In a new online event produced by ACC, SPB partner Nick Chan will join Rebecca Perry, Director of Strategic Partnerships, Exterro; Andy Knowles, Tech & Cyber Counsel at GSK; and Samantha Guo, Head of Legal Americas at China Telecom Americas, to discuss China’s PIPL (Personal Information Protection Law). The distinguished team will share insights on the policy intent behind the PIPL which took effect in November 2021, draw some contrast with GDPR and CCPA, discuss data localization, data residency, data sovereignty and cross-border transfers of personal information. Don’t miss out as they debunk some myths, look at how the legislation will affect your organization’s operations and share best practices so your company can get ready.

Date: August 11, 2022

Time: 9 AM eastern

For registration details, click here.

In September 2024, the Guangzhou Internet Court released its ruling on a civil dispute that was originally issued in September 2023, involving the transfer of personal data outside mainland China. This judgment is reportedly the first judicial judgment on cross-border data transfers.

In this case, an international hotel group based in France, as the defendant, was found liable for illegally transferring the personal data of the plaintiff, an individual Chinese customer, to third parties outside of China for the purpose of marketing, without obtaining the customer’s separate consent prior to providing the data.

Continue Reading Court Ruling in China on Personal Data Transfer by International Hotel Chain

Nearly six months after the Cyberspace Administration of China (CAC) first released its draft regulations proposing to ease outbound data transfers from China (Draft Regulations) for public consultation (see our article at China Releases Draft Regulation to Significantly Ease Cross-border Data Transfers | Privacy World), the much-awaited final rules on Regulating and Facilitating Cross-border Data Flows were published and came into effect on March 22, 2024 (New Regulations). The New Regulations largely repeat the Draft Regulations, but further relax personal data exports from China.

Meanwhile, on the same day, the CAC also released the Guide to the Application for Security Assessment of Data Exports (Second Edition) and the Guide to the Filing of the Standard Contract for Personal Data Exports (Second Edition) (collectively, the Second Edition Guides) which make corresponding adjustments pursuant to the New Regulations.

Continue Reading China Finalizes New Regulations to Relax Personal Data Exports from China

At long last, China has issued the Standard Contract terms and the Measures for implementing them. Click here for more detailed analysis, but, in short:

  1. They apply to any export of personal information from China, except exports of heightened concern (i.e., critical information or large-volume and/or sensitive data transfers) or where the exporter opts for a voluntary assessment by the Cybersecurity Administration of China (CAC).
  2. They require the data exporter to conduct a Personal Information Privacy Impact Assessment, with detailed questions to be assessed.
  3. They require the entering into of a designated Standard Contract with the receiving party, with far-reaching obligations on both the exporter and the data recipient.
  4. These documents must be filed with the CAC within 10 days of the signing of the Standard Contract.
  5. These obligations take effect on 1 June 2023 (although a six-month grace period is in place for transfers made before 1 June 2023).

We note that these Measures do not alter the obligations under Article 39 of the Personal Information Protection Law, which require that separate informed consent be obtained from the data subject (although we note there are very few exceptions that may be used to otherwise obtain consent). We also note that such cross-border transfers are allowed only where they are “really needed” by the business (PIPL Article 38).

Given these far-reaching new obligations, we are counseling companies that want to export personal information from China to immediately assess their new obligations and move toward meeting them prior to the 1 June 2023 deadline.

In a new development, we note that China is weighing a restructure to establish a data administration bureau. This new organization would likely become the data regulator overseeing data administration in Mainland China, taking over some roles from the Cyberspace Administration of China. We will provide an update accordingly.

For a more detailed review of the new Measures and the designated Standard Contract, please see this alert. In addition, we are hosting a webinar, China’s New Standard Contractual Clauses – What Do They Mean for You?, to provide a deeper dive on these changes. There will be two sessions taking place to cater for different time zones: 22 March 2023 for EU/UK/MENA and 23 March 2023 for the Americas. Sign up here.

