China’s regulatory scrutiny on platform companies and data has engaged legal departments across the country and beyond to the task of swift compliance. As the new Personal Information Protection Law completes the domestic legislative regime, Chen Yan, general counsel and head of Group Legal Centre at KE Holdings, makes some international comparisons and shares his own company’s experience in adapting and evolving
In the past three years, there has been a noticeable trend toward the strengthening of data legislation and law enforcement in major countries and regions around the world.
Looking at legislation, major jurisdictions have been busy issuing data and personal information-related legislation in the past three years. For example, the EU issued the General Data Protection Regulation (GDPR) in May 2018; in the US, the California Consumer Privacy Act (CCPA) was issued in June 2018; Brazil issued the Lei Geral de Proteção de Dados (General Data Protection Law) in August 2018; and in December 2019, the Personal Data Protection Bill was tabled in India.
In China, the Data Security Law was adopted by the Standing Committee of the National People’s Congress in June 2021, and implemented on 1 September 2021; and the Personal Information Protection Law (PIPL) was also adopted by the standing committee in August 2021, and implemented on 1 November 2021. In addition, countries such as Japan, Canada and South Africa have rolled out relevant legislation in recent years.
Looking at law enforcement, major countries around the world are currently completing the transition from “provision to practice”. Domestically, starting with the joint issuance of the Notice on Launching the Dedicated Approach to Handling the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations – by the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation – in January 2019, China officially raised the curtain on the era of comprehensive law enforcement relating to personal information.
In November 2019, the Ministry of Industry and Information Technology issued the Notice of the Ministry of Industry and Information Technology on Launching the Dedicated Rectification Work Relating to the Infringement of User Rights and Interests by Apps, and launched actions that led to the reporting of more than 10 apps that were in violation of regulations.
In the same year, a number of authorities jointly launched sweeping campaigns, such as Qinglang and Wangjian. In July 2020, the Office of the Central Cyberspace Affairs Commission and 13 other ministerial-level authorities jointly established the App Governance Working Group. And in the first half of this year, the Ministry of Public Security, in conjunction with relevant authorities, took down in excess of 1,100 apps that collected and/or used personal information in violation of laws and regulations, and the Ministry of Industry and Information Technology reported a total of 10 batches of apps that infringed users’ rights and interests.
Internationally, the EU is at the vanguard in enforcement of personal data law globally. Since the assessment by France of the first fine of EUR50 million (USD57.8 million) in respect of Google’s personalised ads under the GDPR in January 2019, large enterprises like H&M, British Airways and Marriott have been hit by large fines in the tens of millions of euros.
This year is a big year in the enforcement of personal data law internationally. In July, Amazon faced a EUR746 million fine assessed by the Commission Nationale pour la Protection des Données, Luxembourg’s data protection authority, for violation of the GDPR. And in September, the Irish Data Protection Commission announced a EUR225 million penalty against Facebook’s WhatsApp for not adequately informing about the collection of personal information, and launched an investigation into the processing of the personal data of children and the sending of such data abroad by TikTok.