Global Privacy & Security Compliance Law Blog

China Issues New Rules on Cybersecurity Review for Network Platform Operators Listing Abroad

Posted in Legislative & Regulatory Developments

Under the new rules Chinese NPOs holding more than 1 million individuals’ personal information must apply for a cybersecurity review prior to listing abroad.

By Hui Xu, Kieran Donovan, and Bianca Lee

On February 15, 2022, the Cybersecurity Review Measures (2021) (CRM 2021, unofficial English text available here) took effect. CRM 2021 was promulgated on December 28, 2021, by the Cyberspace Administration of China (CAC) and 12 other Chinese central authorities, including the Ministry of State Security, the Ministry of Industry and Information Technology (MIIT), and the China Securities Regulatory Commission (CSRC). The CAC published the first draft of CRM 2021 on July 10, 2021, for public comments, and published the final version on January 4, 2022. The CAC cites the Data Security Law (DSL) as the legal basis for the authority of CRM 2021.

The promulgation of CRM 2021 marks a step forward in China’s strict regulation of Chinese companies’ overseas listing and adds another hurdle to companies’ listing process. However, as the CSRC has repeatedly emphasized to the media, the Chinese government has no intention of banning Chinese companies from listing overseas, but rather wants to strengthen regulation from a national security and data security perspective.

See Latham’s Client Alert for a detailed discussion of CRM 2021, the new requirements that it introduces, and what Chinese companies will need to focus on when considering an overseas listing.

UAE Publishes First Federal Data Protection Law

Posted in Legislative & Regulatory Developments

Organisations subject to the law should carry out a gap analysis of their current compliance position against the new requirements.

By Brian A. Meenagh, Alexander Hendry, and Lucy Tucker

The United Arab Emirates (UAE) has issued its first federal data protection law (Federal Decree Law No. 45/2021 on the Protection of Personal Data) (the Data Protection Law), alongside a law establishing the new UAE Data Office (Federal Decree Law No. 44/2021 on Establishing the UAE Data Office).

The issuance of the Data Protection Law follows a trend of new data protection laws in the Middle East, including a data protection law in Saudi Arabia that will come into force on 23 March 2022.

CNIL Publishes White Paper on Digital Payments and Data Privacy

Posted in Legislative & Regulatory Developments, Privacy, Security

The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations.

By Christian F. McDermott, Myria Saarinen, Calum Docherty, Charlotte Guerin, Jiou (Alex) Park, and Amy Smyth

The use of card, contactless, and innovative digital payment solutions has significantly increased in recent years, fueled by the immediate impacts of the ongoing COVID-19 pandemic and the longer-term growth of e-commerce and open banking. In this context, the legal and regulatory environment around payment data is no longer limited to traditional actors in the banking sector or the long-established ambit of banking secrecy rules. As such, stakeholders from fintech startups to established technology giants face an increasing patchwork of compliance obligations.

FTC Serves Notice of Enforcement Approach on Endorsements and Testimonials

Posted in Legislative & Regulatory Developments

Following recent setbacks, the FTC seeks a foothold for monetary remedies in the online advertising space.

By Jennifer C. Archie, Antony “Tony” Kim, Michael H. Rubin, and Marissa R. Boynton

On October 13, 2021, the Federal Trade Commission (FTC) sent a Notice of Penalty Offenses Concerning Endorsements and Testimonials to more than 700 businesses (the Notice). The Notice does not identify any alleged violations of law. Rather, it reminds recipients that fake online reviews and misleading endorsements are unlawful and highlights that the FTC intends to seek monetary relief if any of those 700 companies engages in conduct outlined in the Notice.

In citing past administrative cases, several of which date back to the 1940s and 1950s, the FTC warns brands and advertising agencies that using endorsements or testimonials in ways that run counter to these cases may expose them to civil penalties of up to US$43,792 per violation. The Notice follows on the heels of a similar warning regarding deceptive or unfair practices that was issued earlier in October to 70 for-profit higher education institutions.

Read the full Client Alert.

China Introduces First Comprehensive Legislation on Personal Information Protection

Posted in Privacy, Security

The Personal Information Protection Law, or PIPL, imposes stringent obligations of a similar standard to the GDPR and will take effect on November 1, 2021.

