Dr. Gabriela Zanfir-Fortuna - Future of Privacy Forum

The First Japan Privacy Symposium: G7 DPAs discussed their approach to reign in AI, and other regulatory priorities

The Future of Privacy Forum and S&K Brussels hosted the first Japan Privacy Symposium in Tokyo, on June 22, 2023, following the G7 Data Protection and Privacy Commissioners roundtable. The Symposium brought global thought leadership on the interaction of data protection and privacy law with AI, as well as insights into the current regulatory priorities of the G7 Data Protection Authorities (DPAs) to an audience of more than 250 in-house privacy leaders, lawyers, consultants and journalists from Japan and the region.

The program started with a keynote address from Commissioner Shuhei Ohshima (Japan’s Personal Information Protection Commission), who shared details about the results of the G7 DPAs Roundtable from the day before. Two panels followed, featuring Rebecca Kelly Slaughter (Commissioner, U.S. Federal Trade Commission), Wojciech Wiewiórowski (European Data Protection Supervisor, EU), Philippe Dufresne (Federal Privacy Commissioner, Canada), Ginevra Cerrina Feroni (Vice President of the Garante, Italy), John Edwards (Information Commissioner, UK), and Bertrand du Marais (Commissioner, CNIL, France). Jules Polonetsky, FPF CEO, and Takeshige Sugimoto, Managing Partner at S&K Brussels and FPF Senior Fellow, hosted the Symposium.

The G7 DPA Agenda, built on three pillars: Data Free Flow with Trust, emerging technologies, and enforcement cooperation

The DPAs of the G7 nations started to meet annually in 2020, following the initiative of the UK’s Information Commissioner Office during UK’s G7 Presidency that year. This is a new venue for international cooperation of DPAs, limited to Commissioners from Canada, France, Germany, Italy, Japan, the United Kingdom, the United States, and the European Union. Throughout the year, the DPAs maintain a permanent channel of communication and implement a work plan adopted during their annual Roundtable.

In his keynote at the Japan Privacy Symposium, Commissioner Shuhei Oshshima laid out the results of this year’s Roundtable, held in Tokyo on June 20 and 21. The Commissioner highlighted three pillars guiding the group’s cooperation this year: (I) Data Free Flow with Trust (DFFT), (II) emerging technologies, and (III) enforcement cooperation.

The G7 Commissioners’ Communique expressed overall support for the DFFT political initiative, welcoming the reference to DPAs as stakeholders in the future Institutional Arrangement for Partnership (IAP), a new structure the G7 Digital Ministers announced earlier in April to operationalize the DFFT. However, in the Communique, the G7 DPAs emphasized that they “must have a key role in contributing on topics that are within their competence in this Arrangement.” It is noteworthy that, among their competencies, most G7 DPAs have the authority to order the cessation of data transfers across borders if legal requirements are not met (see, for instance, this case from the CNIL – the French DPA, this case from the European Data Protection Supervisor, or this case from the Italian Garante).

The IAP seems to provide a key role for governments themselves currently, in addition to stakeholders and “the broader multidisciplinary community of data governance experts from different backgrounds,” according to Annex I of the Ministerial Declaration announcing the Partnership. The DPAs are singled out only as an example of such experts.

In the Action Plan adopted in Tokyo, the G7 DPAs included clues as to how they see the operationalization of DFFT playing out: through interoperability and convergence of existing transfer tools. As such, they endeavor to “share knowledge on tools for secure and trustworthy transfers, notably through the comparison of Global Cross-Border Privacy Rules (CBPR) and EU certification requirements, and through the comparison of existing model contractual clauses.” (In an analysis touching broadly beyond the G7 jurisdictions, the Future of Privacy Forum published a report earlier this year emphasizing many commonalities, but also some divergence, among three sets of model contractual clauses proposed by the EU, the Iberoamerican Network of DPAs, and ASEAN).

Arguably, though, DFFT was not the main point on the G7 DPAs agenda. They had adopted a separate and detailed Statement on generative AI. In his keynote, Commissioner Shuhei Ohshima remarked that “generative AI adoption has increased significantly.” In order to promote trustworthy deployment and use of the new technology “the importance of DPAs is increasing also on a daily basis,” the Commissioner added.

Generative AI is not being deployed in a legislative void, and data protection law is the immediately applicable legal framework

Top of mind for G7 data protection and privacy regulators is AI, and generative AI in particular. “AI is not a law-free zone,” said FTC Commissioner Slaughter during her panel at the Symposium, being very clear that “existing laws on the books in the US and other jurisdictions apply to AI, just like they apply to adtech, [and] social media.” This is apparent across the G7 jurisdictions: in March, the Italian DPA issued an order against OpenAI to stop processing personal data of users in Italy following concerns that ChatGPT breached the General Data Protection Regulation (GDPR); in May, the Canadian Federal Privacy Commissioner opened an investigation into ChatGPT jointly with provincial privacy authorities; and, in June, Japan’s PIPC issued an administrative letter warning OpenAI that it needs to comply with requirements from the Act on the Protection of Personal Information, particularly regarding the processing of sensitive data.

At the Japan Privacy Symposium, Ginevra Cerrina Feroni, VP of the Garante, shared the key concerns guiding the agency’s enforcement action against OpenAI, which was the first such action in the world. She highlighted several risks, including a lack of transparency about how OpenAI collects and processes personal data to deliver the ChatGPT service; uncertainty regarding a lawful ground for processing personal data, as required by the GDPR; a lack of avenues to comply with the rights of data subjects, such as access, erasure, and correction; and, finally, the potential exposure of minors to inappropriate content, due to inadequate age gating.

After engaging in a constructive dialogue with OpenAI the Garante suspended the order, seeing improvements in previously flagged aspects. “OpenAI published a privacy notice to users worldwide to inform them how personal data is used in algorithmic training, and emphasized the right to object to such processing,” the Garante Vice President explained. She continued, noting that OpenAI “provided users with the right to reject their personal data being used for training the algorithms while using the service, in a dedicated way that is more easily accessible. They also enabled the ability of users to request deletion of inaccurate information, because – and this is important – they say they are technically unable to correct errors.” However, Vice President Cerrina Feroni mentioned that the investigation is ongoing and that the European Data Protection Board is currently coordinating actions among EU DPAs on this matter.

The EDPS added that purpose limitation is among his chief concerns with services like ChatGPT, and generative AI more broadly. “Generative AI is meant to advance communication with human beings, but it does not provide fact-finding or fact-checking. We should not expect this as a top feature of Large Language Models. These programs are not an encyclopedia; they are just meant to be fluent, hence the rise of possibilities for them to hallucinate,” Supervisor Wiewiorowski said.

Canadian Privacy Commissioner Philippe Dufresne emphasized that how we relate to generative AI from a privacy regulatory perspective “is an international issue.” Commissioner Dufresne also added, “a point worth repeating is that privacy must be treated as a fundamental right.” This is important, as “when we talk about privacy as a fundamental right, we point out how privacy is essential to other fundamental human rights within a democracy, like freedom of expression and all other rights. If we look at privacy like that, we must see that by protecting privacy, we are protecting all these other rights. Insofar as AI touches on these, I do see privacy being at the core of all of it,” Commissioner Dufresne concluded.

The G7 DPAs’ Statement on Generative AI outlines their key concerns, such as lack of legal authority to process personal data at all stages

In the aforementioned Generative AI Statement, the G7 data protection regulators laid out their main concerns in relation to how personal data is processed through this emerging type of computer program and service. First and foremost, the commissioners are concerned that processing of personal data lacks legal authority during all three relevant stages of developing and deploying generative AI systems: for the data sets used to train, validate and test generative AI models; for processing personal data resulting from the interactions of individuals with generative AI tools during their use; and, for the content that is generated by generative AI tools.

The commissioners also highlighted the need for security safeguards to protect against threats and attacks that seek to invert generative AI models, and that would technically prevent extractions or reproductions of personal data originally processed in datasets used to train the models. They also advocated for mitigation and monitoring measures to ensure personal data created by generative AI is accurate, complete, and up-to-date, as well as free from discriminatory, unlawful, or otherwise unjustifiable effects.

It is clear that data protection and privacy commissioners are proactive about ensuring generative AI systems are compatible with privacy and data protection laws. Only two weeks after their roundtable in Tokyo, it was reported that the US FTC initiated an investigation against OpenAI. And this proactive approach is intentional. As UK’s Information Commissioner, John Edwards, made clear, the commissioners are “keen to ensure” that they “do not miss this essential moment in the development of this new technology in a way that [they] missed the moment of building the business models underpinning social media and online advertising.” “We are here and watching,” he said.

