Updates on developments in data privacy and cybersecurity
On Episode 19 of Covington’s Inside Privacy Audiocast, Dan Cooper and and Yan Luo discuss the key provisions of China’s draft SCCs, compare the draft legislation with the GDPR, and talk through actions that companies should be considering in order to comply with the new cross-border data requirements.
This audiocast episode is repurposed from a…
In October 2019, the UK and U.S. Governments signed an agreement on cross-border law enforcement demands for data from Communication Service Providers (the “Agreement”, which we described in our earlier post here). Only now, however, have the two countries completed the procedural steps required to bring the Agreement into force. On July 21, 2022…
On June 30, 2022, the European Data Protection Board published draft guidelines on certification as a tool for transfers. These guidelines complement the EDPB’s earlier guidelines on certification and identifying certification criteria.
These guidelines and the guidelines on codes of conduct as tools for transfers appear to be part of the EDPB’s broader response to the Schrems II decision issued by the Court of Justice of the European Union (“CJEU”), which invalidated the EU-US Privacy Shield framework. The approval of certification schemes expands the toolbox available under Art. 46 GDPR for lawfully transferring personal data outside the EEA.…
After more than seven months since China’s Personal Information Protection Law (《个人信息保护法》, “PIPL”) went into effect, Chinese regulators have issued several new (draft) rules over the past few days to implement the cross-border data transfer requirements of the PIPL. In particular, Article 38 of the PIPL sets out three legal mechanisms for lawful transfers of personal information outside of China, namely: (i) successful completion of a government-led security assessment, (ii) obtaining certification under a government-authorized certification scheme, or (iii) implementing a standard contract with the party(-ies) outside of China receiving the data. The most recent developments in relation to these mechanisms concern the standard contract and certification.…
Continue Reading Cross-Border Data Transfer Developments in China
On Episode 16 of Covington’s Inside Privacy Audiocast, Dan Cooper, Yan Luo and Zhijing Yu discuss the implications of China’s Personal Information Protection Law (PIPL) for companies with data or doing business in China. The law, which entered into force on November 1, is the first comprehensive personal information protection law in China and…
On September 28, 2021, the European Data Protection Board (“EDPB”) issued its opinion on the European Commission’s (“Commission”) draft decision on the adequate protection of personal data in the Republic of South Korea. Once the Commission approves the decision, it will allow for personal data to flow freely from the EEA to commercial operators and public authorities in South Korea, without the need to implement other transfer mechanisms provided in the General Data Protection Regulation (“GDPR”), such as standard contractual clauses.
The EDPB’s opinion is overall favorable with respect to the Commission’s finding that South Korea’s data protection laws offer a level of protection essentially equivalent to that provided by the GDPR. In particular, the EDPB highlights that there are “numerous similarities” between the South Korean data protection laws (which include the Personal Information Protection Act (PIPA), its adjoining Enforcement Decree, and Notification No. 2021-1) and the European data protection framework, in particular the GDPR.
Continue Reading EDPB Adopts Overall Favorable Opinion on European Commission’s Draft Adequacy Decision for South Korea
There have been many headlines today about the UK Government’s plans to reform UK data protection law. We are still reviewing the (near 150-page) consultation document, but set out below a dozen proposals that we thought might pique the interest of readers of our blog.
Continue Reading 12 Eye-Catching Proposals In The UK Government’s Plan To Reform UK Data Protection Law
On August 11, 2021, the UK Information Commissioner’s Office (“ICO”) opened a public consultation to solicit stakeholder input regarding the UK’s approach to regulating international transfers of personal data under the UK General Data Protection Regulation (“UK GDPR”) (see here). To kick off this initiative, the ICO published a consultation paper setting out various policy options that the UK is considering, as well as:
The ICO has requested that interested stakeholders submit their feedback by no later than October 7, 2021. In this blog post, we summarize these documents and tools, and identify topics that interested stakeholders may want to address when preparing their submission to the public consultation.…
On July 2 and July 5, 2021, China’s Cybersecurity Review Office (“CRO”), an office established under the Cyberspace Administration of China (“CAC”) responsible for coordinating the implementation of China’s Cybersecurity Review framework (more details about this framework can be found in our previous blogpost, available here), announced that it had initiated cybersecurity reviews against four mobile applications operated by three Chinese companies: Didi Chuxing (“Didi”), Yunmanman, Huochebang and BOSS Zhipin (announcements are available here and here).
According to CRO’s announcements, these cybersecurity reviews were initiated based on requirements under the National Security Law (“NSL”), the Cybersecurity Law (“CSL”) and the Measures on Cybersecurity Review (“Measures”) and are aimed at “preventing national data security risks, maintaining national security and safeguarding public interests.” This is the first time that CRO publically announced the initiation of cybersecurity reviews against companies after the Measures took effect on June 1, 2020. Per the announcements, these apps are prohibited from registering new user accounts during the review period.
Separately, on July 4, CAC ordered the Didi app to be removed from Chinese app stores on the ground that the app seriously violated Chinese laws and regulations by “illegally collecting and using personal information” (the announcement is available here). It is unclear whether this “take down” order is related to CRO’s ongoing cybersecurity review of Didi.
This post explains the requirements and procedures of cybersecurity review under the Measures, analyzes the focus of the current review against these three companies, and provides more background on recent enforcement actions against apps illegally collecting and processing personal information. …
Continue Reading China Initiates Cybersecurity Review of Didi ChuXing and Three Other Chinese Mobile Applications
On June 24, 2021, Australian parliament passed legislation establishing a framework for its enforcement agencies to access certain electronic data held by companies outside of Australia for law enforcement and national security purposes. The law paves the way for the establishment of a bilateral agreement with the United States under the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act.
Similar to the function of the CLOUD Act, the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 enables Australian enforcement authorities to compel companies covered by the statute to provide data, regardless of where the data is stored. The legislation introduces international production orders, a form of legal process for compelling real-time interception of communications or the production of stored communications and telecommunications data, which can be served directly on communications providers in foreign countries with which Australia has an agreement.
Continue Reading Australia Passes Cross-Border Data Access Law, Creates a Pathway for CLOUD Act Bilateral Agreement