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

JPML Declines to Create MDL for Data Breach Cases

CPW’s Kyle Fath and Gicel Tomimbang to Speak at IAPP Webinar on Privacy in AI

BREAKING: The FTC Issues Advanced Notice of Public Rulemaking for Privacy Regulations

Legitimate Interests: Dutch Data Protection Authority’s Appeal Dismissed, But the Controversy Continues

No Injury = No Article III Standing in Data Breach Class Action

Jury Finds Credit Reporting Agency Was “Reasonable” in FCRA Case of Inaccurate Consumer Credit Report

CPW’s David Oberly Discusses Biometric Privacy Compliance Strategies in Advance of Cothron BIPA Claim Accrual Ruling in Biometric Update

On the Speaking Circuit in August: CPW’s Nick Chan to Discuss China’s PIPL

New York Department of Financial Services Slaps Robinhood Crypto with $30 Million Fine for Cyber Compliance Failures

SPB 2022 Q2 Artificial Intelligence & Biometric Privacy Quarterly Review Newsletter

Federal Bill Would Broaden FTC’s Role in Cybersecurity and Data Breach Disclosures

Our Data Privacy Practice Continues to Expand: Julia B. Jacobson and Shea Leitch Join the Team

California Federal Court Grants Plaintiff’s Motion to Remand FACTA Class Action to State Court

T-Mobile Agrees in MDL to Record Setting $350 Million Data Breach Settlement to Resolve CCPA and Other Privacy Claims

The Southern Co-op – Is the Use of ‘Spy’ Cameras Breaching UK Data Protection Laws?

Carnival Cruise Line and 46 State Attorneys General Reach $6 Million Dollar Settlement Over 2019 Data Breach

Sessions Replay Litigation Recap – Open Questions Post-Javier

The past week witnessed two major developments relating to data export from China. On one hand, the data export-related regulation was officially adopted, expanding the scope of the government’s security assessment. On the other hand, the long-awaited draft personal data export standard contract and the rules on its application were released for public comment; they require such contracts to be filed with the government.

Measures on Data Export Security Assessment

On July 7, 2022, the Cyberspace Administration of China (the “CAC”) released the Measures on Data Export Security Assessment (the “Measures”). These Measures set out the detailed requirements for the security assessment organized by the CAC for data export, which is required under the Personal Information Protection Law (“PIPL”) as well as the Data Security Law. Following a draft version in 2021, the Measures clarify the quantities of personal information (“PI”) which fall under the PIPL, and add new circumstances that will significantly expand the application of the government’s security assessment as well.

Particularly, with the data quantity threshold of 100,000 individuals’ PI and 10,000 individuals’ sensitive PI, large multinational companies with more than 10,000 employees or customers in China should carefully review whether they would be subject to the government’s security assessment.

Threshold for CAC Security Assessment

Data controllers are required to pass the government’s security assessment for data export in any of the following circumstances:

  1. Export of “important data”, meaning data that may endanger national security, economic operation, social stability, public health and safety, etc. once it is tampered with, destroyed, leaked, or illegally obtained or used.
  2. Export of PI by Critical Information Infrastructure Operators (CIIO). This is in line with the PIPL.
  3. Export of PI by a PI controller processing over 1,000,000 individuals’ PI (which seems to be the definition of a “large volume” PI controller under the PIPL).
  4. Cumulative export of PI of more than 100,000 individuals since January 1 of the previous year.
  5. Cumulative export of sensitive PI of over 10,000 individuals since January 1 of the previous year, or
  6. Other situations as stipulated by the national cybersecurity and informatization department.

Circumstances (4) and (5) are not provided for in the PIPL and arguably expand the application of the government’s security assessment. It is unclear how the thresholds will be calculated; for example, whether any update of PI that was previously exported would count toward the current year’s quota.

CAC Assessment Procedure

Data controllers subject to the assessment should conduct a self-assessment first and submit to the CAC, among other things, the self-assessment report and the data export/process agreements contemplated to be signed with the overseas recipient.