Regardless of the adoption of new AI-focused laws, DPAs would remain central to AI governance

The Commissioners also discussed the wave of legislative initiatives targeting AI in their jurisdictions. AI systems are not built and deployed in a legislative void: data protection law is largely and immediately relevant, as is consumer protection law, product liability rules, and intellectual property law. In this environment, what is the added value of specific, targeted legislation addressing AI?

Addressing the EU AI Act proposal, European Data Protection Supervisor Wiewiórowski noted that the EU’s initiation of the legislation is not because the legislator thought there was a vacuum. “We saw that there were topics to be addressed more specifically for AI systems. There was a question whether we approach it as a product, service, or some kind of new phenomenon as far as legislation is concerned,” he added. As for the role of the DPAs once the AI Act will be adopted, he brought up the fact that in the EU, data protection is a fundamental right: which means that all legislation or policy solutions governing processing of personal data in a way or another must be looked at through this lens. As supervisory authorities tasked with guaranteeing this fundamental right, DPAs will continue playing a role.

The framework ensuring the enforcement of the AI Act is still under debate, as EU Member States are tasked with designating competent national authorities, and the European Parliament hopes to create a supranational collaborative body to play a role in enforcement. However, one thing is certain: in the proposal, the EDPS has been designated the competent authority to ensure that EU agencies and bodies comply with the EU AI Act.

The CNIL seems to be eyeing the designation as EU AI Act enforcer as well. Commissioner du Marais pointed out that “since 1978, the French Act on IT and Freedom has banned automated decisions. We have a fairly long and established body of case law.” Earlier this year, the CNIL created a dedicated department including data and computer scientists among staff to monitor how AI systems comply with legal obligations stemming from data protection law. “To be frank, we don’t know yet what will come out of the legislative process, but we have started to prepare ourselves. We have also been designated by domestic law as supervisory and certification authority for AI during the 2024 Olympic Games.”

The Garante has a long track record of enforcing data protection law on algorithmic systems and decision-making that impacted the rights of individuals. “The role of the Garante in safeguarding digital rights has always been prominent, even when the issue was not yet widely recognized by the public,” said Vice President Cerrina Feroni. Indeed, as shown by extensive research published last year by the Future of Privacy Forum, European DPAs have long been enforcing data protection law in cases where automated decision-making was central. The Garante led impactful investigations against several gig economy apps and their algorithms’ impacts on people.

Canada is also in the midst of legislating AI, introducing a bill last year that is currently under debate. “There is similarity with the European proposal, but [the Canadian bill] focuses more on high impact AI systems and on preventing harms and biased outputs and decision-making. It provides significant financial fines,” Commissioner Dufresne explained. As part of the bill, enforcement is currently assigned to the relevant ministry in the Canadian government. The Privacy Commissioner explained that the regulatory activity would be coordinated with his office, but also with the competition, media, and human rights regulators in Canada. When contributing recommendations during the legislative process, Commissioner Dufresne noted that he suggested “privacy to be a key principle.” In light of his vision that privacy as a fundamental right is essential for the realization of other fundamental rights, the Commissioner had a clear message that “the DPAs need to be front and center” of the future of AI governance.

UK Commissioner Edwards echoed the value of entrenched collaboration among digital regulators, adding that the UK already has an official “Digital Regulators Cooperation Forum,” established with its own staff. The entity “is important to provide a coherent regulatory framework,” he said.

Children’s privacy is a top priority across borders, with new regulatory approaches showing promising results

One of the key concerns that the G7 DPAs have in relation to generative AI is how the new services are dealing with children’s privacy. In fact, the regulators have made it one of their top priorities to broadly pursue the protection of children’s privacy when regulating social media services, targeted advertising, or online gaming, among others.

Building on a series of recent high-profile cases brought by the FTC in this space, Commissioner Slaughter couldn’t have been clearer: “Kids are a huge priority issue for the FTC.” She reminded the audience that COPPA (Children’s Online Privacy Protection Act) has been around for more than two decades, and it is one of the strongest federal privacy laws in the US: “The FTC is committed to enforcing it aggressively.” Commissioner Slaughter explained that the FTC’s actions, such as their recent case against Epic Games, include considerations related to teenagers as well, even if they are not technically covered by COPPA protections, but are covered by the “unfair practices” doctrine of the FTC.

UK Commissioner John Edwards gave a detailed account of the impact of the UK’s Age Appropriate Design Code in the design of online services provided to children, which was launched by his office in 2020. “We have seen genuine changes, including privacy settings being automatically set to very high for children. We have seen children and parents and carers being given more control over privacy settings. And we have seen that children are no longer nudged to lower privacy settings, with clearer tools and steps in place for them to exercise their data protection rights. We have also seen ads blocked for children,” Commissioner Edwards said, pointing out that these are significant improvements for the online experience of children. These results have been obtained primarily through a collaborative approach with the service providers, who have implemented changes after their services were subject to audits conducted by the regulator.

Children’s and teenagers’ privacy is also top of mind for the CNIL. Among a series of guidance, recommendations, and actions, the French regulator is adding another layer to its approach – digital education. “We have made education a strategic priority. We have a partnership with the Ministry of Education and we have available a platform to certify digital skills for children, as well as with resources for kids and parents,” Commissioner du Marais said. Regarding regulatory priorities, he emphasized attention to age verification tools. Among the principles the French regulator favors for age verification are no direct collection of identity documents, no age estimates based on web browsing history, and no processing of biometric data to recognize an individual. The CNIL has asked websites not to carry out age verification themselves, and to instead rely on third-party solutions.

The discussions of the G7 DPA Commissioners who participated in the first edition of the Japan Privacy Symposium laid out a vibrant and complex regulatory landscape, centered around new challenges posed to societal values and rights of individuals by AI technology, but also making advancements in perennial topics like cross-border data transfers and children’s privacy. More meaningful and deeper enforcement cooperation is to be expected among the G7 Commissioners, whose Action Plan espoused their commitment to move towards constant exchanges related to enforcement actions and to revitalize existing global enforcement cooperation networks, like GPEN (Global Privacy Enforcement Network). Next year, the G7 DPA Commissioners will meet in Rome.

Editor: Alexander Thompson

FPF Paper, “The Thin Red Line …,” Receives the Council of Europe’s 2023 Stefano Rodotà Award

On Friday, June 16th, members of the FPF team joined the 44th Plenary meeting of the Council of Europe’s Committee of Convention 108 in Strasbourg, France to accept a tremendous research honor. On this occasion, Katerina Demetzou, Senior Counsel for Global Privacy, Dr. Gabriela Zanfir-Fortuna, VP for Global Privacy, and Sebastião Barros Vale, former Senior Counsel for Europe at FPF, received the 2023 Stefano Rodotà Data Protection award in the category of ‘best academic article’ for their paper, “The Thin Red Line: Refocusing Data Protection Law on Automated Decision-Making, A Global Perspective with Lessons from Case-Law.” Demetzou and Barros Vale were present in Strasbourg during the Plenary meeting to present the paper and lift the award.

The Council of Europe (CoE), founded in 1949, is an international organization with 46 Member States and 6 Observer States. All Council of Europe Member States have signed up to the European Convention of Human Rights (ECHR), a treaty designed to protect human rights, democracy, and the rule of law. The European Court of Human Rights (ECtHR) oversees the implementation of the ECHR in the Member States.

Demetzou, Barros Vale, and Dr. Gabriela Zanfir-Fortuna, VP for Global Privacy at FPF, are honored to receive recognition at the birthplace of the CoE’s historic 1981 treaty, the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Convention 108 established the first legally binding international instrument in data protection, and the CoE adopted the modernized Convention 108+ in 2018. A year later, the Convention 108+ Committee established the Stefano Rodotà Award to honor the memory and legacy of Stefano Rodotà (1933-2017), a leading Italian Professor and politician, and one of the founding fathers of data protection law in Europe. The Stefano Rodotà Award is awarded to precedent-setting and innovative research in the field of data protection. The dedicated academic, intellectual, and political influence of President Rodotà lives on through Demetzou, Barros Vale, and Dr. Zanfir-Fortuna’s global exploration of data protection instruments safeguarding individuals against harms from ADM in emerging technologies.

