Merchant

When China’s legislature, the National People’s Congress (“NPC”), enacted the Cybersecurity Law (“CSL”) in 2017, it set into motion a new era of data governance in China.  Three years later, in 2020, the NPC followed up this landmark act with two other legislative milestones in this space: the draft Data Security Law (“DSL”) (see our blogpost here) and draft Personal Information Protection Law (“PIPL”) (see our client alert here).  Both the PIPL and DSL will be finalized this year.  Taken as a whole, these three laws form an over-arching framework that will govern data protection and cybersecurity in China for years to come.

While the DSL and PIPL have remained in draft form over the past year, the Chinese government has not stood idly by – instead, various Chinese regulators have continued to introduce data- and cyber-related rules in  key sectors.  Many of these sectoral rules do not appear to be primarily focused on data protection or cybersecurity, yet they may indirectly impact the collection, use and processing of personal information in specific sectors.  The rollout of these new rules has not been fully coordinated, and the approaches taken in some cases deviate from the over-arching framework mentioned above.  We expect this divergence to remain, even after the finalization of the PIPL and DSL.  Consequently, China’s data and cyber regime will likely present a complex web of regulatory rules for organizations to navigate – both now and in the years ahead.

In this blog series, we examine several recently-introduced data and cyber rules in the areas of e-commerce, finance, healthcare, and artificial intelligence – all of which are rapidly expanding sectors in China where the collection and use of massive amounts of personal information have given rise to a variety of regulatory concerns.  We will also explain, in the last blogpost of this series, China’s recent push to regulate how mobile applications can collect and process user data.

In our first blogpost of this series, we focus on recent developments in China’s e-commerce sector.Continue Reading Privacy Updates from China: Proliferation of Sector-Specific Rules As Key Legislation Remains Pending – Part 1: Data Protection in the E-Commerce Sector

Just under a year has passed since the California Supreme Court ruled that asking for a customer’s ZIP code during a credit card transaction violates California’s Song-Beverly Credit Card Act.  According to media reports, the court’s decision in Pineda v. Williams-Sonoma Stores, Inc. has spurred more than 200 suits against California retailers.  A roundup of recent developments in Song-Beverly Act litigation:

  • A case against Brookstone had been dismissed in May 2010 on the ground that a ZIP code is not “personal identification information” within the meaning of Song-Beverly, but a state appellate court ruled [PDF] that the subsequent contrary decision in Pineda applied retroactively and that the suit against Brookstone could therefore proceed. 
  • Both state and federal courts in California have now reaffirmed that Song-Beverly does not apply to online transactions (Gonor v. Craigslist, Inc. [PDF]; Salmonson v. Microsoft Corp. [PDF]).  According to Mehrens v. Redbox Automated Retail LLC [PDF], Song-Beverly does not apply to transactions conducted at self-service kiosks either.  The courts recognized that fraud prevention justifies the collection of ZIP codes in online and kiosk transactions. 
  • A California federal court preliminarily approved a settlement under which Tiffany and Co. agreed to provide a voucher for either $10 off or free engraving to an estimated class of 90,000 customers; $142,000 in attorneys’ fees to class counsel; and $2,000 to the class representative.

Continue Reading Pineda One Year Later

In a report released on September 28, 2011, Verizon concluded that only 21 percent of organizations subject to the payment card industry’s data security standards (PCI-DSS) were fully compliant with PCI-DSS.  Verizon’s prior report found that 22 percent of organizations were fully compliant with PCI-DSS.  The PCI-DSS consist of 12 requirements relating to

In a decision with implications for all California retailers, the California Supreme Court ruled [PDF] yesterday that a customer may not be asked to provide his or her ZIP code during an in-person credit card transaction.  At issue in Pineda v. Williams-Sonoma Stores, Inc. was the scope of California’s Song-Beverly Credit Card Act of 1971, Cal.