Data Privacy, Cybersecurity & Digital Assets

Elite global counsel for data, digital, cybersecurity and privacy – transactional, regulatory and beyond.


Our global team of professionals keeps our clients ahead of the curve with cutting-edge transactional, regulatory, policy, cybersecurity and contentious capabilities in the world’s largest and most dynamically evolving data and digital markets.

We are among the leading global law firms specializing in complex, high-value domestic and international transactions involving the internet, digital technologies and data assets. Ranked as Elite among the world’s leading data firms, we advise clients on all the legal, regulatory, policy and legislative developments and challenges that impact on the collection, commercialization, storage, and international transfer and sharing of data. In addition, our outstanding international cybersecurity and incident response team regularly counsels clients around the world on business-critical cybersecurity matters, including breach avoidance and mitigation, breach response, regulatory intervention, remediation and litigation.

Our global team works collaboratively across multiple jurisdictions on a diverse range of local, regional and international transactions and regulatory matters in both developed and emerging markets, operating under very different data protection, privacy and cybersecurity regimes.

Why Choose Us?

We pride ourselves on our industry knowledge, global reach and business-savvy approach, which enables us to coordinate and provide effective and pragmatic advice on a multijurisdictional basis.

Our solid working relationships with governments and regulatory authorities around the world enable us to help you deal effectively with regulatory issues, shape changing policies and react to legislative initiatives in this rapidly evolving area.

Our Sector Focus

  • Automotive

  • Aviation

  • Banking and financial service corporations

  • Broadcasters

  • Defense industrial base sector

  • Energy companies (utility, pipeline, oil and gas)

  • Foreign sovereign entities

  • Government entities

  • Health/life sciences

  • Higher educational institutions

  • Hospitality

  • Information technology

  • Institutional investors, family offices

  • Insurance and reinsurance entities

  • Pharmaceutical companies

  • Research institutions

  • Retail, consumer products

  • Satellite industry suppliers, including hardware, software and networking equipment

  • Sports and entertainment

  • Telecommunication providers

  • Transportation and infrastructure sectors (transit, ports/maritime, water/wastewater)

Our global expertise

Data – Asia Pacific

The challenge for anyone with data from the Asia Pacific region is the ever-expanding number of countries initiating data protection/cybersecurity requirements in the region, many of which are similar to, but different in important ways from, the EU’s data privacy rules (GDPR). It would be one thing if they lined up to the GDPR perfectly, but each seems to have its own flavor and unique requirements. Several have GDPR-like obligations, including requirements for data subject notifications, consent, retention and security. However, several have unique applications, such as:

  • China and Vietnam’s lack of a “legitimate interest” as a legal basis for processing, and much broader restrictions on moving data outside of each country.

  • China and Singapore’s requirements to appoint a local Data Privacy Representative responsible for compliance with local data protection laws.

  • Japan and Singapore’s heightened concerns over protection of national IDs, and Japan’s more stringent notification requirements yet easier ability to transfer to processors.

  • Korea’s restrictions on moving data outside of Korea, as well as its 24-hour breach notification requirements for internet/mobile entities.

  • Registration requirements including in China, the Philippines and Vietnam.

Most jurisdictions in Asia Pacific now have implemented or have in place their own unique data privacy/cybersecurity laws, including Hong Kong, Taiwan, Singapore, Vietnam, Thailand, Indonesia, Malaysia, the Philippines, Australia, New Zealand and others. In the event of a cross-border data breach, the determination of when that event is notifiable, to whom and by when becomes even more convoluted.

How We Can Help

We are extremely well placed in Asia, with data privacy and cybersecurity specialists in offices in Australia, China, Hong Kong, Japan and Singapore and a network of trusted local firms throughout the region as needed. We can assist in:

  • Gap analysis – Assessing current practices against the local requirements, identifying gaps, developing a streamlined work plan to address those gaps and providing comprehensive templates that will enable your organization to efficiently address compliance issues.

  • Data mapping – Assisting to create a record of your processing activities, which may be required by local law.