After receiving the completed application documents, the CAC will have 7 working days to decide whether to accept the application, and another 45 working days to complete the security assessment. This duration may be further extended without a specific time limit. Such an indefinite review period has raised concerns about uncertainty that may significantly impact data flows for multinational companies. The result of the security assessment is valid for two years.

Grace Period

The Measures will take effect from September 1, 2022 and offer a six-month grace period for complying with the Measures. In other words, data controllers subject to the Measures should at least make a filing with the CAC before March 1, 2023. Companies in China that are currently exporting critical data or personal data outside of China should take immediate action to assess whether they fall within the scope of the Measures.

Draft PI Export Standard Contract

Also, in relation to the topic of data export, on June 30, 2022, the CAC released the Draft Personal Information Export Standard Contract and the related rules on application of the standard contract (“Draft Standard Contract”) for public comment.

Data controllers that are NOT subject to the government’s security assessment as provided under the Measures (as specified above) could rely on the signing of the standard contract to export personal data.

Surprisingly, however, the Draft Standard Contract requires data controllers to file the executed standard contract (and any amendments thereof) with the authorities (CAC) within ten days after it takes effect, together with a PI protection impact assessment report. This is a new requirement not covered by the PIPL. This requirement could significantly increase the burden on data controllers for data export, especially for multinational companies that often have globally centralized management systems. There are also concerns that the filing process may turn into a government review, as the CAC may review the filed standard contract and determine whether the data export activities are appropriate.

The Draft Standard Contract sets out detailed requirements on the obligations of the parties in relation to PI protection, and the parties should specify detailed descriptions regarding the export of PI, among other things, the volume of data, and the processing location. The Draft Standard Contract specifically provides that it should prevail over any other agreements between the parties relating to the subject.

The public comment period of the Draft Standard Contract will expire on July 29, 2022. We anticipate the final version may become available within this year.

At the recent annual meeting of the French Association of Personal Data Protection Correspondents (AFCDP), CPW’s Stephanie Faber presented the latest changes on data privacy in the US (providing a global overview with details on data protection for consumers in five states, requirements for opt out and OOPS, the Federal bill, initiatives of the FTC and the possible timeline for the new US EU framework of exchange of personal data) and in China (covering the data security act, cybersecurity act, PIPL with details on the localization requirements and international transfers).

The AFCDP is the largest French association for privacy professionals and is also the founding member of the CEDPO (the Confederation of European Data Protection Organisations).

It is clearly a challenge for DPOs based in the EEA to keep up with all the new laws around the world, and the audience expressed how keen they are to better understand the trends and the differences especially for countries like the US and China, with which French companies have important business relations and data flows. Several questions were asked about the difference in scope of such laws when compared to GDPR, and whether the right to privacy could become a constitutional right in the US.

Thanks to the collective working knowledge and know-how of the firm’s global Data Privacy, Cybersecurity & Digital Assets team, Stephanie was able to share valuable insights on these laws and the implementation of regulations and standards.

The presentation will be provided in replay by the AFCDP for those who could not attend in person.

Scott Warren has joined the faculty of China PrivSec, which will bring together senior professionals to explore Chinese privacy and security laws at a livestream event on March 15, 2022. In a session titled, “China’s Personal Information Protection Law (PIPL): What Businesses Need to Know,” Scott and his co-panelists, Wendy Pang, IP, CIPP/E, CIPM, Certified Legal Professional of PRC, Data Security and Privacy Protection Expert, and Robinson Roe, Managing Director, OneTrust, Asia Pacific, Japan, will highlight key provisions in the law, critical issues for companies operating in China and compliance requirements and best practices.

For complete event details, please click here.

On December 9, 2021, Ann LaFrance, SPB Senior Partner and Vice President of the International Institute of Communications (“IIC”), moderated a panel discussion involving U.S. and international stakeholders’ perspectives on privacy and data protection trends and the value of interoperability in cross-border data transfers at the IIC’s (virtual) annual Telecommunications & Media Forum (“TMF”) in Washington DC.

