On December 9, 2021, Ann LaFrance, SPB Senior Partner and Vice President of the International Institute of Communications (“IIC”), moderated a panel discussion involving U.S. and international stakeholders’ perspectives on privacy and data protection trends and the value of interoperability in cross-border data transfers at the IIC’s (virtual) annual Telecommunications & Media Forum (“TMF”) in Washington DC.

The panel participants represented a diverse cross-section of international stakeholders, including: Maureen Mahoney, Senior Policy Analyst for Consumer Reports; Sam Schofield, Trade Policy Advisor – Global Data Policy, International Trade Administration (“ITA”); Vitelio Ruiz Bernal, Director General of Investigation and Verification of the Private Sector, Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (“INAI”); and Christopher Calabrese, Senior Director, Privacy Policy, Microsoft.

The panelists discussed a wide range of topics, including the prospects for interoperability between and among national data privacy and protection regimes, data localization, emerging international frameworks, enforcement challenges and consumer trust.  A summary of the major themes covered by the panelists is provided below.

Global Interoperability

Stakeholders in the U.S. and abroad recognize the importance of facilitating cross-border transfers of personal data, and are advocating for interoperable privacy laws, including agreement on a new framework to replace the EU-US Privacy Shield (“Privacy Shield”), which the Court of Justice of the European Union concluded in 2020 was invalid as a matter of EU law.

One emerging framework to facilitate the free flow of personal data is the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules (“CBPR”) System, which currently has nine participating countries, including the United States and Mexico.  The panelists discussed the conditions for an effective cross-border interoperability regime, including the following principles:

  1. Be transparent so that it is not difficult to comprehend what companies are doing with an individual’s data;
  2. Empower individuals by giving them rights over their own data;
  3. Promote corporate responsibility among companies that collect personal information;
  4. Have a strong enforcement mechanism to ensure that if consumers are granted rights they also have adequate remedies;
  5. Respect national sovereignty, but limit data localization to what is necessary for national governments to protect legitimate state interests; and
  6. Be sufficiently flexible to allow for the evolution of technology and evolving regulatory requirements.

Although there is a consensus on the value of interoperable privacy regimes, there is also a recognition that there are different perspectives on what the critical elements of “interoperability” should consist of, how they should be implemented and what enforcement mechanisms should apply.

Data Localization

Data localization laws place restrictions on where personal information may be stored and processed. The panelists discussed the impact of data localization laws, including:

  1. The obstacles data localization laws create for businesses seeking to serve customers both globally and locally (e.g., significant operational costs), which affects cross-border commerce;
  2. Governments’ national security and law enforcement interests; and
  3. The need to balance the benefits of enabling data to flow freely across borders with the legitimate interests of governments to protect their citizens.

Emerging International Frameworks

Two models of interoperability were the focus of discussion: the APEC CBPR System, and the EU “adequacy” test established under the EU General Data Protection Regulation (the “GDPR”).  The panelists discussed the benefits and challenges of both models and observed that, although the GDPR is generally considered a more stringent regime, the two models are not incompatible and there are countries that participate in both (e.g., Japan, Canada).

Enforcement Challenges

The panelists agreed that establishing a global privacy standard is challenging because privacy is culturally rooted, and each country may have a different understanding of human rights and civil liberties.  Thus, what may be considered “private” in one country may not be so in another, which could affect the enforcement mechanisms included in each country’s privacy regime.  The panelists also identified additional challenges in privacy enforcement, including the:

  1. Importance of allocating sufficient resources and enforcement powers to data protection authorities so they can promote accountability and secure redress for consumers;
  2. Privacy considerations in public and private sectors, which may sometimes be divergent; and
  3. Importance of developing legally enforceable mechanisms that evolve alongside changing technology.

Consumer Trust

From the consumer perspective, ensuring trust in online transactions is an imperative that will require laws designed to protect consumer privacy by default, including strong data minimization requirements, as well as effective opt-out mechanisms, such as global privacy controls that can be activated through browser settings.

There was a general consensus that we are now approaching an inflection point, with new and divergent privacy laws coming into force around the world, such as the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD), China’s Personal Information Protection Law (“PIPL”), California’s CCPA/CPRA and a number of other privacy laws at the state level in the U.S.  The panelists agreed that the next five years will be critical to the development of a global consensus on the minimum interoperability requirements to legitimize cross-border data flows in a world that is ever more reliant on the global internet.

