A wave of new regulations has heightened the data compliance requirements for internet platforms. Ke Holdings general counsel Chen Yan shares his company’s experience of adapting and evolving to fulfil the new obligations
In the past three years, there has been a noticeable trend towards the strengthening of data legislation and law enforcement in major countries and regions around the world.
Looking at legislation, major jurisdictions have been busy issuing data and personal information-related legislation in the past three years. For example, the EU issued the General Data Protection Regulation (GDPR) in May 2018; in the US, the California Consumer Privacy Act (CCPA) was issued in June 2018; Brazil issued the Lei Geral de Proteção de Dados (General Data Protection Law) in August 2018; and in December 2019, the Personal Data Protection Bill was tabled in India.
In China, the Data Security Law was adopted by the Standing Committee of the National People’s Congress in June 2021, and implemented on 1 September 2021; and the Personal Information Protection Law (PIPL) was also adopted by the standing committee in August 2021, and implemented on 1 November 2021. In addition, countries such as Japan, Canada and South Africa have rolled out relevant legislation in recent years.
Looking at law enforcement, major countries around the world are currently completing the transition from “provision to practice”. Domestically, starting with the joint issuance of the Notice on Launching the Dedicated Approach to Handling the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations – by the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation – in January 2019, China officially raised the curtain on the era of comprehensive law enforcement relating to personal information.
In November 2019, the Ministry of Industry and Information Technology issued the Notice of the Ministry of Industry and Information Technology on Launching the Dedicated Rectification Work Relating to the Infringement of User Rights and Interests by Apps, and launched actions that led to the reporting of more than 10 apps that were in violation of regulations.
In the same year, a number of authorities jointly launched sweeping campaigns, such as Qinglang and Wangjian. In July 2020, the Office of the Central Cyberspace Affairs Commission and 13 other ministerial-level authorities jointly established the App Governance Working Group. And in the first half of this year, the Ministry of Public Security, in conjunction with relevant authorities, took down in excess of 1,100 apps that collected and/or used personal information in violation of laws and regulations, and the Ministry of Industry and Information Technology reported a total of 10 batches of apps that infringed users’ rights and interests.
Internationally, the EU is at the vanguard in enforcement of personal data law globally. Since the assessment by France of the first fine of EUR50 million (USD57.8 million) in respect of Google’s personalised ads under the GDPR in January 2019, large enterprises like H&M, British Airways and Marriott have been hit by large fines in the tens of millions of euros.
This year is a big year in the enforcement of personal data law internationally. In July, Amazon faced a EUR746 million fine assessed by the Commission Nationale pour la Protection des Données, Luxembourg’s data protection authority, for violation of the GDPR. And in September, the Irish Data Protection Commission announced a EUR225 million penalty against Facebook’s WhatsApp for not adequately informing about the collection of personal information, and launched an investigation into the processing of the personal data of children and the sending of such data abroad by TikTok.
Trend towards convergence in personal data legislation in major countries and regions, but with differences

Looking at the three major jurisdictions of China, the EU and the US, each jurisdiction’s personal data legislation on the whole accords strict protection to data and information that can identify specific individuals, while paying due attention to the rights of individuals to give informed consent in the course of the collection and processing of their data. But their legislation also takes noticeably different stances and has different regional characteristics, for example:
- In terms of leniency, China’s PIPL and the EU’s GDPR provide more stringent protection for personal data, whereas California’s CCPA is more relaxed.
- In terms of the scope of application, China and the EU both emphasise the extraterritorial application of personal data protection, whereas in the US the application is mainly domestic.
- In terms of the types of personal data rights protected, China and the EU place more emphasis on the rights of individuals to know, access, delete and take with them their personal information; in contrast, the US places more restrictions on the exercise of such rights.
- In terms of the mode of notification of consent, both China and the EU have adopted the “opt-in” model, while the US has on the whole preferred the “opt-out” model.
- In terms of enterprises’ data security compliance obligations, China and the EU have set out more detailed and stringent compliance requirements in respect of data storage periods, data security incident reporting obligations, personal data protection impact assessments, data encryption and other such security measures, while US compliance requirements are more relaxed and superficial. Furthermore, China’s PIPL also draws on the EU’s legislative efforts by imposing gatekeeper obligations on large internet platform enterprises.
- In terms of regulating the sending abroad of data, China has the most stringent regulation, setting out strict provisions on such things as security assessments for sending data abroad and the domestic storage of data, whereas the EU’s regulation of the sending abroad of data is more in the nature of principles, while additionally enumerating exceptions to that regulation. Although the US CCPA does not set restrictions on sending data abroad, the US does in practice implement restrictions in specific scenarios, such as critical technologies and information, by way of such legal instruments as the Foreign Investment Risk Review Modernisation Act of 2018 and the Export Control Reform Act of 2018.