  • Data protection officer (DPO) or local Data Protection Representative – Advising on compliance with applicable requirements.

  • Data transfers – Advising on and implementing appropriate data transfer solutions.

  • Consent – Reviewing existing consents, advising on alternatives to individual consent for processing and, where necessary, implementing mechanisms for obtaining explicit data subject consents.

  • Notice – Reviewing and redrafting privacy notices as required by local law.

  • Vendor compliance and management – Developing template vendor agreements to address local requirements and manage risk within your organization, including key provisions, such as data ownership, liability for breach of data protection or security requirements and notification requirements for a security incident, and reviewing or revising existing contracts.

  • Data subject requests – Developing systems/processes that will enable your organization to respond to access, erasure and portability requests in the manner and within the timeframe stipulated by local law.

  • Data protection impact assessments (DPIAs) – Evaluating whether processing qualifies as “high risk” or otherwise under local law and, if so, developing appropriate DPIAs, and assisting you with any consultation with the data protection authority required.

  • Contracts – Preparing contracts, including updating data processing agreements to cover the new contracting requirements these laws mandate.

  • Data incident preparedness – Creating a robust data breach response plan and doing preparedness drills for your team that will help your organization meet the local requirements and reduce the cost of a breach.

  • Cyberbreach response – Providing a robust legal response to a data breach, especially where global data is involved, and establishing the Attorney-Client and other privileges, where appropriate, to enable free and effective communications.

  • Security assessments – Assessing the adequacy of your security controls and the arrangements with your service providers/processors, including providing security compliance checklists.

  • Email marketing/cookie policies – Advising clients on the development of email marketing campaigns and cookie policies/consents for compliance with local privacy laws.

Why Choose Us?

  • Our global footprint allows us to provide assistance in the jurisdictions where you do business.

  • Our experience advising numerous SMEs, multinational companies and global organizations with local data privacy/cybersecurity compliance will translate into efficiencies for your organization.

  • Our commercial knowledge allows us to help you manage your data to leverage its value while meeting your compliance obligations.

  • With deep roots in the APAC region, we are able to assist you in developing good working relationships with APAC data protection authorities and other regulators.

Data – Europe

The EU’s General Data Protection Regulation (GDPR) came into force on May 25, 2018. The GDPR imposed new and significant obligations on businesses operating both inside and outside the EU, and stiff penalties for non-compliance.

The GDPR affects every business and public body that processes the personal data of EU residents, including:

  • Every employer in the EU

  • All businesses that offer goods or services to individuals in the EU or that monitor their behavior, including companies that have no presence in the EU

  • All businesses that process the personal data of EU individuals on behalf of other businesses

Our data protection experts have assisted small to medium enterprises (SMEs), multinational companies and global organizations to understand and implement practical approaches to meet the challenges and opportunities that the GDPR presents.

How We Can Help

  • Gap analysis – Assessing current practices against the GDPR requirements, identifying gaps, developing a streamlined work plan to address those gaps and providing comprehensive templates that will enable your organization to efficiently address compliance issues

  • Data mapping – Assisting to create a record of your processing activities, as required by the GDPR

  • Data protection officer (DPO) – Advising on compliance with new mandatory DPO requirements

  • Data transfers outside the EU – Advising on and implementing appropriate data transfer solutions

  • Consent – Reviewing existing consents, advising on alternatives to individual consent for processing and, where necessary, implementing mechanisms for obtaining explicit data subject consents

  • Notice – Reviewing and redrafting privacy notices to include the new mandatory information required by the GDPR

  • Vendor compliance and management – Developing template vendor agreements to address GDPR requirements and manage risk within your organization, including key provisions, such as data ownership, liability for breach of data protection or security requirements and notification requirements for a security incident, and reviewing or revising existing contracts

  • Data subject requests – Developing systems/processes that will enable your organization to respond to access, erasure and portability requests in the manner and within the timeframe stipulated in the GDPR

  • Data protection impact assessments (DPIAs) – Evaluating whether processing qualifies as “high risk” and, if so, developing appropriate DPIAs, and assisting you with any consultation with the data protection authority required

  • Data incident response – Creating a robust data breach response plan that will help your organization meet the 72-hour notification deadline

  • Privacy by design – Advising and assisting in developing procedures relating to privacy by design and by default

  • Security assessments – Assessing the adequacy of your security controls and the arrangements with your service providers/processors, including providing security compliance checklists

  • Email marketing/cookie policies – Advising clients on the development of email marketing campaigns and cookie policies/consents for compliance with EU privacy laws

Why Choose Us?