A recording of this discussion is available here. The IIC/TMF also hosted a panel on U.S. privacy law developments.  A blog post on that is available here.

China Publishes New Draft Measure on Cross-Border Data Transfer

On October 29, 2021, China released the Draft Measures on Data Cross-Border Security Assessment (the “Draft Measures”) for public comment. Following two previous versions in 2017 and 2019, this new draft builds on the recently adopted Personal Information Protection Law (“PIPL”) and Data Security Law, and provides detailed requirements for the security assessment organized by the Cyberspace Administration of China (“CAC”) for cross-border data transfers. Most importantly, the Draft Measures clarify the definition of “large volume” personal information under the PIPL in connection with data localization and cross-border transfer, and also add new circumstances that will significantly expand the application of the government security assessment.

Specifically, data processors are required to pass government security assessment for cross-border transfer of data in any of the following circumstances:

  1. Transfer of personal information (“PI”) and important data by Critical Information Infrastructure Operators. This is in line with the PIPL.
  2. Transfer of “important data”. “Important data” is a concept under the Data Security Law, meaning data that the government has classified as such.
  3. Transfer by a PI processor that processes the PI of over 1,000,000 individuals. The PIPL provides that PI processors processing a “large volume” of PI must pass the security assessment prior to any cross-border transfer of PI, and that volume threshold is now defined in the Draft Measures as one million individuals.
  4. Transfer of the PI of over 100,000 individuals cumulatively. This is a new requirement that is not provided for in the PIPL. The difference between this clause and the one above is unclear. It seems that item (3) above refers to a processor holding the PI of more than 1 million individuals, regardless of how much data is transferred overseas, whereas item (4) focuses on the number of individuals whose PI is actually transferred.
  5. Transfer of the sensitive PI of over 10,000 individuals cumulatively. Again, this is a new requirement, not found in the PIPL. It seems that sensitive PI is considered separately from other PI for purposes of cross-border transfer.  This may significantly expand the application of the government security assessment, especially to employee PI transfers by large corporations.
  6. Other circumstances as required by the CAC.

The public comment period for the Draft Measures expires on November 28, 2021.

As Scott Warren, Lindsay Zhu and Katherine Fan discuss in greater detail here, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China passed the Personal Information Protection Law (the “PIPL”).  They explain that “[t]he final version of the PIPL sets forth a number of new obligations that apply to all Personal Information (PI) collected from the mainland of the People’s Republic of China (hereinafter ‘China’, or the ‘PRC’).  The main changes from the earlier drafts of the PIPL are that the final version allows the processing of employee information, revises the definition of ‘Sensitive Personal Information’ and indicates that special rules will be created for small enterprises.”  They provide a detailed breakdown of the PIPL’s requirements, which reiterates the importance of companies taking immediate steps to ensure compliance with these new and comprehensive regulations, including conducting a data inventory and mapping exercise, assessing the purpose and lawful basis for PI processing, conducting a PI protection assessment and adopting other measures in order to respond to data subject requests.

As reported in our recent post, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China passed the Personal Information Protection Law (the “PIPL”). The implementation date is set for November 1, 2021, though we await additional detail from the regulatory authorities, via promulgation orders, on a number of important provisions, as set forth below.

After three rounds of revisions, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China officially passed the Personal Information Protection Law (the “PIPL”).

  • Fundamental Principle. The fundamental principle under the PIPL is that the collection and processing of PI should be limited to the minimum necessary to fulfill the specific purpose of the processing (the so-called “minimum and necessary” principle). PI processing beyond that level may be found to violate the PIPL, even if individual consent is obtained or other formalities are fulfilled. PI processing and compliance programs should always be set up with this fundamental principle in mind.

China continues to be a hotbed of activity in the areas of privacy and cybersecurity legislation.  For background on the draft Personal Information Protection Law (“PIPL”) and proposed modifications published in April 2021, please see:

China’s Personal Information Protection Law: What It Means to Companies (Client Alert)

China Releases Second Draft of the Personal Information Protection Law: Comparison of Proposed Changes to First Draft (Security & Privacy // Bytes Blog)

China’s Personal Information Protection Law (Second Draft) – What to Expect (Consumer Privacy World Blog)

In a related development, on April 26, 2021, the Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) issued draft Interim Measures on Personal Information Protection of Mobile Internet Applications (the “Measures”) for public comment.