“The Thin Red Line” analyzes the legal protection provided by data protection law to individuals that are being subjected to automated decision making (ADM) on the basis of their personal data. To that end, the authors dedicate the first part of their research to an analysis of European Data Protection Authority (DPAs) enforcement actions of the GDPR on ADM cases. The second section looks to Brazil, Mexico, Argentina, Colombia, China and South Africa to explore protections against harmful ADM found in non-EU general data protection laws. The article concludes that even in cases where a processing operation does not meet the high threshold set by Article 22 GDPR (‘solely by automated means’), DPAs have made use of an array of legal principles, rights, and obligations to protect individuals against ADM practices, nonetheless. With the exception of Colombia, the other non-EU jurisdictions have a specific ADM provision. In all cases studied, the general data protection laws provide a broad material scope, such that any automated processing operation, solely or not, is regulated according to relevant provisions. Additionally, all laws studied include strong transparency and fairness requirements.

While the debate on a European Regulation for AI is ongoing, this paper aims to contribute to the discussion by highlighting that in cases where algorithms and AI systems process personal data, the GDPR is enforceable and protects individuals. Despite extensive legal scholarship on Article 22 GDPR, FPF’s experts identified a gap in previous literature through their global examination of existing enforcements and interpretations from regulators.

After the award ceremony, Demetzou was especially grateful for “the Committee’s warmth, as well as their committed understanding and appreciation for our research.” Dr. Zanfir-Fortuna called on the importance of the article’s findings while reflecting on emerging AI regulatory trends: “Data protection law has proved to be one of the most relevant existing legal frameworks to deal with the risks posed by the mass deployment of new AI tools. Existing legal obligations related to processing of personal data, on all continents, are stringent and more pressing than possible future AI legislation, as they are immediately applicable to existing AI systems.” The authors hope this intervention, as well as the paper’s global scan, will support researchers and policymakers in understanding how existing data protection law protects against potential harms from algorithms and AI systems.

For more, read “The Thin Red Line: Refocusing Data Protection Law on ADM, A Global Perspective with Lessons from Case-Law.”

Nigeria’s New Data Protection Act, Explained

On June 12, 2023, the President of Nigeria signed the Data Protection Bill into law following a successful third reading at the Senate and the House of Representatives. The Data Protection Act, 2023 (the Act) has had executive and legislative support and marks an important milestone in Nigeria’s nearly two-decade journey towards a comprehensive data protection law. Renewed efforts towards a comprehensive law began in September 2022 when the National Commissioner of the Nigeria Data Protection Bureau (NDPB), now the National Data Protection Commissioner (NDPC), announced that the office would seek legal support for a new law as part of the Nigeria Digital Identification for Development Project. The drafting of the law was followed by a validation process that was conducted in October 2022. After validation, the Act was submitted to the Federal Executive Council for approval, which paved the way for its transmission to the National Assembly. The 2022 Data Protection Bill was introduced in both houses of Nigeria’s bicameral legislature as the Nigeria Data Protection Bill, 2023. The Act commenced upon signature by the President.

The Act provides for data protection principles that are common to many international data protection frameworks. It defines “personal data” broadly and it includes legal obligations for “data controllers” and “processors,” defined similarly to the majority of data protection laws around the world. While the structure and content of the Act align with other international frameworks for data protection, the Act contains notable unique provisions:

The Act introduces a new category of “data controllers and processors of major importance,” which seems to be inspired by the tiered approach in the EU’s Digital Services Act and its specific obligations for “very large online platforms and search engines;”
A “duty of care” is among the principles that controllers and processors need to comply with;
Controllers and processors must seek the services of a data protection compliance organization (DPCO) to perform a data protection audit, among other obligations;
The broad extraterritorial provisions under the Act are also notable;
The Act also introduces and places limitations on legitimate interest as a legal basis for personal data processing which is not present under the NDPR and the Implementation Framework;
Data subject rights under the Act are similar to those found in international data protection frameworks, however, with minimal restrictions on their exercise;
The Act provides stronger protections for children and persons without legal capacity, compared to the NDPR. It also introduces a requirement for age verification, where feasible; and
Lastly, the Act sets out structural changes to the existing data protection authority, which will change from a “Bureau” to a Commission, and updates the governing mechanisms for the authority.

Prior to the introduction of the Act, Nigeria’s data protection landscape was governed by the Nigeria Data Protection Regulation, 2019 (NDPR) and the Nigeria Data Protection Regulation 2019: Implementation Framework (Implementation Framework). However, the need to fill in the gaps under the NDPR, create a legal foundation for the existing data protection body, and as a necessary condition for the rollout of a national digital identification program required the creation of a new legislative framework. However, the NDPR and its Implementation Framework shall remain in force alongside the Act. Under Section 64(2)(f) all existing regulatory instruments, including regulations, directives, and authorizations issued by the National Information Technology Development Agency (NITDA) or NDPB shall remain in force as if they were issued by the Commission until they expire, are repealed, replaced, reassembled or altered. Per Section 63 of the Act, the new law shall take precedence in any instance of a conflict with pre-existing provisions.

1. Covered Actors: Novel Categories of Data Controllers and Processors

The Act applies to the processing of personal data by data controllers, data processors, and third parties, which may be individuals, private entities, or public entities that process personal data. A data controller is defined as an individual, private entity, public Commission or agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A data processor is defined as an individual, private entity, public authority, or any other body who or which processes personal data on behalf of or at the direction of a data controller or another data processor. The Act does not define third parties.

The Act introduces a novel category of “data controllers and processors of major importance.” A data controller and processor of major importance is defined as a “data controller or data processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than a such number of data subjects who are within Nigeria.” The Act continues, explaining that “the Commission may prescribe or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society, or security of Nigeria as the Commission may designate.”

While the practical thresholds of this definition are set to be further clarified by the Commission, they will be based on the number of data subjects whose data are processed and the value or significance of the processed data. This categorization has commonalities with the EU’s Digital Service Act’s designation of entities as Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) and may be used to create unique and additional obligations for such controllers and processors. The Act currently requires qualifying entities to meet special registration requirements, appoint a data protection officer, and pay different penalty amounts for violations. Future obligations will relate to processes relating to filing of compliance returns (Section 61(2)(g)), as well as any others that may be prescribed through regulations later issued by the Commission.

2. Covered Data: Broad Categories of Sensitive Personal Data

The Act covers both personal and sensitive personal data. It defines personal data as “any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual.” The definition closely tracks Article 4(1) of the GDPR.

It further defines sensitive personal data as personal data relating to an individual’s:

genetic and biometric data, for the purpose of uniquely identifying a natural person;
race or ethnic origin;
religious or similar beliefs, such as those reflecting conscience or philosophy;
health status;
sex life;
political opinions or affiliations; and
trade union memberships.

Section 30(2) of the Act envisions a broad, flexible definition for sensitive personal data by authorizing the Commission to prescribe further categories of sensitive personal data. The Act also prohibits the processing of sensitive personal data unless specified conditions are met. Notable allowances for processing of sensitive personal data include:

Where the processing is necessary for reasons of “substantial public interest,” on the basis of a law (Section 30(1)(f)). Substantial public interest is not defined under the Act; and
Where the data subject has consented to such processing (Section 30(1)(a)).

These proposed rules closely track Article 9 of GDPR’s restrictions for the processing of “special category” data. Unlike the GDPR, which envisions situations where the prohibition on processing sensitive personal data may not be lifted on the basis of consent, the consent exception under Nigeria’s Act is only restricted to situations where a data subject has given and then withdrawn such consent. Additionally, the Act only applies an “explicit consent” requirement to the potential sharing of sensitive personal data by a “foundation, association, or other not-for-profit body with charitable, educational, literary, artistic, philosophical, religious, or trade union purposes,” while the GDPR’s Article 9(2)(a) requires “explicit consent” for all excepted processing. However, the Act does permit the Commission to potentially create additional regulations that may apply to the processing of sensitive personal data, including regulations expanding categories of sensitive personal data, additional grounds for processing such data, and safeguards to be applied.

3. Territorial Application: Broad Extraterritorial Application of the Act

Section 2(2)(c)) of the Act contains broad extraterritorial authority, covering any form of processing the personal data of a data subject in Nigeria by controllers or processors not established in Nigeria. This provision does not consider the nature of processing being conducted, unlike frameworks such as the GDPR, which include the “targeting” criteria.

