Database

The amendments to the National Payment System Law require international payment cards to be processed locally. The law requires international payment systems to transfer their processing capabilities with respect to Russian domestic operations to the local state-owned operator (National Payment Card System) by 31 March 2015.

The amendments are reported to be a response to the international political sanctions which prohibited certain international payment systems (e.g., Visa and MasterCard) from servicing payments on cards issued by sanctioned Russian banks.

Russian data protection has been covered since 27 July 2006 by Federal Law no. 152-FZ, also known as the OPD-law (“On Personal Data”). In July 2014, the law was amended by the Federal Law No. 242-FZ to include a clear data localisation requirement. Article 18 §5 requires data operators to ensure that the recording, systematisation, accumulation, storage, update/amendment and retrieval of personal data of the citizens of the Russian Federation is made using databases located in the Russian Federation. This amendment entered into force on 1 September 2015.

It is not clear how restrictive the data localisation requirement is, but it appears that the OPD-Law does not prohibit accessing the servers from abroad and does not impose any special restriction on cross-border data transfers or duplication of personal data.

Online websites that violate the prohibition could be placed on the Roscomnadzor's blacklist of websites.

Sanctions for data privacy violations include the suspension or permanent ban of the activities of companies that infringe certain regulations as well as fines of up to 150,000 USD.

The existing regulations follow the constitutional principle that the consent of the lawful owner is required for the transfer of any personal information.

Besides being regulated by contractual terms, data collated by banks, insurance firms, hospitals, defence establishments and other "sensitive" installations/institutions cannot be transferred to any individual/body unless it is transferred with the permission of the relevant regulator or similar bodies on a confidential basis. Additionally, in certain cases data cannot be transferred without the permission of the relevant client/customer.

The prevention of Electronic Crimes Act mandates that breaches of the confidentiality of information shall result in imprisonment which may extend to three years.

Although the transfer of data to third parties is not specifically regulated under the laws of Pakistan, data cannot be transferred to a country which is not recognized by Pakistan.

Currently, the list of countries not recognized by Pakistan include: Israel, Taiwan, Kosovo, Somaliland, Nagorno-Karabakh, Transnistria, Abkhazia, Northern Cyprus, Sahrawi Arab Democratic Republic, South Ossetia and Armenia. This list may change from time to time.

Furthermore, data can only be transferred to India if such a transfer can be justified by the transferor.

On the 13 of May 2014, the European Court of Justice ruled that individuals are entitled to seek the deletion of links on search engines about themself if the information is outdated or irrelevant, the so-called right to be forgotten. Although the court ruling only applies to the 28 European Member States, four other countries - Iceland, Liechtenstein, Norway and Switzerland - are de facto making use of it.

The Guidelines on Point-of-Sale Card Acceptance Services require IT infrastructure for payment processing to be located domestically. All Point-of-Sale and ATM domestic transactions need to be processed through local switches and it is forbidden to route transactions outside the country for processing.

At the beginning of 2014, the National Information Technology Development Agency (NITDA) released guidelines on Nigerian content development in information and communications technology.

One of the requirements imposes that "Data and Information Management Firms" host government data locally within the country and shall not for any reason host any government data outside the country without an express approval from NITDA and the Secretary of Federal Government.

Another requirement imposes that all ICT companies host their subscriber and consumer data locally.

The Information Technology Act sets fines up to 500,000 INR (around 8,000 USD) or imprisonment up to three years; or a combination of both.

A draft Personal Data Protection Bill would increase the fines for breach of its provision up to 150,000,000 INR (approximately 2,100,000 USD) or 4% of its total worldwide turnover of its preceding financial year.

The Internet Service Provider licence and Unified Access Services Licence identify several categories of records that must be made available and provided for security purposes to the Telecom Authority or authorized Intelligence Agencies. (more information available under data retention subchapter)

A draft Personal Data Protection Bill would require that data breaches be reported to the Indian Data Protection Authority "as soon as possible and not later than the time period specified by the authority." The period of time in question is to be specified on a later date.

Additionally, "upon receipt of notification, the Authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm."

A draft Personal Data Protection Bill would require that "significant data fiduciaries" appoint a Data Protection Officer to oversee compliance with the law; comply with annual independent audits of their processing of personal data; and conduct impact assessments for new technologies or large-scale profiling or use of personal data.

A draft Personal Data Protection Bill would require that "significant data fiduciaries" perform impact assessments, "where the data fiduciary intends to undertake any processing involving new technologies or large scale profiling or use of sensitive personal data such as genetic data or biometric data, or any other processing which carries a risk of significant harm to data [subjects]"