Overview of Stardust at EclipseCon Ludwigsburg 2012
Stardust overview at EclipseCon Ludwigsburg in Germany featuring Dr. Marc Gille, SVP Product Management at SunGard Infinity. Learn about the origin, approach, project activity, ecosystem, and more related to Stardust.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
The new data protection Convention 108+ and its importance for Asia Graham Greenleaf Asian Privacy Scholars Network (APSN) Conference, Taiwan, August 2024
Basics of Convention 108+ 108+ = Convention 108 (1981) + amending protocol (2018) Convention = a treaty = binding on State Parties, enforced by them 108+ needs 7 more ratifications from the Parties to 108, to give 38 Will come into force in 2024 or 2025 Potentially global: any countries can be invited to accede Council of Europe is only the host; and controls accession process Convention 108 has 54 Parties: 47 European; 6 African; 3 Latin Am. Overall purpose of 108+ Parties must enact & enforce a data privacy law to 108+ standard Parties commit to allowing free flow of personal data to other Parties, Parties commit to prevent data exports unless there is appropriate protection
Benefits of Convention 108+ to Parties (1)Realism: Known standards & at least 38 parties. No starting from scratch. (2)Moderate standards: 108+ standards not as strong as the GDPR. (3)Minimum standards:Any country can enact a higher standard. (4)Voluntary obligations Accession is a voluntary acceptance of reciprocal obligations. Treaties are mutual, (5)Reciprocal unrestricted data exports between Parties. (6)Reciprocal guarantee of data export controls. (7) A de facto whitelist Any country can have Parties to 108+ as a whitelist of allowed data exports. (8) Assistance in obtaining EU adequacy GDPR recital 105
Implications of 108+ for Asia Voluntary acceptance of obligations No need for a separate regional treaty (cf Africa) Provides reciprocal obligations between Asian countries
Which Asian countries could accede? 17/26 Asian countries have data privacy laws Can use a 5-step test to determine who can accede 1 Must be a State (UN practice = UN membership) * OMIT Hong Kong; Macau; Taiwan 2 Must be democratic * OMIT China, Vietnam, Cambodia, Brunei 3 Must have full scope ( public and private sectors ) * OMIT Singapore, Malaysia - Private sector only 4 Must have a completely independent DPA & effective remedies OK Korea, Japan (EU adequacy), Philippines Arguable Indonesia, India, Sri Lanka, Thailand OMIT Bhutan, Nepal 5 Must meet substantive provisions for 108+ legislation [NEXT SLIDE]
Substantive requirements of 108+ legislation 108+ Subject matter of provision Countries 5(1), 10(4) 5(2) Proportionality required in all aspects of processing ID, SL KR, PH, PH, ID, IN Legitimate bases for processing defined 5(2) KR, TH, ID, SL, IN Stronger consent requirements unambiguous ; children s consent 5(4)(c)* Minimum collection necessary for the purpose data minimisation) KR, TH, ID, SL 5(4)(e)* Destruction/ anonymisation of personal data after purpose completed JA, KR, TH, PH, ID, SL 6(1) JA, KR, TH, ID, SL Biometric and genetic data require extra protections 6* Additional protections for sensitive data in defined categories JA, KR, TH, PH, ID, SL 7(1), 10 Direct liability for processors as well as controllers KR, TH, ID, SL 7(2) Data breach notification to DPA for serious breaches JA, KR, TH, PH, SL, IN
108+ Subject matter of provision Countries PH, ID, SL 9(1) Limits on automated decision-making 9(1) To object to processing on grounds relating to his/her situation KR, TH 9(1)* Right to erasure, including to be forgotten JA, KR, TH, ID, SL 10(1) Demonstrable accountability by controllers ID, SL, IN 10(2) Prior examination before processing of right impact KR, SL 10(2) Data protection by design and by default 12 DPAs to make decisions and issue administrative sanctions JA, KR, TH, ID, SL, IN 12, 15* Recourse to the courts to enforce data privacy rights KR, TH, PH, ID, SL 14* Restricted data exports to non-Parties JA, KR, TH, ID, SL, IN 15* Independent Data Protection Authority(-ies) (DPA) JA, KR, TH, PH, SL, IN JA, ID, SL 16-21 DPAs must cooperate with other DPAs of Parties
Compliance with substance approx. 7/17 countries now possibly compliant in theory (only 3 in 2020) 17/20 Sri Lanka 15/20 Korea 13/20 Thailand 9/20 Japan 7/20 Philippines 7/20 India Compliance also requires effective enforcement (eg Korea; contra Japan) Two approaches in tension in accession decisions Effective application of [all] provisions of 108+ (art. 4) Practice under 108 (2012-22): C tee of Ministers very flexible if a country was close enough , and/or undertook to make further reforms Guidance needed on which of the 20 provisions are most important 15/20 Indonesia
Any country can help globalize 108+ To which countries can you export personal data? A wicked problem. Any Asian country can legislate to allow unrestricted exports to: (i) Any EU/EEA member State (31) + (ii) Any country with laws assessed adequate under the EU s GDPR (+12); + (iii) Any Party to 108+, assessed as compliant by Convention C tee (+ ??) Such a Default Whitelist is additional to other export restrictions At least 6 countries have such Whitelists One Whitelist removes 43 export problems now, then more as (i)-(iii) grow. The result is a virtuous circle: Whitelists make adequacy/accession more valuable; that makes Whitelists more worth creating; etc The number of export problems will then slowly reduce