  • Our global footprint allows us to provide assistance in the jurisdictions where you do business.

  • Our experience advising numerous SMEs, multinational companies and global organizations with GDPR compliance will translate into efficiencies for your organization.

  • Our commercial knowledge allows us to help you manage your data to leverage its value while meeting your compliance obligations.

  • With deep roots in the EU, we are able to assist you in developing good working relationships with EU data protection authorities (DPAs) and other regulators.

  • Our well-connected EU Public Policy team can help you have a voice as the regulations are developed.

Data – US

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) imposes burdensome transparency and individual data subject rights requirements, inspired by the European General Data Protection Regulation (GDPR), on almost every company that handles “personal information” regarding California residents.

Effective January 1, 2023, employees and business contacts are in full scope of the California law, and further data subject rights and business obligations apply, including publishing retention schedules and ensuring collection purpose limitation. Also in 2023, CCPA/GDPR-inspired consumer privacy laws become effective in Colorado, Connecticut, Virginia and Utah, and Iowa, Montana, Indiana, Tennessee, Texas and Florida have passed legislation that will become effective in 2024. Many of these comprehensive state privacy laws require conducting and documenting assessments of data practices, which are subject to inspection by regulators. California and Colorado have promulgated very complex regulations detailing how companies must implement privacy protections, while further rule making remains ongoing.

Multiple other states have less comprehensive consumer privacy laws, several strictly regulating health-related data outside of the context of just healthcare providers, and three states now regulate data brokers. A patchwork of sectoral federal and state privacy laws (e.g., Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA)) continues to apply, although the new state laws exclude rather than overlap some, but not all, of what is covered by existing laws. In addition to the federal Children’s Online Privacy Protection Act (COPPA), a growing number of states are regulating data and online activities of minors, most notably the California Age Appropriate Design Act.

How We Can Help

We can:

  • Determine the applicability of data privacy and protection laws to your company and its data

  • Conduct a gap assessment of your company’s current data practices against privacy and security and other consumer protection laws

  • Prepare and execute work plans to achieve compliance in a cost-effective, efficient manner, leveraging existing compliance efforts where applicable

  • Interpret nuances in statutory and regulatory provisions, such as identifying business partners as service providers, contractors, processors, co-controllers, third parties or something else under the laws and developing strategies for avoiding certain obligations or implications of the laws

  • Assist with individual compliance tasks, such as:

    • Conducting data inventories and assessing data practices

    • Designing processes and templates to respond to individual right requests and providing counsel on specific request responses

    • Drafting privacy notices, including meeting regulatory content requirements and addressing purpose, sale and sharing, targeted advertising, profiling, sensitive data, rights request processes, loyalty programs and other financial incentives and retention

    • Making data broker registrations

    • Assessing data security and incident preparedness

    • Preparing contracts, including updating data processing agreements (DPAs) to cover the new contracting requirements these laws mandate

    • Advising on digital advertising, data transfers, processing of sensitive data and use of automated decision-making and profiling, and how to apply new opt-in and opt-out rights to these activities when required

  • Help design and implement privacy-by-design and data inventory and assessment procedures and provide assessment counsel

  • Negotiate and document data-related transactions

  • Advise on the use of artificial intelligence, including profiling and automated decision making

  • Train employees regarding the new legal requirements

  • Educate C-suite/board and data stakeholders regarding compliance obligations

  • Defend companies in enforcement actions

  • Assess cybersecurity and respond to security incidents

Why Choose Us?