By Hui Xu, Kieran Donovan, and Bianca Lee

On August 20, 2021, the Standing Committee of the National People’s Congress adopted the Personal Information Protection Law of the People’s Republic of China (PIPL), the first legislation dedicated to protecting personal information in China. PIPL will take effect on November 1, 2021. PIPL previously underwent two revisions: the First Draft in October 2020 and the Second Draft in April 2021. Prior to PIPL, personal information in China was protected largely by the Network Security Law (which took effect in June 2017), the Civil Code (which took effect in January 2021), various provisions in other laws, and the Data Security Law, which was adopted in June 2021 and took effect on September 1, 2021. Collectively, these legislative sources will provide a comprehensive legal framework for protecting personal information in China.

Key Points:

  • Extraterritorial effect: PIPL applies to those who process personal information about Chinese individuals inside China as well as those who process personal information about Chinese individuals outside China.
  • Legal basis: PIPL expands the legal bases for processing personal information to seven, including where it is necessary for the performance of a contract with the individual.
  • Data transfer restrictions and localization requirements: Critical information infrastructure operators (CIIOs) and those who exceed the threshold of personal information processed set by the Cyberspace Administration of China (CAC) must store personal information in China unless they pass a CAC security assessment. PIPL also imposes more stringent requirements on cross-border data transfers, e.g., consent of the individual is always required.
  • Fines: Those who violate PIPL may face fines of up to 5% of annual revenue of the previous year or CNY50 million.

Read the full Client Alert.

China Issues New Regulations to Protect the Critical Information Infrastructure

Posted in Privacy, Security

The regulations aim to protect the security of the CII and impose more compliance obligations in support of the Network Security Law.

By Hui Xu and Kieran Donovan

On July 30, 2021, the State Council of the People’s Republic of China (PRC) published the Security Protection Regulations on the Critical Information Infrastructure (the Regulations), which were adopted by the State Council on April 27, 2021. The Regulations took effect on September 1, 2021, along with the recently passed Data Security Law. The Regulations are the first set of administrative regulations promulgated by the State Council on the critical information infrastructure (the CII) since the concept of the CII was first introduced in the Network Security Law in 2016.

The Regulations are designed to provide clarification and guidance on:

  • Scope and designation of the CII. The Regulations offer a more detailed definition of the CII than that in the Network Security Law, and add “national defense and technology industries” to the scope of the important industries and sectors. For a more specific identification of the CII, the Regulations delegate to the competent industry regulators the authority to formulate implementing rules designating the CII for their industries and sectors.
  • Compliance obligations for critical information infrastructure operators (CIIOs). The Regulations impose the following compliance obligations on CIIOs: (1) establishing comprehensive network security protection systems and accountability systems; (2) setting up a dedicated security management function responsible for security protection work; (3) carrying out network security inspections and risk assessments; (4) undertaking network security reviews and entering into confidentiality agreements when purchasing network products and services; and (5) reporting network security incidents or threats to the authorities.
  • Regulatory requirements on the protection of the CII. The Regulations outline responsibilities and duties for related governmental authorities to carry out the security protection of the CII, including the Protection Departments of relevant industries, the Cybersecurity Administration of China, the Public Security Bureaus, the National Security Bureaus, and relevant authorities at provincial levels.
  • Penalties (including high fines and severe consequences) on CIIOs that fail to fulfill the compliance obligations and to meet regulatory requirements. The Regulations are generally consistent with the Network Security Law on penalties for CIIOs that breach their obligations. Non-compliant CIIOs may be required to rectify damage caused by violations and may receive a warning from competent authorities, and may face monetary penalties up to CNY1 million (~US$154,000), and responsible personnel may be subject to fines up to CNY100,000 (~US$15,000).

Read the full Client Alert.

UAE Decision on Health Data Law Provides Clarity

Posted in Privacy

The decision will likely provide comfort to businesses operating in the healthcare sector both in the UAE and globally.

By Brian A. Meenagh and Avinash Balendran

On 28 April 2021, the United Arab Emirates (UAE) federal government issued Ministerial Decision No. 51 of 2021 (the Decision) to clarify when health information may be stored or transferred outside of the UAE. The Decision should pave the way for many domestic and overseas healthcare service providers to continue processing, storing, and transferring health information outside of the UAE.

The Decision reiterates the default position established in 2019 that health information must be kept within the UAE unless such activity has been approved by a decision of the health authority or the UAE Minister of Health and Prevention. Crucially, however, the Decision provides a series of exemptions to that default position.

To see a table of the exemptions, read Latham’s Client Alert.