Exemptions from Application of the Act: Increased Protections for Exempted Processing Activities

Section 3 of the Act provides several different exemptions from the broader application of the law and makes room for the Commission to expand the processing activities that may be exempted from the Act. Processing personal information “solely for personal or household purposes” is exempt, as long as such processing does not violate a data subject’s right to privacy. This is a stark difference from laws such as the GDPR, which wholly exempts processing of personal data by a natural person in the course of personal or household activity, regardless of whether it touches on the person’s right to privacy or not. Therefore, there are instances where personal data processing activities of a non-professional and non-commercial nature may fall under the ambit of the law. The rationale for this condition is not clear. Other exemptions include processing activities by law enforcement during the prevention, investigation, detection, or prosecution of a crime, processing for the prevention or control of a national public health emergency, national security or public interest purposes, and as necessary for the establishment, exercise, or defense of legal claims that are exempt from most of the obligations under Part V of the Act. Exempt entities must still comply with some specific provisions under Part V including:

The principles of personal data processing – Section 24;
Provisions relating to the lawful basis of processing personal data – Section 25;
Provisions relating to the appointment of data protection officers for data controllers and processors of major importance – Section 32; and
Provisions relating to personal data breaches – Section 40.

While the Act reserves for the Commission authority to prescribe additional exemptions, it includes a greater number of protections for exempt processing activities than the 2022 Bill. In addition to the above-mentioned provisions that exempt entities must comply with, the Act empowers the Commission to issue a Guidance Note on the legal safeguards and best practices for exempted data controllers and processors where such processing violates or is likely to violate Sections 24 and 25 of the law. Some exemptions have been narrowed relative to the 2022 Bill. Entities who were exempted from complying with provisions under the 2022 Bill must now comply with the above-mentioned provisions for exempt entities under the 2023 Act, as well as those relating to data security and cross-border data transfers.

4. Obligations of Data Controllers and Processors: Novel Registration Requirements for Data Controllers and Processors of Major Importance

Some of the Act’s obligations for data controllers and processors are novel, while others have been maintained from the NDPR.

Data Controllers and Processors of “Major Importance”

The designation of “data controllers and processors of major importance” and the Commission’s authority to classify and regulate such entities is a key new development. Section 44 of the Act sets out the process and timelines to which such entities must adhere, including registering with the Commission within six months after the commencement of the Act, or upon meeting the statutory criteria for qualifying as a data controller or processor of major importance. Additionally, the Act empowers the Commission to exempt classes of data controllers and processors of major importance from registration where it considers that such registration is unnecessary or disproportionate. The criteria for exemption may be stipulated through Regulations by the Commission.

Another special obligation for controllers and processors of major importance is the requirement to appoint a Data Protection Officer (DPO), which is imposed by Section 32 on such entities only. This requirement substantially differs from the NDPR and the Implementation Framework; under the NDPR, every data controller must appoint a DPO (Article 4.1.2), while the Implementation Framework stipulates conditions for such an appointment (3.4.1).

Other important obligations of all data controllers and processors include:

Compliance with Data Protection Principles

Data controllers and processors are responsible for complying with the principles provided in the Act. The principles are similar to the FIPPS-based sets found in many comprehensive data protection regimes but also include the duty of care as a principle for controllers and processors (Section 24(3)). Specifically, both controllers and processors owe “a duty of care” with respect to data processing, which is linked to demonstrating accountability related to compliance with other principles provided by the Act.

Filing of Audit Reports

As discussed in greater detail below, controllers and processors must seek the services of a data protection compliance organization (DPCO) to perform a data protection audit, among other obligations. As the Act does not create new criteria for entities required to conduct such audits, provisions under the NDPR and Implementation Framework remain in force. While the Implementation Framework provides that the authority may carry out scheduled audits or perform spot checks, the common practice is for controllers and processors that process personal data of more than 2000 data subjects in 12 months to engage a DPCO to conduct annual audits on their behalf. This practice is expected to continue.

Provision of Information to a Data Subject Prior to Collection of Personal Data

Where a data controller collects personal data directly or indirectly from a data subject, they must supply the data subject with the following information prior to collection:

The identity, residence or place of business of, and means of communication with the controller;
The specific lawful basis of processing under either Section 25(1) or 30(1) of the Act, and the specific purposes of processing;
The categories of recipients of the personal data;
The existence of the data subject rights;
The retention period of the data;
The right to lodge a complaint with the Commission; and
The existence of any automated decision-making, including profiling, its significance, the envisaged consequence of such processing for the data subject, and the right to object to/challenge such processing.

Where personal data is collected indirectly, a controller may be exempted from providing this information to a data subject if it had already been provided or where it would involve a disproportionate effort (Section 27(2)). The transparency obligations imposed by Section 27(1) (listed above) shall form part of the content of a privacy policy that a controller is obliged to have under the law and must be expressed in “clear, concise, transparent, intelligible, and easily accessible form.” In providing this information, a controller is obligated to take into account the intended class of data subjects. This implies that a privacy notice may need to be adjusted to cater to, among other issues, the literacy levels and language differences among data subjects.

Conducting a Data Protection Impact Assessment

Section 28(1) mandates a data controller to conduct a data protection impact assessment (DPIA) prior to the processing of personal data, where such processing may likely result in a high risk to the rights and freedoms of a data subject. The Act does not specify the period within which a DPIA must be conducted prior to such processing. Laws such as Kenya’s Data Protection Act require a DPIA to be conducted 60 days prior to the processing; this obligation may be clarified under future Regulations.

The Commission may designate, by Regulation or Directive, categories of processing or persons that automatically trigger the requirement to conduct a DPIA. To qualify, a DPIA must include:

A systematic description of the envisioned processing and its purpose, including any legitimate interest pursued by the controller, processor, or third party;
An assessment of the necessity and proportionality of the processing related to those purposes;
An assessment of the risks to the rights and freedoms of the data subject;
Measures envisioned to address those risks, along with any safeguards, security measures, and mechanisms in place to ensure the protection of personal data.

Overseeing the Conduct of Data Processors and Sub-Processors

Controllers engaging processors, or processors engaging sub-processors, must take “reasonable measures” to ensure that the engaged party complies with the requirements of the Act set out in Section 29(1). These measures must take the form of a written agreement and ensure that the engaged party:

Assists the data controller or processor, as the case may be, in the fulfillment of the controller’s obligations to honor the rights of a data subject;
Implements appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data;
Provides the controller or processor, where applicable, with information reasonably required to demonstrate compliance with the Act; and
Notifies the engaging controller or processor when a new processor is engaged.

Data Security and Data Breach Notification Requirements

Controllers and processors shall be required to implement security measures and safeguards for personal data. The level of such measures shall take into account several factors, including:

The amount and sensitivity of personal data involved;
The period of data retention; and
The availability, and cost of technologies to be implemented.

The measures that controllers and processors may implement are further described under section 39(2), including pseudonymization, encryption, and periodic assessments of risks to processing systems.

Where a data breach occurs that affects a data processor, the processor will be required to notify the data controller or processor that engaged it as soon as the breached party becomes aware of the incident, and must respond to information requests regarding the breach (Section 40(1)).

Where a data controller suffers a breach that is likely to cause a risk to the rights and freedoms of data subjects as defined by Section 40(7), several steps are required, including:

Notifying the Commission within 72 hours of becoming aware of the breach;
Notifying the data subjects without undue delay. No time specification is made for notifying data subjects.

The requirements for communications to the Commission and to affected data subjects also differ. Communication to the Commission should be as detailed as possible and include a description of the nature of the breach, while notice to data subjects should be in plain and clear language and include steps to take to mitigate any adverse effects. Section 40(4) highlights the common information that should be present in both cases, such as the name and contact details of a point of contact for the data controller. Information relating to a breach may be provided in a phased manner, where it is impossible to provide all information in a single communication.

5. Lawful Grounds for Processing Personal Data, Consent Requirements, and Children’s Personal Data

The Act provides for six lawful grounds for processing personal data similar to those under the GDPR, including:

With consent of a data subject for the processing of personal data for a specific purpose;
For performance of a contractual obligation in which the data subject is a party;
Compliance with a legal obligation to which the data controller or data processor is subject;
For protection of the vital interest of the data subject or another person;
For performance of a task in the public interest or exercise of official authority by a data controller or data processor; and
To fulfill the legitimate interests of a data controller or processor, or by a third party to whom the data is disclosed, considering that a data subject would have a reasonable expectation that personal data would be processed in the stipulated manner and the processing does not override their fundamental rights and freedoms. This basis is, however, not permissible where a controller or processor’s legitimate interests are incompatible with other lawful bases under the Act.

