International

On Episode 19 of Covington’s Inside Privacy Audiocast, Dan Cooper and Yan Luo discuss the key provisions of China’s draft SCCs, compare the draft legislation with the GDPR, and talk through actions that companies should be considering in order to comply with the new cross-border data requirements.

This audiocast episode is repurposed from a

On 18 July 2022, following its recent response to the public consultation on the reform of UK data protection law (see our blog post on the response here), the UK Government introduced its draft Data Protection and Digital Information Bill (the “Bill”) to the House of Commons.

The Bill is 192 pages, and contains 113 sections and 13 Schedules, which amend and sit alongside existing law (the UK GDPR, Data Protection Act 2018 (“DPA”), Privacy and Electronic Communications Regulations 2003 (“PECR”), the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, etc.). Some readers’ immediate reaction might be to query whether the Bill will simplify the legislative framework for businesses operating in the UK and facilitate the goal of the Information Commissioner to provide “certainty” for businesses. Time will tell. The Government’s publication of a Keeling Schedule (essentially a redline of the UK GDPR and DPA 2018 showing the changes resulting from the Bill), expected in the Autumn, will be welcome.

Much of the content of the Bill was previewed in the Government’s consultation response and includes proposed changes that are designed to try to reduce the administrative burden on business to some extent. The Bill is by no means a radical departure from existing law, however, and in some key areas – such as data transfers – the law will essentially remain the same. But we now have additional important details on proposed changes to UK data protection law, and we set out in this post our immediate thoughts on some details that are worth highlighting.

Continue Reading A Cautious Approach: the UK Government’s Data Protection and Digital Information Bill

In October 2019, the UK and U.S. Governments signed an agreement on cross-border law enforcement demands for data from Communication Service Providers (the “Agreement”, which we described in our earlier post here). Only now, however, have the two countries completed the procedural steps required to bring the Agreement into force. On July 21, 2022

On July 21, 2022, the Cyberspace Administration of China (“CAC”) – the country’s primary regulator for cybersecurity and privacy – imposed a fine of RMB 8.026 billion (around $1.2 billion USD) on China’s largest ride-hailing company for violating data protection laws, including the Cybersecurity Law, Data Security Law and Personal Information Protection Law. 

In addition to the two developments we reported on in our last blog post, on July 7, 2022, the long-awaited, final version of the Measures for Security Assessment of Cross-border Data Transfer (《数据出境安全评估办法》, “Measures”) was released by the Cyberspace Administration of China (“CAC”). With a very tight implementation schedule, the Measures will take effect on September 1, 2022. The full text of the Measures can be found here (currently available only in Mandarin Chinese).

In this blog, we highlight a few key takeaways from the final Measures.

Continue Reading China Releases Measures for a Security Assessment of Cross-Border Data Transfers To Take Effect in September 2022

The UK Government recently published its long-awaited response to its data reform consultation, ‘Data: A new direction’ (see our post on the consultation, here).

As many readers are aware, following Brexit, the UK Government has to walk a fine line between trying to reduce the compliance burden on organizations and retaining the ‘adequacy’ status that the European Commission granted in 2021 (see our post on the decision, here).

While we’ll have to wait to review the detail of the final legislation, we outline below some of the more eye-catching proposals for reform.

Continue Reading 8 Eye-catching Reforms in the UK Government’s Response to its Public Consultation on Data Protection Law

On June 30, 2022, the European Data Protection Board published draft guidelines on certification as a tool for transfers.  These guidelines complement the EDPB’s earlier guidelines on certification and identifying certification criteria.

These guidelines and the guidelines on codes of conduct as tools for transfers appear to be part of the EDPB’s broader response to the Schrems II decision issued by the Court of Justice of the European Union (“CJEU”), which invalidated the EU-US Privacy Shield framework.  The approval of certification schemes expands the toolbox available under Art. 46 GDPR for lawfully transferring personal data outside the EEA.

Continue Reading European Data Protection Board Publishes Guidelines on Certification as a Tool for International Personal Data Transfers

On June 23, 2022, the German Federal Office for Information Security (“Office”) published technical guidelines on security requirements for healthcare apps, including mobile apps, web apps, and background systems.  Although the technical guidelines are aimed at healthcare app developers, they contain useful guidance for developers of any app that processes or stores sensitive

More than seven months after China’s Personal Information Protection Law (《个人信息保护法》, “PIPL”) went into effect, Chinese regulators have issued several new (draft) rules over the past few days to implement the cross-border data transfer requirements of the PIPL. In particular, Article 38 of the PIPL sets out three legal mechanisms for lawful transfers of personal information outside of China, namely: (i) successful completion of a government-led security assessment, (ii) obtaining certification under a government-authorized certification scheme, or (iii) implementing a standard contract with the party(-ies) outside of China receiving the data. The most recent developments in relation to these mechanisms concern the standard contract and certification.

Continue Reading Cross-Border Data Transfer Developments in China

On June 21, 2022, the Court of Justice of the EU (“CJEU”) decided that the Passenger Name Record (“PNR”) Directive’s provisions providing for the processing of PNR data by competent Member State authorities are compatible with the EU Charter of Fundamental Rights (“Charter”). However, the CJEU also decided that the PNR Directive limits the way in which Member State laws transpose some of its provisions, particularly in relation to the collection of passenger information for intra-EU flights. Its decision will require Belgium to amend its law transposing the PNR Directive, mainly in relation to the PNR data competent authorities may receive and how they can process this data. It is likely to indirectly impact air carriers and tour operators operating in Belgium, as it will reduce the amount of data they need to share with competent authorities under such a revised legal framework.

The CJEU decision also considers Member State laws transposing (1) the Council Directive 2004/82/EC on the obligation of carriers to communicate passenger data (API Directive) and (2) Directive 2010/65/EU on reporting formalities for ships arriving in and/or departing from ports of the Member States.

The case was lodged on October 31, 2019, by the non-profit organization Ligue des Droits Humains before the Belgian courts in relation to the Belgian law transposing the PNR and API Directives. The Belgian Constitutional Court referred certain questions to the CJEU.

Continue Reading Court of Justice of the EU Decides that the Passenger Name Record Directive is Compatible with EU Law