China’s New Data Security Law: What to Know

Posted in Legislative & Regulatory Developments, Security

The Data Security Law will enhance an increasingly comprehensive legal framework for information and data security in the PRC.

By Hui Xu and Kieran Donovan

On June 10, 2021, the Standing Committee of China’s National People’s Congress passed the Data Security Law (DSL), which will come into effect on September 1, 2021. The primary purpose of the law is to regulate data activities, safeguard data security, promote data development and usage, protect individuals and entities’ legitimate rights and interests, and safeguard state sovereignty, state security, and development interests. The DSL will enhance an increasingly comprehensive legal framework for information and data security in the People’s Republic of China (PRC). Highlights in the DSL include that it:

  • Applies to a wide range of data and data activities, with extraterritorial jurisdiction. The DSL broadly defines “data” as any record of information created in electronic or other forms, and comprehensively defines “data activities” to include data collection, storage, usage, processing, transmission, provision, and disclosure of data. The territorial scope of the DSL extends beyond the PRC and also applies to data activities conducted outside of the PRC, if they may “harm the national security or public interests of the PRC, or the legitimate rights of Chinese citizens or entities.”
  • Refines regulations on “important data” and emphasizes protection of “core state data.” The DSL proposes to classify and protect data based on importance of the data and requires authorities to provide a list of important data to strengthen the protection. The DSL further introduces the concept of core state data and emphasizes that the state will implement a strengthened management system in relation to core state data involving national security, lifelines of the national economy, important people’s livelihood, and major public interests.
  • Imposes a set of obligations combined with high fines and severe penalties on entities and individuals who conduct data activities. In particular, entities violating regulations on cross-border data transfer, or entities violating the core state data management system or harming state sovereignty, national security, and development interests, may face penalties including monetary fines of up to CNY10 million (~US$1.5 million) and/or revocation of business licenses or orders to close down businesses, and may bear criminal responsibility (if applicable).

Read the full Client Alert.

EDPB Issues New Guidance on Storing Credit Card Data for Future Purchases

Posted in Legislative & Regulatory Developments, Security

Online retailers storing credit card data for the sole purpose of facilitating further purchases will likely need to obtain consumer consent.

By Christian F. McDermott, Calum Docherty, and Victoria Wan

Online shopping has boomed in recent years. In 2020, the European statistics agency Eurostat estimated that 7 out of 10 internet users made online purchases within a 12-month period. The European Central Bank found that the total number of non-cash payments in the euro area increased by 8.1% in 2019 (the last year statistics are available) year-on-year with a total value of €162 trillion, which included 45 billion transactions processed by retail payment systems worth €35 trillion. This growth has likely surged during the COVID-19 pandemic, when many consumers turned to e-commerce.

The opportunities for retailers also present data protection risks. On 19 May 2021, the European Data Protection Board (EDPB) adopted Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions (the Recommendations) to address the vast data processing operations behind these transactions. The Recommendations focus on when and how online retailers can store a customer’s credit card data after a sale or transaction for the sole purpose of facilitating future purchases by that customer. The EDPB has expressly excluded from the scope of the Recommendations the storage of credit card data in relation to ongoing contracts, such as for subscription services, and the activities of payment institutions operating in online stores. The Recommendations only reference credit cards and not payment cards more generally (such as debit cards, prepaid cards, etc.). It is unclear whether the EDPB might have similar expectations of online retailers that store other payment card or direct debit data for the same purposes.

The Recommendations are not legally binding, but provide a brief exploration of the EDPB’s assessment of the legal bases available to the online retailer. The EDPB concludes that, in its view, the only appropriate legal basis for such processing is consent under Article 6(1)(a) of the General Data Protection Regulation 2016/679.

New Standard Contractual Clauses and Final EDPB Recommendations – Next Steps

Posted in Legislative & Regulatory Developments

Companies have three months to prepare to use the latest standard contractual clauses for new data transfers, and 18 months to migrate existing arrangements.

By Gail Crawford, Fiona Maclean, Danielle van der Merwe, and Amy Smyth

On 4 June 2021, the European Commission released its much-anticipated final Implementing Decision containing the new standard contractual clauses (SCCs) for the transfer of personal data to third countries, which will enter into effect on 27 June 2021. Organisations may continue to use the existing SCCs until 27 September 2021, after which time the new SCCs must be used for relevant new data transfers. Organisations have an 18-month grace period (until 27 December 2022) during which they must migrate any existing SCC arrangements to the new SCCs.