person (entity) will possess and use the Personal Credit Information.

Exceptions to the general rule above apply in the following cases under the UPCIA:

- Where a Credit Information Company as defined under the Article 2.5 of the UPCIA provides such information for the purpose of performing central management and utilization thereof with another Credit Information Company or Credit Information Collection Agency as defined under the Article 2.6 of the UPCIA;

- Where such provision is required to perform a contract, and to entrust the processing of credit information under Article 17.2 of the UPCIA;

- Where the relevant Personal Credit Information is provided as part of rights and obligations that are transferred by way of business transfer, division, merger, etc.;

- Where Personal Credit Information is provided for a person who uses the information for purposes prescribed by Presidential Decree, including claims collection (applicable only to the credit which is an object of collection), license and authorization, determination of a company’s credit worthiness, and transfer of securities;

- Where Personal Credit Information is provided in accordance with a court order for submission thereof or a warrant issued by a judicial officer;

- Where such information is provided upon the request of a prosecutor or judicial police officer, in the event of occurrence of an emergency where a victim’s life is in danger or he/she is expected to suffer bodily injury, etc., so that no time is available to issue a judicial warrant;

- Where such information is provided as the head of a competent government office requests, in writing, for the purpose of inquiry and examination in accordance with any laws pertaining to taxes or demands the taxation data required to be provided in accordance with such laws pertaining to taxes;

- Where Personal Credit Information held by a financial institution is provided to a foreign financial supervisory body in accordance with international conventions, etc.; and

- Where such information is otherwise provided in accordance with other laws.

Under the ARNFTGS, financial institutions must obtain written consent for the transfer of an individual's information relating to his/her financial transactions to a third party.

Security

Under PIPA and IT Network Act, every Data Handler or IT Service Provider must, when it handles Personal Data of data subject or IT service user, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, alteration, or destruction of Personal Data:

- establishment and implementation of an internal control plan for handling Personal Data in a safe way;

- installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to Personal Data;

- measures for preventing fabrication and alteration of access records;

- security measures, including encryption technology and other methods, for the safe storage and transmission of Personal Data;

- measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; and

- other protective measures necessary for securing the safety of Personal Data.

Breach Notification

Under PIPA, if a breach of Personal Data occurs the Data Handler must notify the data subjects without delay of the details and circumstances and of the remedial steps planned. If the number of affected data subjects exceeds 10,000, the Data Handler must immediately report the notification given to data subjects, and the result of the measures taken, to MOPAS, the Korea Internet & Security Agency (the "KISA") or the National Information Society Agency (the "NIA").

Under the IT Network Act, an IT Service Provider must, if it discovers an occurrence of intrusion:

- immediately report it to the KCC or the KISA; and

- analyse the causes of the intrusion and prevent the damage from spreading.

The KCC may, if deemed necessary for analyzing causes of an intrusion, order an IT Service Provider to preserve relevant data, such as access records of the relevant information and communications network.

Under the newly amended IT Network Act, which became effective as of 18 August 2012, if a loss, theft or leakage of Personal Data occurs, the IT Service Provider must notify the IT Service user and report to the KCC without delay of the details and circumstances, and the remedial steps planned.

Enforcement

The competent authorities may request reports on the handling of Personal Data, and also may issue recommendations or orders if a Data Handler or IT Service Provider violates PIPA or the IT Network Act. Non compliance with a request or violation of an order can result in fines, imprisonment, or both.

Under the IT Network Act, an IT Service Provider who collected Personal Data without the consent of the relevant user is subject to imprisonment for not more than 5 years or a fine not exceeding KRW 50 million.

The IT Network Act does not prohibit the transmission of advertisements over a network, including by electronic mail, but it gives individuals the right to prevent the processing of their personal data for electronic marketing purposes (a right to "opt out"). An IT Service Provider who intends to transmit an advertisement over an information and communications network must specify the following information in the advertisement:

- The type and main contents of the transmitted information;

- The name and contact information of the sender;

- The source from which the electronic mail address was collected (applicable only when transmitted by electronic mail); and

- Matters concerning the measures and method by which the addressee can express his intention to decline reception of the information easily.

A person who intends to transmit an advertisement by telephone (including SMS text messages) or facsimile must obtain the prior consent of the addressee (an "opt in"), unless (a) the person, having collected the addressee’s contact information directly through a transaction of goods, etc., intends to transmit to the addressee advertising information for profit concerning the goods, etc. offered by that person, or (b) the advertising information falls under the definition of an advertisement under the Act on the Consumer Protection in Electronic Commerce Transactions, etc. or of a soliciting telephone call under the Door-to-Door Sales, etc. Act. A person who intends to transmit an advertisement by telephone or facsimile must specify the following information:

- The name and contact information of the sender; and

- Matters concerning the measures and method by which the recipient can easily express his intention to revoke his consent to receive the information.

A person who transmits an advertisement shall not take any of the following technical measures:

- A measure to avoid or impede the addressee’s denial of reception of the advertising information or the revocation of his consent to receive such information;

- A measure to generate an addressee’s contact information, such as telephone number and electronic mail address, automatically by combining figures, codes, or letters;

Online Privacy (Including Cookies And Location Data)

Cookies, logs, IP addresses and similar data are also regulated by the IT Network Act as personal data where, combined with other information, they enable a specific individual to be identified easily. Under the IT Network Act, cookies (and web beacons) may be used on an opt-out basis, and the privacy policy must publicise the matters concerning the installation, operation and opt-out process for automated means of collecting personal information, such as cookies, logs and web beacons.

The protection of location information is governed by the provisions of the Act on the Protection, Use, etc. of Location Information (the "LBS Act").

Under the LBS Act, any person who intends to collect, use or provide the location information of a person or mobile object shall obtain the prior consent of the person or the owner of the object, unless (a) there is a request for emergency relief or the issuance of a warning by an emergency rescue and relief agency; (b) there is a request by the police for the rescue of a person whose life or physical safety is in immediate danger; or (c) there exist special provisions in any Act.

Under the LBS Act, any person (entity) who intends to provide services based on location information (a "Location-based Service Provider") shall report to the KCC. Further, any person (entity) who intends to collect location information and provide the collected location information to Location-based Service Providers (a "Location Information Provider") shall obtain a license from the KCC.

If a Location Information Provider intends to collect personal location information, it must specify the following information in its service agreement, and obtain the consent of the subjects of personal location information.

- Name, address, phone number and other contact information of the Location Information Provider;

- Rights held by the subjects of personal location information and their legal agents, and methods of exercising the rights;

- Details of the services the Location Information Provider intends to provide to Location-based Service Providers;

- Grounds for and period of retaining data confirming the collection of location information; and

- Methods of collecting location information.

If a Location-based Service Provider intends to provide a location-based service by utilising personal location information provided by a Location Information Provider, it must specify the following information in its service agreement, and obtain the consent of the subjects of personal location information:

- Name, address, phone number and other contact information of the Location-based Service Provider;

- Rights held by the subjects of personal location information and their legal agents, and methods of exercising the rights;

- Details of the Location-based Services;

- Grounds for and period of retaining data confirming the use and provision of location information; and

- Matters concerning notifying the personal location information subject of the provision of location information to a third party, as below.

If a Location-based Service Provider intends to provide location information to a third party, in addition to the above it must notify the subjects of personal location information of the third party who will receive the location information and the purpose of the provision.

United States
http://i.imgur.com/2c3IqdG.jpg

----------------------------------------------
TRACEROUTE
----------------------------------------------

Start: 20 Jan 2016 16:16:56
Find route from: Sjef-van-Beerss-MacBook-Pro.local
to: i.imgur.com (185.31.19.193 [AS54113]), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes
1 192.168.16.1 (192.168.16.1 ): 1.177 3.150 1.256
2 * * *
3 172.16.255.254 (172.16.255.254 ): 10.713 6.616 4.326
4 AS1103 ge5-0-3.2080.jnr01.asd002a.surf. (145.145.30.9 ): 30.862 10.231 7.501
5 AS3257 xe-10-0-1.ams12.ip4.gtt.net (77.67.72.109 ): 9.774 9.914 9.804
6 AS3356 ae10.edge3.amsterdam.level3.net (4.68.70.97 ): 10.530 13.165 9.875
7 AS3356 ae-237-3613.edge6.london1.level3 (4.69.166.81 ): 16.656 17.420 17.084
8 AS3356 ae-237-3613.edge6.london1.level3 (4.69.166.81 ): 16.923 17.170 16.975
9 * * *
10 AS54113 i.imgur.com (185.31.19.193 ): 19.851 19.147 15.824
Trace completed 20 Jan 2016 16:17:30
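The trace above reads as a list of hops, but the question this page pairs it with is which network, and so which jurisdiction's data protection law, actually answers a request for the image. The parser below is added here as an example; it is not part of the original page or of any traceroute tool. It extracts the destination from the "to:" header, the per-hop AS numbers, the hops that never replied, and the best round-trip time to the final hop. The sample input is the i.imgur.com trace copied verbatim from above; the regular expressions assume that exact "ttl [ASn] host (ip ): rtt rtt rtt" layout and will not match other traceroute variants.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# The i.imgur.com trace copied verbatim from this page, used as sample input.
SAMPLE_TRACE = """\
Start: 20 Jan 2016 16:16:56
Find route from: Sjef-van-Beerss-MacBook-Pro.local
to: i.imgur.com (185.31.19.193 [AS54113]), Max 30 hops, 40 byte packets
Host Names truncated to 32 bytes
1 192.168.16.1 (192.168.16.1 ): 1.177 3.150 1.256
2 * * *
3 172.16.255.254 (172.16.255.254 ): 10.713 6.616 4.326
4 AS1103 ge5-0-3.2080.jnr01.asd002a.surf. (145.145.30.9 ): 30.862 10.231 7.501
5 AS3257 xe-10-0-1.ams12.ip4.gtt.net (77.67.72.109 ): 9.774 9.914 9.804
6 AS3356 ae10.edge3.amsterdam.level3.net (4.68.70.97 ): 10.530 13.165 9.875
7 AS3356 ae-237-3613.edge6.london1.level3 (4.69.166.81 ): 16.656 17.420 17.084
8 AS3356 ae-237-3613.edge6.london1.level3 (4.69.166.81 ): 16.923 17.170 16.975
9 * * *
10 AS54113 i.imgur.com (185.31.19.193 ): 19.851 19.147 15.824
Trace completed 20 Jan 2016 16:17:30
"""

# Layout assumed from the page: a "to: host (ip [ASn]), ..." header, then one
# "ttl [ASn] host (ip ): rtt rtt rtt" line per hop, or "ttl * * *" for a silent hop.
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
HEADER_RE = re.compile(rf"^to:\s+(\S+)\s+\(({_IP})\s+\[(AS\d+)\]\)")
HOP_RE = re.compile(
    rf"^(\d+)\s+(?:(AS\d+)\s+)?(\S+)\s+\(({_IP})\s*\):\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)$"
)
SILENT_RE = re.compile(r"^(\d+)\s+\*\s+\*\s+\*$")


@dataclass
class Hop:
    ttl: int
    asn: Optional[str]      # None for silent hops and for hops the tool did not tag (private space here)
    host: Optional[str]
    ip: Optional[str]
    rtts_ms: list[float] = field(default_factory=list)

    @property
    def silent(self) -> bool:
        return self.ip is None


@dataclass
class Trace:
    target: str
    target_ip: str
    target_asn: str
    hops: list[Hop]


def parse_trace(text: str) -> Trace:
    """Parse one traceroute report in the page's format into a Trace."""
    target = target_ip = target_asn = None
    hops: list[Hop] = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            target, target_ip, target_asn = m.groups()
        elif (m := SILENT_RE.match(line)):
            hops.append(Hop(int(m.group(1)), None, None, None))
        elif (m := HOP_RE.match(line)):
            ttl, asn, host, ip, *rtts = m.groups()
            hops.append(Hop(int(ttl), asn, host, ip, [float(r) for r in rtts]))
        # "Start:", "Find route from:" and "Trace completed" lines carry no hop data.
    if target is None:
        raise ValueError("no 'to:' header line found; not a trace in the expected format")
    return Trace(target, target_ip, target_asn, hops)


def as_path(trace: Trace) -> list[str]:
    """Distinct AS numbers in hop order, collapsing consecutive hops inside one AS."""
    path: list[str] = []
    for hop in trace.hops:
        if hop.asn and (not path or path[-1] != hop.asn):
            path.append(hop.asn)
    return path


def reached_target(trace: Trace) -> bool:
    """True when the last hop that replied is the destination IP from the header."""
    responding = [h for h in trace.hops if not h.silent]
    return bool(responding) and responding[-1].ip == trace.target_ip


def silent_hops(trace: Trace) -> list[int]:
    """TTLs that returned nothing (ICMP filtered, or a router rate-limiting replies)."""
    return [h.ttl for h in trace.hops if h.silent]


def final_rtt_ms(trace: Trace) -> float:
    """Best-of-three RTT to the destination: the floor set by distance, not by queueing."""
    last = trace.hops[-1]
    if last.silent:
        raise ValueError("destination did not respond")
    return min(last.rtts_ms)


if __name__ == "__main__":
    t = parse_trace(SAMPLE_TRACE)
    print(f"{t.target} ({t.target_ip}) is announced by {t.target_asn}")
    print("AS path:", " -> ".join(as_path(t)), "| silent hops:", silent_hops(t))
    print(f"reached: {reached_target(t)}, best RTT to target: {final_rtt_ms(t):.3f} ms")
```

Run stand-alone it reports the AS path AS1103 -> AS3257 -> AS3356 -> AS54113, silent hops 2 and 9, and a best RTT of about 16 ms to the destination. Note what the trace can and cannot tell you: the final hop belongs to AS54113 and sits under 20 ms from a Dutch vantage point, which is too close for a transatlantic path, so the request is being answered by a nearby edge node; which country's law governs the data held behind that edge is not something the routing alone settles.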

----------------------------------------------
LEGISLATION ON PERSONAL DATA
----------------------------------------------

Law

The United States has about 20 sector specific or medium specific national privacy or data security laws, and hundreds of such laws among its 50 states. (California alone has more than 25 state privacy and data security laws.) These laws address particular problems or industries. They are too diverse to summarize fully in this volume.

In addition, the large range of companies regulated by the Federal Trade Commission ("FTC") are subject to enforcement if they engage in materially unfair or deceptive trade practices. The FTC has used this authority to pursue companies that fail to implement minimal data security measures or fail to live up to promises made in their privacy policies.

Definition Of Personal Data

Varies widely by regulation.

Definition Of Sensitive Personal Data

Varies widely by regulation.

National Data Protection Authority

No official national authority. However, the FTC has jurisdiction over most commercial entities and has authority to issue and enforce privacy regulations in specific areas (e.g. for telemarketing, spamming and children's privacy). The FTC uses its general authority to prevent unfair and deceptive trade practices to bring enforcement actions against inadequate data security measures and inadequately disclosed information collection, use and disclosure practices.

State Attorneys General typically have similar authority and bring some enforcement actions.

In addition, a wide range of sector regulators, particularly those in the health care and financial services sectors, have authority to issue and enforce privacy regulations.

Registration

There is no requirement to register databases.

Data Protection Officers

With the exception of entities regulated by HIPAA, there is no requirement to appoint a data protection officer, although appointment of a chief privacy officer and an IT security officer is a best practice among larger organisations.

Collection And Processing

US privacy laws and self-regulatory principles vary widely, but generally require pre-collection notice and an opt out for use and disclosure of regulated personal information.

Opt in rules apply in special cases involving information that is considered sensitive under US law, such as health information, use of credit reports, personal information collected online from children under 13 (see below for the scope of this requirement), video viewing choices, and telecommunication usage information. The FTC treats it as a "deceptive trade practice" for a company to put personal information to materially different uses, or to disclose it, without opt in consent, where those uses or disclosures were not described in the privacy policy under which the personal information was collected.

States impose a wide range of specific requirements, particularly in the employee privacy area.

The US regulates marketing communications extensively, including telemarketing, fax marketing and email marketing (which is discussed below).

Transfer

No geographic transfer restrictions apply in the US, except with regard to accountants transferring tax preparation materials. The Commerce Clause likely bars US states from imposing data transfer restrictions, and there are no other such restrictions in US national laws.

By contrast, some European data protection authorities take the position that personal data transferred to the United States under the US EU Safe Harbor principles may not be transferred outside the US without another valid legal basis.

Security

Most US businesses are required to take reasonable technical, physical and organizational measures to protect the security of sensitive personal information (e.g. health or financial information, telecommunications usage information, or information that would require security breach notification). A few states have enacted laws imposing more specific security requirements for data elements that trigger security breach notice requirements. For example, Massachusetts has enacted regulations which apply to any company that collects or maintains sensitive personal information on Massachusetts residents. Among other things, the Massachusetts regulations require regulated entities to have a comprehensive, written information security program; the regulations also set forth the minimum components of such a program. HIPAA regulated entities have much more extensive data security requirements, and some states impose further security requirements (e.g. for payment card data, for social security numbers, or to employ secure data destruction methods). HIPAA security regulations apply to so-called "covered entities" such as doctors, hospitals, insurers, pharmacies and other health-care providers, as well as their "business associates", which include service providers who have access to, process, store or maintain any protected health information on behalf of a covered entity.

Breach Notification

Security breach notification requirements are a US invention. 46 US states and most US territories require notifying state residents of a security breach involving residents’ names plus a sensitive data element – typically a social security number, other government ID number, or credit card or account number in combination with any security code or password that would permit access to a financial account. Notice of larger breaches is typically required to be provided to credit bureaus, in a minority of states to State Attorneys General, and in rare cases to other state officials. National laws require notification in the case of breaches of health care information, breaches of information from financial institutions, and breaches of government agency information.

Enforcement

Violations are generally enforced by the FTC, State Attorneys General, or the regulator for the industry sector in question. Civil penalties are generally significant. In addition, some privacy laws (for example, credit reporting privacy laws, electronic communications privacy laws, video privacy laws, call recording laws, cable communications privacy laws) are enforced through class action lawsuits for significant statutory damages and attorney’s fees, and defendants can be sued for actual damages for negligence in mishandling personal information such as payment card data.

Electronic Marketing

The US regulates marketing communications extensively, including email and text message marketing, as well as telemarketing and fax marketing.

E-mail: The CAN-SPAM Act is a federal law that applies labelling and opt-out requirements to all commercial email messages. CAN-SPAM generally allows a company to send commercial emails to any recipient, provided the recipient has not opted out of receiving such emails from the sender, the email identifies the sender and the sender’s contact information, and the email contains instructions on how the recipient can easily and without cost opt out of future commercial emails from the sender. Not only the FTC and State Attorneys General, but also ISPs and corporate email systems can sue violators. Furthermore, knowingly falsifying the origin or routing of a commercial email message is a federal crime.

Text Messages: Federal and state regulations apply to the sending of marketing text messages to individuals. Generally, express, opt-in consent is necessary to send marketing text messages and applicable regulations also specify the form of consent.

Telemarketing: In general, federal law applies to most telemarketing calls and programs, and a state’s telemarketing law will apply to telemarketing calls placed to or from within that particular state. As a result, most telemarketing calls are governed by federal law as well as the law of one or more states. Telemarketing rules vary by state and address many different aspects of telemarketing. For example, national ("federal") and state rules address calling time restrictions, honouring do-not-call registries and opt-out requests, mandatory disclosures to be made during the call, requirements for completing a sale, executing a contract or collecting payment during the call, restrictions on the use of auto-dialers and pre-recorded messages, and record keeping requirements. Many states also require telemarketers to register or obtain a license to place telemarketing calls.

Callers generally must scrub their calling lists against both the national and multiple state do-not-call registries, as it is prohibited to place a telemarketing call to a number listed in a do-not-call registry unless a specific exemption applies. The national do-not-call rules (and several state rules), for example, exempt calls to existing business customers who have purchased a product or service in the last 18 months from the company on whose behalf the call is placed, as long as the customer has not specifically opted out of receiving telemarketing calls from the company.

The use of auto-dialers to send pre-recorded messages generally requires the affirmative opt-in consent of the recipient.

Fax Marketing: Federal law and regulations generally prohibit the sending of unsolicited advertising by fax without prior, express consent. Violations of the law are subject to civil actions and have been the subject of numerous class action lawsuits. The law exempts faxes to recipients that have an established business relationship with the company on whose behalf the fax is sent, as long as the recipient hasn’t opted out of receiving fax advertisements and has provided their fax number "voluntarily," a concept which the law specifically defines. The law also requires that each fax advertisement contain specific information, including (i) a "clear and conspicuous" opt out method on the first page of the fax; (ii) a statement that the recipient may make a request to the sender not to send any future faxes and that failure to comply with the request within 30 days is unlawful; and (iii) a telephone number, fax number, and cost-free mechanism to opt out of faxes, which permit consumers to make opt-out requests 24 hours a day, seven days a week.

Electronic Privacy (Including Cookies And Location Data)

Cookies: There is no specific federal or state law that regulates the use of cookies, web beacons, Flash LSOs and other similar tracking mechanisms. However, undisclosed online tracking of customer activities poses class action risk. The use of cookies and similar tracking mechanisms should be carefully and fully disclosed in a website privacy policy. Furthermore, it is a best practice for websites that allow behavioural advertising to participate in the Digital Advertising Alliance code of conduct, which includes displaying an icon from which users can opt out of being tracked for behavioural advertising purposes.

Location Data: Privacy requirements for location-based apps and services are in flux and are a subject of extensive interest and debate. Federal Communications Commission regulations govern the collection and disclosure of location information by telecommunications carriers, including wireless carriers. Further, any location service that targets children under the age of 13, or has actual knowledge that it is collecting location information from children under age 13, must comply with the requirements of the Children’s Online Privacy Protection Act (COPPA) Rules, including obtaining prior verifiable parental consent in most circumstances. Both the Federal Trade Commission and the California Attorney General’s Office have issued best practice recommendations for mobile apps and mobile app platforms, and the California Attorney General has entered into an agreement with major app platforms in which they promise to prompt mobile apps to post privacy policies. Furthermore, a Department of Commerce-led multistakeholder negotiation to develop a code of conduct for mobile app privacy is well underway.