The panel participants represented a diverse cross-section of international stakeholders, including: Maureen Mahoney, Senior Policy Analyst for Consumer Reports; Sam Schofield, Trade Policy Advisor – Global Data Policy, International Trade Administration (“ITA”); Vitelio Ruiz Bernal, Director General of Investigation and Verification of the Private Sector, Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (“INAI”); and Christopher Calabrese, Senior Director, Privacy Policy, Microsoft.

The panelists discussed a wide range of topics, including the prospects for interoperability between and among national data privacy and protection regimes, data localization, emerging international frameworks, enforcement challenges and consumer trust. A summary of the major themes covered by the panelists is provided below.

Global Interoperability

Stakeholders in the U.S. and abroad recognize the importance of facilitating cross-border transfers of personal data, and are advocating for interoperable privacy laws, including agreement on a new framework to replace the EU-US Privacy Shield (“Privacy Shield”), which the European Court of Justice concluded was invalid from an EU law perspective in 2020.

One emerging framework to facilitate the free flow of personal data is the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules (“CBPR”) System, which currently has nine participating countries, including the United States and Mexico. The panelists discussed the conditions for an effective cross-border interoperability regime, including the following principles:

  1. Be transparent so that it is not difficult to comprehend what companies are doing with an individual’s data;
  2. Empower individuals by giving them rights over their own data;
  3. Promote corporate responsibility among companies that collect personal information;
  4. Have a strong enforcement mechanism to ensure that if consumers are granted rights they also have adequate remedies;
  5. Respect national sovereignty but limit data localization where necessary for national governments to protect legitimate state interests; and
  6. Be sufficiently flexible to allow for the evolution of technology and evolving regulatory requirements.

Although there is a consensus on the value of interoperable privacy regimes, there is also a recognition that there are different perspectives on what the critical elements of “interoperability” should consist of, how they should be implemented and what enforcement mechanisms should apply.

Data Localization

Data localization laws place restrictions on where personal information may be stored and processed. The panelists discussed the impact of data localization laws, including:

  1. The obstacles data localization laws create for businesses seeking to serve customers both globally and locally (e.g., significant operational costs), which affects cross-border commerce;
  2. Governments’ national security and law enforcement interests; and
  3. The need to balance the benefits of enabling data to flow freely across borders with the legitimate interests of governments to protect their citizens.

Emerging International Frameworks

Two models of interoperability were the focus of discussion: the APEC CBPR System, and the EU “adequacy” test established under the EU General Data Protection Regulation (the “GDPR”). The panelists discussed the benefits and challenges of both models and observed that, although the GDPR is generally considered a more stringent regime, the two models are not incompatible and there are countries that participate in both (e.g., Japan, Canada).

Enforcement Challenges

The panelists agreed that establishing a global privacy standard is challenging because privacy is culturally rooted, and each country may have a different understanding of human rights and civil liberties. Thus, what may be considered “private” in one country may not be so in another, which could affect the enforcement mechanisms included in each country’s privacy regime. The panelists also identified additional challenges in privacy enforcement, including the:

  1. Importance of allocating sufficient resources and enforcement powers to data protection authorities so they can promote accountability and secure redress for consumers;
  2. Privacy considerations in public and private sectors, which may sometimes be divergent; and
  3. Importance of developing legally enforceable mechanisms that evolve alongside changing technology.

Consumer Trust

From the consumer perspective, ensuring trust in online transactions is an imperative that will require laws designed to protect consumer privacy by default, including strong data minimization requirements, as well as effective opt-out mechanisms, such as global privacy controls that can be activated through browser settings.

There was a general consensus that we are now approaching an inflection point, with new and divergent privacy laws coming into force around the world, such as the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD), China’s Personal Information Protection Law (“PIPL”), California’s CCPA/CPRA and a number of other privacy laws at the state level in the U.S. The panelists agreed that the next five years will be critical to the development of a global consensus on the minimum interoperability requirements to legitimize cross-border data flows in a world that is ever more reliant on the global internet.

A recording of this discussion is available here. The IIC/TMF also hosted a panel on U.S. privacy law developments. A blog post on that is available here.