The draft Measures follow several rounds of enforcement actions relating to mobile applications (“apps”) in recent years, targeting the over-collection of users’ personal information (“PI”) through demands for access to the camera, microphone, photos, contact lists, etc. Currently, these activities are covered by two app-related practical guidelines, and the proposed Measures are the first comprehensive rules on the topic. The draft Measures specify various requirements and obligations applicable to app developers, distribution platforms, third-party app service providers, mobile device manufacturers and network access service providers. Other important provisions may be summarized as follows:

On April 29, 2021, the National People’s Congress Standing Committee of the People’s Republic of China released a second draft of the Personal Information Protection Law (the “PIPL”) for public comment. In general, the second draft does not deviate much from the prior version released in October 2020. For further details on the original draft of the PIPL, please see our previous blog and client alert.

China’s Personal Information Protection Law: What It Means to Companies (Client Alert)

China’s Personal Information Protection Law (Second Draft) – What to Expect (Consumer Privacy World Blog)

We have summarized the highlights of the proposed changes contained in the second draft below:

On April 29, 2021, China unveiled its second draft of the Personal Information Protection Law (the “draft PIPL”). The draft is open for public comment until May 28, 2021. The law aims to provide greater protection for personal information and to create a data privacy regime that is more closely aligned with the EU General Data Protection Regulation (“GDPR”).

Some highlights of the draft PIPL are as follows:

Territorial scope

The draft PIPL applies to the processing of personal information within the People’s Republic of China (“PRC”), and to the extraterritorial processing of personal information of natural persons located in the PRC under certain circumstances, such as where the purpose is to provide products or services to those natural persons, or in other circumstances specified by laws and administrative regulations.

Key definitions

There are a number of obligations on “Personal Information Processors” (PIPs), which the PIPL defines as “organizations or individuals that independently make decisions on personal information processing matters such as the purpose and means of processing”.  This term appears to correlate with the “data controller” concept under the GDPR.

Obligations of PIPs and “data processors”

The obligations of PIPs are detailed in Chapter 5 of the draft PIPL. In particular, PIPs that process personal information above a specified volume must designate a personal information protection officer responsible for supervising personal information processing activities and adopting protective measures. PIPs are also required to conduct prior risk assessments of certain personal information processing activities (e.g., those relating to sensitive personal information) and to conduct regular audits. Entities entrusted to process personal information (comparable to “data processors” under the GDPR) must fulfill the same obligations under Chapter 5.

Cross-border transfer of personal information

Under the draft PIPL, PIPs can only transfer personal information overseas by complying with at least one of the following: (1) undergo a security assessment administered by the National Cyberspace Administration (NCA); (2) obtain verification from professional institutions in accordance with the rules of the NCA; (3) enter into a transfer agreement with the transferee using the standard contract published by the NCA; or (4) follow the transfer mechanisms in accordance with other laws and regulations.

Individual rights

Individuals are entitled to various rights under the draft PIPL, including but not limited to the right to restrict or refuse the processing of their personal information, the right of access to their personal information and the right to request correction and deletion of their personal information. PIPs would have to give reasons if they reject such requests from individuals.

Violations of the draft PIPL could attract significant penalties. Fines of up to 1 million Renminbi (~USD 150,000) could be imposed on companies, with fines of 10,000 to 100,000 Renminbi (~USD 1,500 to 15,000) imposed on responsible individuals. In more serious cases, fines could be increased to 50 million Renminbi (~USD 7.5M) or 5% of the company’s total turnover in the preceding year for companies, and 100,000 to 1 million Renminbi (~USD 15,000 to 150,000) for responsible individuals.

It is impossible to predict whether the draft PIPL will be further modified prior to its final enactment.  Nonetheless, if passed, the legislation would be the first in the PRC dedicated to personal information protection and it will likely form the legal framework that governs personal data protection in the PRC for years to come.

For more on this area of the law and additional detail, see the earlier client alert, China’s Personal Information Protection Law: What It Means to Companies, authored by Nicholas Chan, Scott Warren, Ju (Lindsey) Zhu, Rosa Barcelo, Alan Friel and Ann LaFrance.