Consent Requirements

The Act requires that consent be freely given, specific, informed, and unambiguous. This is similar to consent requirements under the NDPR and Implementation Framework. The Act prohibits implied consent – i.e., the inference of consent from a data subject’s inactivity or the use of pre-ticked boxes. This corresponds with most of the consent provisions under the Implementation Framework, other than the fact that the Framework provides exceptions for consent relating to cookies. The Framework (5.6) provides that consent for cookies may be implied from the continued surfing of a website and does not mandate explicit consent. This effectively limits the extent of consent to direct marketing that is required under 5.3.1(a) of the Implementation Framework.

Children’s Privacy

The Act expands the protections accorded to children and persons lacking legal capacity compared to the NDPR and its Implementation Framework. It increases the age threshold under which a data subject is considered a “child” to 18 years, in alignment with the Nigeria Child Rights Act (however, not all states have domesticated the Act), and contrasts with the Implementation Framework, which categorizes a child as a person under 13 years of age). The Act also includes specific consent requirements for children and persons lacking the legal capacity to consent. While the NDPR and Implementation Framework are silent on whom to obtain such consent from, under the Act, consent shall be obtained explicitly from parents or legal guardians (Section 31(1)). To effect this, the Act requires controllers and processors to adopt consent verification mechanisms. To guarantee stronger privacy protections for children, the Commission will create Regulations to guide the personal data processing of a child of 13 years and above in the course of their usage of online products and services.

However, there are instances where a controller or processor may process the personal data of children and persons lacking legal capacity without the consent of a parent or legal guardian, such as:

Where the processing is necessary to protect the vital interests of the child or person lacking the legal capacity to consent;
Where the processing is carried out for purposes of education, medical, or social care, and undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality; or
Where the processing is necessary for proceedings before a court relating to the individual.

Further Protection for Processing of Personal Data Relating to Children and Persons Lacking Legal Capacity

In addition to the consent requirements, the Act further requires controllers and processors to adopt age verification mechanisms. Age verification is required “where feasible,” taking into consideration available technology. Presentation of any government-approved identification documents will be permitted as a verification mechanism.

6. Data Subject Rights: Robust Rights with No Implementation Mechanisms for Data Subjects and Narrow Restrictions on Exercise of Rights

The Act provides for data subject rights, which data controllers and processors must comply with prior to and during the processing of personal data, including the rights to:

Obtain information regarding the personal data held by a controller or processor about the requestor, in a commonly used electronic format;
Know the source of information where the personal data has been collected from a source other than the data subject;
Lodge a complaint with the Commission;
Know the existence of automated decision-making (ADM) and not to be subject to a decision that is solely based on automated processing of personal data, including profiling, and the significance and consequences for the data subjects of such processing;
Correct, and where it is not feasible or suitable, delete inaccurate, out-of-date, incomplete, or misleading information;
Request erasure where the personal data is no longer required in relation to the purpose for which it was collected and where the data controller has no other lawful basis to retain the personal data;
Request the restriction of processing personal data where there is a pending resolution of a request, where a data subject objects to processing, and where a data subject seeks to establish, exercise or defend a legal claim;
Object to the processing of personal data, including where processing is for the purpose of direct marketing;
Data portability. The Act makes it possible for a data subject to receive personal data concerning them from a data controller and transmit it to another controller, or for the data to be directly transferred from one controller to another. The importance of this right, given Nigeria’s thriving fintech ecosystem, has seen the Central Bank of Nigeria issue operational guidelines within the context of open banking; and
Withdraw consent to the processing of personal data at any time.

The Act does not provide comprehensive mechanisms for implementing these rights, such as parameters and modalities to respond to data subject requests. However, the Implementation Framework (2.3.2(c)) requires controllers to inform data subjects on the method to use to withdraw consent before obtaining consent. The Act states that “a controller should ensure that it is as easy for the data subject to withdraw as it is to give consent.”

The Act does not provide general restrictions/limits to the rights except for specific cases such as:

The right to object – where a controller may still process personal data in light of an objection if there is a public interest or other legitimate ground which overrides the fundamental rights and freedoms of the data subject; and
Exceptions to the right not to be subject to ADM systems, including where the processing is necessary for contractual obligations, is authorized under a written law, or based on a data subject’s consent. While a person may not object to processing by ADM systems if it falls under the three exempt conditions, data subjects retain the rights to (i) request human intervention in the ADM system, (ii) have an opportunity to express their point of view, and (iii) contest a decision based on an ADM system. This differs from the 2022 Bill where a controller using an ADM system on the basis of another existing law, did not have to guarantee these three data subject rights.

7. Cross Border Data Transfers: Broad Grounds for Transfers of Personal Data as well as Parliamentary Authorizations to Protect Data Sovereignty

The Act establishes as a rule that personal data should not be transferred outside of Nigeria, allowing for two exceptions. First, personal data can be transferred when the recipient of the personal data (the data importer) is subject either to (1) a law, (2) Binding Corporate Rules (‘BCRs’), (3) contractual clauses, (4) a Code of Conduct, or (5) a certification mechanism that “affords an adequate level of protection” to that provided by the Act. In the absence of such adequate protection through one of the enumerated means, personal data can also be transferred outside of Nigeria in exceptional situations, listed in Section 43 and mapping precisely to the set of derogations under Article 49 GDPR (consent of the individual, or for the performance of a contract, among others).

Controllers are under an obligation to keep a record of the legal basis for transferring personal data outside Nigeria, as well as to record “the adequacy of protection,” according to the criteria described in detail under Section 42 of the Act. This wording suggests that the adequacy of the means of transfers used can be validly assessed by each controller. This is a departure from other existing adequacy regimes, which usually require an official body to declare a specific jurisdiction adequate.

The Commission is tasked with issuing guidelines on how to assess the adequacy of a particular means of transfer, under the criteria established by Section 42 of the Act. This section explains that an adequate level of protection means “upholding principles that are substantially similar (n. – our emphasis) to the conditions for processing personal data” under the Act. The criteria relevant for adequacy include “access of a public authority to personal data,” potentially complicating such assessments in line with the broader global debate on “government access to data held by private companies.”

Of note, the Commission is given the possibility under the Act to determine whether “a country, region, or specified sector within a country, or standard contractual clauses, affords an adequate level of protection.” In this sense, it is important to recall that the NDPR and Annex C of the Implementation Framework already provide a white list of 41 countries whose laws are considered adequate. Interestingly, the Act specifically allows the Commission to make an adequacy determination under the Nigerian law based on an adequacy decision “made by a competent authority of other jurisdictions,” if such adequacy is based on similar criteria to those listed in Section 42 of the Act. This opens the door for Nigeria to potentially equivalate adequacy decisions made by foreign bodies, like the European Commission, making an “adequacy network effect” functional. The Commission is also empowered to approve BCRs, Codes of Conduct, and certification mechanisms for data transfers.

Finally, and particularly interesting in the context of emerging certification frameworks like the Global Cross Border Privacy Rules (CBPR) framework, the Act requires that any specific “international, multinational cross-border data transfer codes, rules, or certification mechanisms” relating to data subject protection or data sovereignty must be approved by the National Assembly of Nigeria. This provision on data sovereignty aligns with the Nigeria National Data Strategy, 2022, which incorporates data sovereignty as one of its enabling pillars. Under the Strategy, data sovereignty will facilitate data residency and ensure that data is treated in accordance with national laws and regulations.

In this sense, the Act also empowers the Commission to “designate categories of personal data that are subject to additional specified restrictions on transfer to another country.” This designation would be based on “the nature” of such personal data and on “risks” to data subjects. This provision opens the door to potential future data localization requirements for specific categories of personal data.