  • Our lawyers have spent decades helping companies comply with requirements in other US data privacy and protection laws (e.g., HIPAA, GLBA, Fair Credit Reporting Act (FCRA), COPPA, Video Privacy Protection Act (VPPA), Cable Act, Privacy Act, California Online Privacy Protection Act (OPPA), California Shine the Light, the Illinois Biometric Information Privacy Act (BIPA) and other laws regulating biometrics, and state data security and incident notification laws, etc.). Our team includes the former chief information officer (CIO) of the US government, lawyers with significant business and in-house experience, and multiple regulatory agency lawyers.

  • Our US and European lawyers worked hand-in-hand to assist hundreds of enterprises with the compliance challenges stemming from the GDPR. Many of the same skills, processes and materials, as well as nuanced interpretations and decision-making, developed for GDPR compliance are used by us for US compliance.

  • The global composition of our Data Privacy, Cybersecurity & Digital Assets team provides us with unique experience that we leverage to our clients’ benefit when creating global data governance programs that address the Americas, Asia Pacific and EMEA.

  • The work that you will get from us will not be merely academic lists of the statutory requirements with examples as to how to comply. We pride ourselves on being responsive, commercial and practical in our advice by understanding and balancing our clients’ business goals and risk tolerance with legal requirements, best practices and potential exposure.

Our Experience

  • Multibrand consumer products company – Assessed impact of new state laws on current practices, including mobile apps, loyalty programs, processing of health and other sensitive personal data, targeted advertising and e-commerce and developed compliance strategies.

  • Transportation services provider – Serving as outside counsel for a leading bus line in North America on data privacy and security issues, including addressing complex data sharing arrangements with interline carriers and marketing and sales partners.

  • Leading consumer brand – Responded to an enforcement action by the California attorney general regarding various digital advertising practices and negotiated a resolution that did not result in any penalty.

  • Multinational technology company – Advised on designing several new innovative data-using product offerings, including revising customer agreements, preparing privacy statements, addressing secondary uses, designing user-friendly mobile app consent mechanisms, honoring individual rights, and advising on nuanced comparisons to GDPR and integrating with GDPR compliance efforts.

  • Online publishers – Counseling website and mobile app publishers on use of cookies and other tracking technologies, session replay, chatbots and other data-gathering and -processing practices, including regarding transparency and choice.

  • Biometrics services provider – Developed notice, consent and other compliance practices for a platform as a service (PaaS)/software as a service (SaaS) provider of biometrics and artificial intelligence services.

  • Global engineering and manufacturing company – Developed a work plan leveraging simultaneous GDPR and US compliance efforts with parallel work streams for customer and employee data.

  • Global digital advertising and analytics company – Advised on how state privacy laws apply to various data practices, then developed and implemented a compliance plan, including data mapping and assessments, drafting a separate US privacy statement, expanding individual rights processes to cover US residents, and updating vendor and customer agreements. Providing ongoing counsel on new practices.

  • Worldwide management consulting company – Advised this consulting company (serving purely as a service provider) regarding CCPA applicability and consequences of engaging in secondary data uses.

  • Specialty pharmacy/distributor – Helped one of the nation’s leading suppliers of critical-care biopharmaceuticals, plasma products and vaccines to interpret and plan CCPA implementation (largely for its employees, given that other consumer information is subject to HIPAA and, therefore, exempt from CCPA).

  • Global auto manufacturer – Advising on the applicability of state laws generally and how to structure new and innovative smart car technologies involving secondary uses of data for purposes such as usage-based insurance, value-add applications and services, and first- and third-party marketing.

  • Multifamily dwelling unit operator – Assessing proposed uses of data, including profiling and artificial intelligence, by the landlord for targeted advertising, tenant screening, differential pricing and services and renewal terms, including application of state and federal housing, credit and public accommodations laws, and state privacy laws.

  • Global food and beverage company – Counseling on development and implementation of its AI policy and framework and associated assessments, training personnel on program requirements, assisting with assessments and negotiating agreements with AI providers. Developing and implementing novel, consumer-facing non-fungible token (NFT) promotion in partnership with a major sports league.

