Security

Subscribe to Security via RSS

The regulations aim to protect the security of the CII and impose more compliance obligations in support of the Network Security Law.

By Hui Xu and Kieran Donovan

On July 30, 2021, the State Council of the People’s Republic of China (PRC) published the Security Protection Regulations on the Critical Information Infrastructure (the Regulations), which was adopted by the State Council on April 27, 2021. The Regulations took effect on September 1, 2021, along with the recently passed Data Security

The Data Security Law will enhance an increasingly comprehensive legal framework for information and data security in the PRC.

By Hui Xu and Kieran Donovan

On June 10, 2021, the Standing Committee of China’s National People’s Congress passed the Data Security Law (DSL), which will come into effect on September 1, 2021. The primary purpose of the law is to regulate data activities, safeguard data security, promote data development and usage, protect individuals and entities’ legitimate rights and interests, and

Online retailers storing credit card data for the sole purpose of facilitating further purchases will likely need to obtain consumer consent.

By Christian F. McDermott, Calum Docherty, and Victoria Wan

Online shopping has boomed in recent years. In 2020, the European statistics agency Eurostat estimated that 7 out of 10 internet users made online purchases within a 12-month period. The European Central Bank found that the total number of non-cash payments in the euro area increased by 8.1% in 2019 (the last year statistics are available) year-on-year with a total value of €162 trillion, which included 45 billion transactions processed by retail payment systems worth €35 trillion. This growth has likely surged during the COVID-19 pandemic, when many consumers turned to e-commerce.

The opportunities for retailers also present data protection risks. On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions (the Recommendations) to address the vast data processing operations behind these transactions. The Recommendations focus on when and how online retailers can store a customer’s credit card data after a sale or transaction for the sole purpose of facilitating future purchases by that customer. The EDPB has expressly excluded from the scope of the Recommendations the storage of credit card data in relation to ongoing contracts, such as for subscription services, and the activities of payment institutions operating in online stores. The Recommendations only reference credit cards and not payment cards more generally (such as debit cards, prepaid cards, etc.). It is unclear whether the EDPB might have similar expectations of online retailers that store other payment card or direct debit data for the same purposes.

The Recommendations are not legally binding, but provide a brief exploration of the EDPB’s assessment of the legal bases available to the online retailer. The EDPB concludes that, in its view, the only appropriate legal basis for such processing is consent under Article 6(1)(a) of the General Data Protection Regulation 2016/679.

The EDPB takes a strict approach in its recent guidance on international data transfers following Schrems II, posing a difficult challenge for businesses.

By Gail Crawford, Ian Felstead, Fiona Maclean, Serrin Turner, Tim Wybitul, Victoria Wan and Amy Smyth

On 10 November, the European Data Protection Board (EDPB) released its much anticipated draft guidance on international personal data transfers (the Guidance) in the wake of the CJEU Schrems II decision. The EDPB simultaneously issued updated recommendations on the European Essential Guarantees for surveillance measures, which are referred to in the Guidance. The Guidance sets out the EDPB’s proposed step-by-step process for data controllers or data processors that export personal data outlining how to assess their data transfers and implement General Data Protection Regulation (GDPR)-compliant mechanisms to protect data flows. One day later, the European Commission released draft updated Standard Contractual Clauses (SCCs) for the transfer of personal data. The draft updated SCCS are explicitly designed to address Schrems II requirements, and cross-refer extensively to the Guidance in the draft implementing decision. —

The proposed Data Security Law has a broad jurisdictional scope and will expand the PRC’s regulatory framework for information and data.

By Hui Xu, Gail E. Crawford, Jennifer C. Archie, Kieran Donovan, and Aster Y. Lin

On July 3, 2020, the Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) issued the draft Data Security Law (DSL) for public comment. Once finalized, the DSL, together with the PRC Network Security Law and the proposed PRC Personal Information Protection Law, will form an increasingly comprehensive legal framework for information and data security.