8. Enforcement: Legal Foundation for the Nigeria Data Protection Bureau, Creation of a Governing Council and Expected Regulations

Establishment of the Commission

Originally created through an Executive Order in February 2022, the NDPB has now been renamed the “Nigeria Data Protection Commission” and will operate as an independent and impartial body to oversee the Act’s implementation and enforcement. Previously, data protection enforcement in Nigeria was conducted under the auspices of the Nigeria Information and Technology Development Agency. However, concerns that the NITDA lacked powers to oversee data protection in the country may have necessitated the creation of a new agency. The Commission will function as a successor agency, and all persons engaged in the activities of the Commission shall, upon enactment of the Act, have the same rights, powers, and remedies held by the NDPB before the commencement of the law (Section 64(1)). All regulatory instruments issued by the NITDA, including the NDPR, shall remain in force, and shall have the same weight as if they had been issued by the Commission until they expire, are repealed, replaced, reassembled, or altered (Section 64(2)(f)).

Functions and Powers of the Commission

Some of the key functions and powers of the Commission include:

Accrediting, Licensing, and Registering Suitable Bodies to Provide Data Protection Compliance Services (Section 5(c)).

Section 28 of the Act provides the Commission with the power to delegate the duty to monitor, audit, and report on compliance with the law to licensed data protection compliance organizations. This model was introduced under the NDPR and allows the data protection authority to delegate some functions under existing regulations to monitor, audit, and report on compliance by data controllers and data processors. Detailed provisions on the operation of DPCOs can be found under the NDPR and Implementation Framework and shall continue to apply to controllers and processors.

Designating, Registering, and Collecting Fees from Data Controllers and Processors of Major Importance (Section 5(d)).

Following successful registration of a controller or processor of major importance, the Commission is tasked to publish a register of duly registrants on its website. The Commission is also expected to prescribe fees and levies to be paid by this class of controllers and processors.

Participating in international fora and engaging with national and regional authorities responsible for data protection to develop efficient strategies for the regulation of cross-border transfers of personal data (Section 5(j)).

Currently, the Commission’s predecessor, the NDPB, continues to fulfill this mandate, as seen in its recent participation in initiatives such as the Cross Border Privacy Rules Forum.

Issuing Regulations, Rules, Directives, and Guidance.

The Commission is expected to develop certain regulations as prescribed under the law and as detailed above, including in relation to designating new categories of sensitive data, adequate steps for data breach notification, conducting DPIAs, or issuing data localization regulations for specific categories of personal data.

Other functions of the Commission include promoting public awareness and understanding of personal data protection, the rights and obligations imposed under the law, and the risks to personal data; receiving complaints alleging violations of the Act or subsidiary legislation; and ensuring compliance with national and international personal data protection obligations and good practice.

In a bid to ensure that the services of the Commission are accessible beyond urban areas, the Commission is allowed to establish its offices in other parts of Nigeria (Section 3(b)). This is important as part of creating awareness of the importance of data protection across the country.

The Commission will be governed by a “Governing Council” (the Council), whose members will be appointed by the President on the recommendation of the Minister on a part-time basis, drawn from the public and private sector to serve for a term of 5 years that is renewable once. This rule exempts the National Commissioner, who will serve as the Secretary to the Council.

The Council is tasked with providing overall policy direction of the affairs of the Commission, approving strategic and action plans, budgeting support programs submitted by the National Commissioner, as well as providing advice and counsel to the National Commissioner.

9. Offenses, Sanctions, and Compensation: Higher Penalties for Data Controllers and Processors of Major Importance

The Act provides a data subject who has suffered injury, loss, or harm arising from a violation of the law with a private right of action that allows recovery of damages in a civil proceeding. Where a controller or processor violates the provisions of the Act or subsidiary legislation, the Commission may issue a compliance order requiring them to take specific measures to remedy the situation within a specified period as well as inform them of their right to a judicial review. The Commission may also impose an enforcement order or a sanction. In issuing an enforcement order or a sanction, the Commission may:

Require the data controller or processor to remedy the violation;
Order for the compensation of data subjects;
Order the controller or processor to account for profits realized from the violation; or
Impose a penalty.

However, it is not clear from the Act what conditions may trigger an enforcement order, sanction, and thus a penalty or any other such measure. In laws such as Section 62 of Kenya’s Data Protection Act, failure to comply with the requirements of an enforcement order (referred to as a compliance order under the Act) triggers a penalty notice. The Act does not specify the period within which complaints may be heard and concluded.

The penalty amount depends on whether the violator is a data controller or processor of major importance or not. Penalties against data controllers or processors of major importance shall be the higher of N10,000,000 (approximately 22,000 USD) or 2% of the annual gross revenue of the preceding financial year. Penalties against other data controllers and processors shall be greater than N2,000,000 (approximately 4,300 USD) or 2% of the annual gross revenue of the preceding financial year.

The Commission is empowered to create regulations that create new offenses and that impose penalties not exceeding those prescribed under the Act (Section 56(3)).

Conclusion

As Nigeria continues to make its mark within the global digital economy and rapidly expand its technology ecosystem, this Act represents a continued focus on protecting the personal data of Nigerian citizens, in alignment with common internationally accepted principles of data protection.

However, the Act contains unique provisions that should not be overlooked, including a new classification of data controllers and processors “of major importance” and specific obligations attached to them, as well as broader protections for exempt processing activities. Overall, the Act represents a significant step in Nigerian data protection and notably resolves the long-running dispute regarding the identity and institutional authority of Nigeria’s primary data protection regulator.

Unveiling China’s Generative AI Regulation

Authors: Yirong Sun and Jingxian Zeng

The following is a guest post to the FPF blog by Yirong Sun, research fellow at the New York University School of Law Guarini Institute for Global Legal Studies at NYU School of Law: Global Law & Tech and Jingxian Zeng, research fellow at the University of Hong Kong Philip K. H. Wong Centre for Chinese Law. The guest blog reflects the opinion of the authors only. Guest blog posts do not necessarily reflect the views of FPF.

The Draft Measures for the Management of Generative AI Services (the “Draft Measures”) were released on April 11, 2023, with their comment period closed on May 10. Public statements by industry participants and legal experts provided insight into the likely content of their comments. It is now the turn of China’s cyber super-regulator – the Cyberspace Administration of China (“CAC”) – to consider these comments and likely produce a revised text.

This blog analyzes the provisions and implications of the Draft Measures. It covers the Draft Measures’ scope of application, how they apply to the development and deployment lifecycle of generative AI systems, and how they deal with the ability of generative AI systems to “hallucinate” (that is, produce inaccurate or baseless output). It also highlights potential developments and contextual points about the Draft Measures that industry and observers should pay attention to.

The Draft Measures aim to protect the “collective” interests of “the public” within the territory of the People’s Republic of China (PRC) in relation to the Management of Generative AI Services. The primary risk foreseen by the CAC involves the potential use of the novel technology to manipulate public opinion and fuel social mobilization by spreading sensitive or false information. The Draft Measures also seek to tackle issues arising from high-profile societal events, such as data leaks, frauds, privacy breaches, intellectual property infringements, as well as overseas incidents widely reported in Chinese media, including defamation and extreme cases of suicide following interactions with AI chatbots. Notably, the Draft Measures set high standards for data authenticity and impose safeguards for personal information and user input. They also mandate the disclosure of information that may impact users’ trust and the provision of guidance for using the service rationally.

Meanwhile, concerns have arisen that the Draft Measures may slow down the development of generative AI-based products and services by Chinese tech giants. Companies providing services based on generative AI, including those provided through application programming interfaces (“APIs”), are all subject to stringent requirements in the Draft Measures. The Draft Measures thus concern not only those who have the means to train their own models, but also smaller businesses who want to leverage on open-source pre-trained models to deliver services. In this regard, the Draft Measures are likely to present compliance challenges within the open-source context.

While this blog focuses on the Draft Measures, it is important to note that industrial policies from both central and local governments in China also exert substantial influence over the sector. Critically, the task to promote AI advancement amid escalating concerns is overseen by authorities other than the CAC, such as the Ministry of Science and Technology (“MST”) and the Ministry of Industry and Information Technology (“MIIT”). Recently, the China Academy of Information and Communications Technology (“CAICT”), a research institute affiliated with the MIIT, introduced China’s first-ever industry standards¹ for assessing generative AI products. These agencies, along with their competition and coordination, can and will co-play a significant role with the CAC in the realm of generative AI regulation.