Global Cybersecurity and Data Breaches

Our global cross-practice response team is composed of cybersecurity, data protection, e-privacy, litigation, government investigations, insurance, and labor and employment professionals. All are subject-matter experts in their respective legal fields and many have developed substantial experience advising on cross-border and international data breaches and cybersecurity incidents of all types. As a team, we offer our clients the in-depth knowledge and experience required to prepare for and respond to cybersecurity and data breach incidents, which regularly transcend practice areas and global borders. We frequently work together with technical security professionals and forensic experts to provide our clients with a fully integrated approach that is both tactical and strategic. We also work closely with public relations professionals to help coordinate the content of internal and external communications relating to cybersecurity incidents and data breach situations. We have a proven track record of assisting and guiding clients through:

  • Prevention and protection – e.g., conducting personal data breach and cybersecurity risk assessments, developing organization-specific cybersecurity and data breach compliance programs, strengthening IT environments, etc.

  • Preparation and training – e.g., developing and conducting employee and IT-specific training, conducting tabletop exercises and simulated breach events, etc.

  • Detection and response – e.g., coordinating containment and eradication efforts, making required notifications, liaising with the relevant authorities, etc.

  • Recovery and strengthening – e.g., restoring data, liaising with insurance carriers, and litigating data security and privacy matters, etc.

  • Enforcement proceedings and litigation – e.g., anticipating and minimizing the risk of legal claims and enforcement proceedings, and representation throughout all phases of such proceedings

Our Services

We provide advice on a wide range of matters related to cybersecurity risk management, data breach response and cybersecurity litigation. This includes, but is not limited to, advising clients on their options and obligations in responding to ransomware attacks, personal data breaches, inadvertent disclosures, phishing emails, etc.; interfacing with law enforcement agencies, regulators, data protection authorities and insurers; coordinating and making appropriate breach notifications to data subjects and data protection authorities; coordinating crisis management response; and litigating any matters arising out of such incidents.

We also work with technical security professionals to assess our clients’ cybersecurity profiles. When vulnerabilities are found, we work with management teams, boards of directors, vendors, PR and other consultants and third parties to design, implement and train employees on newly developed cybersecurity compliance programs. Finally, we advise on due diligence for third-party service providers, mergers, acquisitions and joint ventures.

Why Choose Our Global Cross-practice Response Team?

  • Our experienced cross-practice and global breach response team provides the legal, regulatory and procedural advice and support that our clients require around the world.

  • We have advised on hundreds of cybersecurity incidents and breach responses, including some of the largest security incidents in the past few years, acquiring comprehensive knowledge of the requirements of national data protection authorities and regulators, and we expertly and swiftly direct all aspects of incident response based on significant real-world experience.

  • We draw on extensive regulatory and litigation expertise to provide substantive and strategic litigation support, whether in civil, criminal or regulatory proceedings.

  • Where breaches are particularly severe, we work closely with our Public Policy team to design communications strategies at all affected levels of government.

  • We provide experienced advice on a wide range of insurance policies and claims to help our clients protect themselves financially when a security incident occurs.

  • We frequently team with technical security professionals to provide our clients with a holistic approach to developing effective cybersecurity and data breach compliance programs.

Our capabilities

Data Privacy and Protection in the US

The US has traditionally taken a vertical approach to data protection, with a focus on specific sectors. However, recent developments at both federal and state levels indicate a move towards a more horizontal approach. We can share our expertise to ensure your data protection procedures are in compliance with state and federal requirements, and advise you in case of data breaches involving personally identifiable information (see below).

Data Privacy and Protection in the European Union and Other Major Markets

Our EU team offers a “one-stop shop” for any organization needing to address data protection and e-privacy issues in the EU. We have substantial experience advising clients in many sectors on compliance across the EU/EEA, including the evolving interpretation of existing e-privacy, data protection and data retention rules, and the implications of the significant legislative changes on the horizon at EU level. Our country experts have substantial experience advising multinational clients on how to prepare for and respond to data breaches involving personal data (see below), as well as conflicts of laws involving access to personal data.