Eliminating the risk of business email compromise (BEC) attacks requires all parties to a financial transaction to pay close attention to email security, financial controls, and communication protocols.

By Jennifer C. Archie, Serrin Turner, and Tim Wybitul

Key Points:

  • The FBI has identified BEC fraud as the No. 1 financial threat to businesses in the US.
  • The FBI’s Internet Crime Complaint Center (IC3) estimates that global “exposed dollar losses” to BEC fraud has exceeded US$26 billion in the past three years.[i] In 2019 alone, the IC3 recorded 23,775 complaints about BEC, which resulted in losses worth some US$1.7 billion.
  • All parties to financial transactions must be aware of this fraud risk. Each should put in place not only appropriate security controls for email, but also financial controls for bank account and wiring-instruction verification.

What Is Business Email Compromise?

Business email compromise is a type of Internet-based fraud that typically targets employees with access to company finances — using methods such as social engineering and computer intrusions. The objective of the fraud is to trick the employee into making a wire transfer to a bank account thought to belong to a trusted partner, but that in fact is actually controlled by the fraudster.

As Russia’s internet law imposes new obligations on technology and infrastructure companies, the Russian government considers subordinate legislation.

By Tim Wybitul, Ulrich Wuermeling, and Ksenia Koroleva

On November 1, 2019, the majority of provisions of Russia’s internet law (RuNet Law) entered into force. Its principal purpose is to ensure the independent operation, safety, and security of the Russian segment of the internet. However, the overall effect of the RuNet Law is expected to be similar to China’s Great Firewall, a system of legal and technical measures employed by the Chinese government to monitor and restrict the use of the internet.

China’s PCPPIC protects children’s personal information in much the same way as COPPA and the GDPR, but with a few differences.

By Wei-Chun (Lex) Kuo, Weina (Grace) Gao, and Cheng-Ling Chen

On August 22, 2019, the Cyberspace Administration of China (CAC) released a new data privacy regulation related to children, the Provisions on Cyber Protection of Personal Information of Children (儿童个人信息网络保护规定)(PCPPIC). The regulation will come into effect on October 1, 2019, and will apply within the People’s Republic of China (PRC).The PCPPIC’s stated purpose is “protecting the security of children’s personal information and promoting the healthy growth of children in the PRC.” In 29 Articles, the PCPPIC sets forth high-level requirements for the collection, storage, use, transfer, and disclosure of the personal information of children within PRC territory.

UK confirms reciprocal requirements for digital services providers to appoint UK representatives for NIS purposes, following Brexit.

By Gail E. Crawford, Fiona Maclean, and Amy Smyth

Following a consultation process, the UK government has now confirmed that it will put forward legislation to require non-UK-based digital services providers — larger cloud providers, search engines, and online marketplaces — that provide services into the UK to nominate a UK representative following Brexit. The representative will also have to be registered with the UK Information Commissioner’s Office (ICO).

Non-UK-based digital services providers will remain liable for breaches, notwithstanding the appointment of a representative. A representative will be required to act on behalf of a provider, but it is not currently clear whether a representative maybe be liable for a provider’s breach; whether the updated UK NIS Regulations will address this point explicitly remains to be seen.

The guidance provides general requirements for obtaining valid consent and details conditions under which audience management cookies may be exempt.

By Myria Saarinen and Camille Dorval

On 4 July 2019, one day after the UK Information Commissioner’s Office (ICO) published new guidance on cookies, the French Data Protection Authority (CNIL) released its own new guidance (Guidance). A corrective version followed on 19 July 2019.

The Guidance clarifies “consent” under Article 82 of the French Data Protection Act (Article 82). Article 82 implements the ePrivacy Directive’s cookies rule and constitutes the foundation of the French rules requiring organizations placing non-essential cookies to provide “clear and complete” information to users and to obtain their consent to the use of cookies.