1. Notable aspects of the Draft Measures’ scope of application: Definition of “public” and extraterritorial application

Ambiguity in the definition of “public”

The Draft Measures regulate all generative AI-based services offered to “the public within the PRC territory.”² This scope of application diverges from existing Chinese laws and regulations where intended service recipients are not usually considered. For instance, regulations targeting deep synthesis and recommendation algorithms both apply to the provision of service using these technologies regardless of service recipients being individuals, businesses or “the public.” Looking at its context, Article 6 of the Draft Measures suggests that generative AI-based services have the potential to shape public opinion or stimulate social mobilization, essentially highlighting their impact on “the public.” This new development thus likely signifies the CAC’s goal to prioritize the protection of wider societal interests over individual ones such as privacy or intellectual property which could be protected under previous regulations.

However, the Draft Measures leave “the public (公众)” undefined. This gives rise to ambiguity as to the scope of application for the Draft Measures. For example, would a service licensed exclusively to a Chinese private entity for in-house use fall in the scope? How about a service accessible only to certain public institutes but not to the unaffiliated, or one customized for individual clients who each receive a unique product derived from a common foundation model, or simply an open-source model that is ready to download and install?

Extraterritorial application

The new approach also suggests a more extensive extraterritorial reach. Regardless of where the service is provided, as long as the public within the PRC territory has access to it, the Draft Measures apply. To avoid being subject to Chinese law, OpenAI, for example, has reportedly begun blocking users based in mainland China. This development could further restrict Chinese users’ access to overseas generative AI services, especially since even before the Draft Measures were released, most Chinese users’ access to such services was already geo-blocked – either by the service providers themselves (e.g., by requiring a foreign telephone number for registration), or by the Chinese government through enforcement measures. At the same time, the scale of China’s user market and its involvement in AI development render it a “vital” jurisdiction in terms of AI regulation. OpenAI CEO has recently called for collaboration with China to counter AI risks, a trend we might see more in the future.

2. The Draft Measures adopt a compliance approach based on the lifecycle of generative AI systems

The Draft Measures are targeted at “providers” of generative AI-based services

The Draft Measures take the approach of regulating generative AI-based service providers. As per Article 5, “providers (提供者)” are those “using generative AI to offer services such as chat, text, image, audio generation; including providing programmable interface and other means which support others to themselves generate text, images, audio, etc.” The obligations are as follows:

Model Training
- Pretraining and optimization:³ Providers must ensure the legality of the sources of data used for pretraining and optimization of generative AI products (Article 7). Existing laws and regulations, such as the Intellectual Property Law and the Personal Information Protection Law (PIPL), are thus extended to cover this new field.
- Human annotation (if any): Providers must establish necessary annotation rules, provide training for annotation personnel, and conduct spot checks to verify the validity of annotation content (Article 8).
Pre-Launch
- Security assessment and filing: Providers must submit a security assessment to the CAC and register the algorithms they use (Article 6). The CAC has been developing similar filing systems for recommendation algorithms and is likely to draw upon established practices for generative AI.
- Disclosure requirement: Providers shall provide essential information that may impact user trust or decision-making, including descriptions of pre-training and optimization training data, human annotation, as well as foundational algorithms and technological systems (Article 17).
Service Delivery
- Traceability: Providers must label generated images, videos, and other content in accordance with regulations on deep synthesis (Article 16).
- User guidance: Providers shall guide users to scientifically understand generative AI services and to use generated content rationally and legally (Article 18).
- User accountability: Providers shall take necessary measures against users who misuse generative AI products in ways that violate laws, regulations, ethics, or social norms (Article 19). They also need to require users to provide real identity information in accordance with the Cybersecurity Law (Article 9).
- Report mechanism: Providers shall establish a mechanism for receiving and handling user complaints (Article 13). Users also have the right to report directly to the authorities if they discover noncompliant generated content (Article 18).
Post-Launch
- Non-compliant content: Providers must take down noncompliant content using methods like filtering and must prevent repeated generation through techniques such as optimization training within three months (Article 15).
- Content producer: Providers bear responsibility as the producer of the content generated by the product (Article 5).

Incentivizing providers to allocate risk upstream to developers

By imposing lifecycle compliance obligations on the end-providers, the Draft Measures create incentives for end-providers to allocate risks to upstream developers through mechanisms like contracts. Whether the parties can distribute their rights and obligations fairly and efficiently depends on various factors, such as the resources available to them and the presence of asymmetric information among them. To better direct this “private ordering” with significant social implications, the EU has planned to create non-binding standard contractual clauses based on each party’s level of control in the AI value chain. The CAC’s stance in this new and fast-moving area remains to be seen.

The Draft Measures pose potential challenges for deploying open-source generative AI systems

Open-source models raise a related but distinct issue. Open-source communities are currently developing highly capable large language models (“LLMs”), and businesses have compelling commercial incentives to adopt them, as training a model from scratch is relatively hard. However, many open-source models are released without a full disclosure of their training datasets, due to reasons such as the extensive effort required for data cleaning and privacy issues, especially when user data is involved. Adding to this complexity is the fact that open-source LLMs are not typically trained in isolation. Rather, they form a modification chain where the models build on top of each other with modifications made by different contributors. Consequently, for those using open-source models, several obligations in the Draft Measures become difficult or even impossible to fulfill, including pre-launch assessment, post-launch retraining, and information disclosure.

3. The Draft Measures target the “hallucination” of generative AI systems

The Draft Measures describe generative AI as “technologies generating text, image, audio, video, code, or other such content based on algorithms, models, or rules.” In contrast to the EU’s new compromise text on rules for generative AI, which adopts a technical definition of “foundation models,” the Draft Measures focus on the technology’s function, regardless of their underlying mechanisms. Moreover, according to Article 6 of the Draft Measures, generative AI-based services automatically fall under the scope of Regulations for the Security Assessment of Internet Information Services Having Public Opinion Properties or Social Mobilization Capacity, which mandate security assessment. A group of seven Chinese scholars have proposed removing this provision and applying security assessment only to those that actually possess these properties.

The Draft Measures contain provisions targeted at ensuring accuracy throughout the developmental lifecycle of generative AI systems. These echo the CAC’s primary concern that the technology could be misused to generate and disseminate misinformation. Article 7(4) of the Draft Measures stipulates that providers must guarantee the “veracity, accuracy, objectivity, and diversity” of the training data. Article 4(4) of the Draft Measures requires that all content generated be “true and accurate,” and that providers of generative AI-based products and services must adopt measures in place to “prevent the generation of false information.” Such providers are responsible for filtering out any non-compliant material and preventing its regeneration within three months (Article 15). However, industry representatives and legal practitioners in China have raised concerns about the baseline and technical feasibility of ensuring data authenticity, given the use of open internet information and synthetic data in the development of generative AI.

4. Looking Ahead

The CAC is expected to refine the Draft Measures after gathering public feedback. The final version and subsequent promulgation may be influenced by a broader set of contextual factors. We believe the following aspects also warrant consideration:

Risk-specific digital regulation framework The Draft Measures cannot be fully understood on its own and by its text. It takes its shape from existing laws and regulations with risk-specific concerns in the context of mainland China. As mentioned, the CAC has already targeted recommendation algorithms and deep synthesis, which too owe their existence to high-profile societal events involving algorithmic abuses, adolescent Internet addiction, as well as deepfake-related fraud, fake news, and data misuse that sparked widespread consternation. The Draft Measures also rest on upper-level Cybersecurity Law, Data Security Law, PIPL and the measures that directly implement them.

Dynamic interplay of political, economic, and social factors The implementation and enforcement of the Draft Measures will be deeply influenced by strategies, plans, and policies in a broader context. Most are dedicated to promoting the AI industry. Even though China has an 18-month crackdown on its Big Tech, we shouldn’t forget that these very same “national champions” were encouraged to grow and flourish in the first place. A supportive and nurturing regulatory environment was provided domestically to boost their global competitiveness. Besides, it might be more accurate to view the crackdown as resteering, rather than barring, China’s technology sector growth. It redirects the industry towards a path that the country’s policy makers view as healthier, more sustainable – emphasizing independent and secure supply chains, fostering startups, and encouraging significant breakthroughs in areas such as foundational AI frameworks and models.

Multifaceted interaction between different jurisdictions The regulation of generative AI is a global issue, with many shared concerns and demands across various countries. China interacts with other major jurisdictions, and China’s policy discussions on AI regulation often draw comparisons with regulations in jurisdictions like the EU and the US. However, the degree to which learning occurs remains unclear, as China’s approach is also molded by contextual elements and considerations, as well as the dual forces of competition and coordination between nations. For these reasons, relationships among AI regulations in different jurisdictions defy simplistic categorization.