We also have data protection experts in virtually all of our other offices, including Russia, the Middle East and the Asia Pacific region. We are adept at providing multinational clients with advice on establishing regulatory compliance programs and data breach response plans that address the differing and sometimes conflicting requirements of the jurisdictions in which they operate.

Artificial Intelligence

The rapid evolution of artificial intelligence (AI) has far exceeded industry forecasts, fundamentally reshaping how organizations operate and innovate. As AI’s capabilities expand, its integration into business models across nearly every sector is accelerating, bringing both unprecedented opportunities and complex regulatory challenges.

As data privacy and cybersecurity professionals, we are deeply engaged in the AI landscape. We advise technology pioneers, support businesses undergoing digital transformation, and collaborate with regulators and policymakers seeking to harness AI’s potential while safeguarding data protection and individual rights. Our work sits at the intersection of innovation, compliance and risk – helping clients navigate emerging legal frameworks and build AI strategies grounded in trust, transparency and accountability.

Visit our Artificial Intelligence focus page for more on our multipractice AI capabilities and our AI Law & Policy Hub for the latest regulatory and policy developments from around the world.

Cybersecurity

Our Data Privacy, Cybersecurity & Digital Assets team works across borders and practice specialties to deliver comprehensive and strategic advice and counsel on cybersecurity. We address cybersecurity and privacy issues, cyber theft and data breach prevention, as well as the liability stemming from data breaches and post-breach forensics.

Our experience with the broad swathe of policy, regulatory, legislative, legal, compliance and enforcement issues that impact risk management and cybersecurity means we can offer valuable and proactive advice to clients in critical infrastructure sectors, such as banking and financial services, energy, telecommunications, information technology and health, along with other industries impacted by cybersecurity concerns.

The Emerging Role of Regulators and Cybersecurity

As cybersecurity risks grow exponentially around the world, regulators across the globe are looking at new ways to manage the risk. We bring a global view of what is happening in the emerging realms of cybersecurity in other countries, including in the EU, Asia Pacific, Latin America and others. In many cases, we can help our global clients anticipate how emerging cybersecurity policies, regulations and laws are being debated around the world, and share best practices about what has worked and what happens. The increasingly connected nature of the globe dictates that corporations need teams like ours who have detailed experience in all of these matters.

As a result, we can help clients understand how proposed cyber changes will impact their current – and often complex and overlapping – regulatory regimes. For example, in the US, we work closely with the White House and relevant federal agencies. We also work with independent agencies, including the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), the Federal Energy Regulatory Commission (FERC) and entities like the North American Electric Reliability Corporation (NERC), as well as every committee jurisdiction in Congress.

We have similar capabilities in Brussels and key EU member states, as well as in the Asia Pacific region, to help ensure global messaging, coordination and solutions.

Data Breach Preparedness and Response

Our team includes data breach experts with a proven track record of advising clients on data breach preparedness and response, at both local and international levels. Working closely with our litigation experts in key markets, we have developed a four-point program that covers the essential elements of sound data management, whether this involves personal information, intellectual property, commercially sensitive data, systems software or other business-critical data:

  • Prepare and train

  • Protect and prevent

  • Detect and respond

  • Recover and fortify

We work closely with technical security professionals and forensics experts on matters ranging from developing compliance and prevention programs, to drafting tailored data breach response plans and coordinating crisis management. You can also tap into our Financial Services team’s expertise on issues relating to data and cyber breach insurance policies and claims.

Tools and Guidance Materials to Aid AI and Data Governance

Our internationally recognized global Data Privacy, Cybersecurity & Digital Assets Practice has developed a suite of tools and guidance materials, Privacy Powered by Squire Patton Boggs™, to assist legal services clients and non-legal services customers in managing their information governance.

Access our tools and guides

How is AI Impacting Your Business?

Browse our collection of global insights on the evolution and impact of artificial intelligence.

Visit our AI Law & Policy Hub

Stay ahead with our data privacy insights

Follow our Privacy World blog for the latest news and views on evolving laws and litigation impacting data privacy, cybersecurity and digital assets around the world.

Visit our blog