¹Chinese major players in the AI industry are forming interest groups to channel their influence on policy makers. For example, China’s industry standards for generative AI were drafted by over 40 entities including tech companies such as Baidu, SenseTime, Xiaomi, NetEase. SenseTime also launched an open platform for AI safety governance to shape practices around AI regulatory issues such as cybersecurity, traceability, IP protection.

²A widely circulated translation of Article 2 states: “These Measures apply to the research, development, and use of products with generative AI functions, and to the provision of services to the public within the territory of the People’s Republic of China.” However, we believe this is misleading. A more accurate read of the original Chinese text and its context suggest that “the provision of services to the public” is a cumulative requirement rather than a separate one.

³The Draft Measures seem to exhibit technical sophistication in their terminology. In Articles 7 and 17, the data compliance obligation is split into two phases – pre-training and optimization. However, the choice of terminology is peculiar, as the prevailing terms in machine learning are pre-training and fine-tuning. Optimization is typically employed to describe a stage within the training process, often used in conjunction with forward and backward propagation.

FIRST JAPAN PRIVACY SYMPOSIUM CONVENING G7 REGULATORS FOCUSES ON GLOBAL TRENDS AND ENFORCEMENT PRIORITIES

The Future of Privacy Forum (FPF), a global non-profit focused on data protection and privacy, and S&K Brussels LPC will jointly present the first edition of the Japan Privacy Symposium on June 22, 2023. The event will convene in Tokyo, bringing together leaders in the Japanese privacy community with data protection and privacy regulators from across the globe.

The event coincides with the G7 Data Protection Authorities and Privacy Commissioners’ Summit, and the Symposium will convene leaders in the Japanese privacy community with data protection and privacy regulators from across the globe to discuss key issues on AI governance and data protection law, the future of adtech, global cooperation and enforcement trends. The line-up of speakers includes: Ms. Rebecca Kelly Slaughter (Commissioner, U.S. Federal Trade Commission), Dr. Wojciech Wiewiórowski (European Data Protection Supervisor), Mr. Philippe Dufresne (Federal Privacy Commissioner, Canada), Ms. Ginevra Cerrina Feroni (Vice President of the Garante, Italy), Mr. John Edwards (Information Commissioner, UK), with a keynote address from Mr. Shuhei Ohshima (Commissioner, Japan’s Personal Information Protection Commission).

“We’re excited to co-host this valuable event that will bring together data protection and privacy regulators from around the world alongside the Japanese privacy community,” Gabriela Zanfir-Fortuna, FPF’s Vice President for Global Privacy, said. “Data protection and privacy regulators from the G7 economies are meeting in Tokyo to strategize about coordinated approaches to tackle the challenges raised by the advancement of new technologies fueled by data and their impact on society, people, and economy. This Symposium offers a forum for the regulators and the Japanese data protection and privacy community members to exchange ideas, share an overview of the state of play in global regulation and strategize for the future.”

Takeshige Sugimoto, Managing Director and Partner at S&K Brussels LPC, FPF’s Senior Fellow for Global Privacy, and Co-Founder and Board Member of Japan DPO Association, added: “S&K Brussels is delighted to co-host the inaugural Japanese privacy symposium to bring together esteemed privacy and data protection leaders from G7 countries. Opportunities for collaboration in the global data protection and privacy community are vital, and we hope that the Japan Privacy Symposium will set the stage for important participation and dialogue for years to come.”

FPF is focused on the expansion of its international reach in Asia, with its August 2021 Asia Pacific office opening in Singapore and the announcement of a new FPF APAC Managing Director, Josh Lee Kok Thong, last July.

For more information about the event, the agenda, and speakers, visit the FPF site.

###

About Future of Privacy Forum (FPF)

The Future of Privacy Forum (FPF) is a global non-profit organization that brings together academics, civil society, government officials, and industry to evaluate the societal, policy, and legal implications of data use, identify the risks and develop appropriate protections.

FPF believes technology and data can benefit society and improve lives if the right laws, policies, and rules are in place. FPF has offices in Washington D.C., Brussels, Singapore, and Tel Aviv. Follow FPF on Twitter and LinkedIn.

About S&K Brussels LPC

S&K Brussels LPC is a Japanese law firm composed of lawyers and foreign lawyers whose main practice area is data protection and privacy laws in five jurisdictions i.e., EU, UK, US, China and Japan, which opened in Brussels, Belgium in 2019. We focus on Future Proof efforts to read the shape of future regulations, including AI regulations and other data-related regulations as regulations closely related to data protection legislation.

— データ保護とプライバシーに焦点を当てた世界的な非営利団体であるフューチャー・オブ・プライバシー・フォーラム（Future of Privacy Forum（FPF））と弁護士法人S&K Brussels法律事務所は、2023年6月22日に第1回日本プライバシーシンポジウムを共同で開催します。当イベントは、日本のプライバシーコミュニティのリーダーたちと、世界中のデータ保護およびプライバシー規制監督当局が一堂に会し、東京で開催されます。

G7データ保護監督当局・プライバシーコミッショナーのサミットと同時期の開催となる当シンポジウムでは、日本のプライバシーコミュニティのリーダーたちと世界中のデータ保護・プライバシー規制監督当局が一堂に会し、AIガバナンスとデータ保護法、広告技術の未来、グローバル協力、執行動向に関する重要課題について議論する予定です。当シンポジウムでは、レベッカ・ケリー・スローター（Rebecca Kelly Slaughter）氏（米国連邦取引委員会委員）、ヴォイチェフ・ヴィエヴィオロフスキー（Wojciech Wiewiórowski）氏（欧州データ保護監督官）、フィリップ・デュフレーヌ（Philippe Dufresne）氏（カナダ連邦プライバシーコミッショナー）、ジネーヴラ・チェリーナ・フェローニ（Ginevra Cerrina Feroni）氏（イタリアデータ保護監督当局（Garante）副委員長）、ジョン・エドワーズ（John Edwards）氏（英国情報コミッショナーオフィス情報コミッショナー）にパネリストとして御登壇頂くとともに、大島周平（Shuhei Ohshima）氏（日本個人情報保護委員会委員）に基調講演に御登壇頂きます。

FPFのグローバルプライバシー担当副社長であるガブリエラ・ザンフィル＝フォルトゥナ（Gabriela Zanfir-Fortuna）氏は、「世界中のデータ保護およびプライバシー規制監督当局と日本のプライバシーコミュニティが集まるこの貴重なイベントを共催できることを大変嬉しく思います」、「G7経済圏のデータ保護およびプライバシー規制監督当局が東京に集まり、データによって促進される新しい技術の進歩や、それらが社会、人々、経済に与える影響によって生じる課題に取り組むための協調的なアプローチについて戦略を練っています。当シンポジウムは、規制監督当局と日本のデータ保護およびプライバシーコミュニティのメンバーが意見を交換し、世界の規制の現状を共有し、将来に向けて戦略を立てるための場を提供するものです。」と述べています。

弁護士法人S&K Brussels法律事務所代表パートナー、FPFのグローバルプライバシー担当シニアフェロー、一般社団法人日本DPO協会の共同設立者兼理事である杉本武重（Takeshige Sugimoto）氏は「S&K Brusselsは、G7諸国の尊敬すべきプライバシーとデータ保護のリーダーたちが集まる、第1回日本プライバシーシンポジウムを共同開催することができて嬉しく思います。世界のデータ保護とプライバシーコミュニティにおける協力の機会は不可欠であり、日本プライバシーシンポジウムが、今後何年にもわたって重要な参加と対話の舞台となることを期待しています。」と述べています。

FPFは、2021年8月にアジア太平洋オフィス（FPF APAC）をシンガポールに開設し、昨年7月には新しいFPF APACマネージングディレクターのジョシュ・リー・コク・トン（Josh Lee Kok Thong）氏の就任を発表するなど、アジアでの国際展開に力を入れています。

当イベントの詳細、アジェンダおよび登壇者については、FPFのウェブサイトを御覧下さい。

###

Future of Privacy Forum（FPF）について

Future of Privacy Forum（FPF）は、学術関係者、市民社会、政府関係者、産業界が集まり、データ活用の社会的、政策的、法的な意味を評価し、リスクを特定し、適切な保護を開発するための世界的な非営利団体です。FPFは、適切な法律、政策および規則が整備されれば、技術とデータは社会に利益をもたらし生活を向上させることができると考えています。FPFはワシントンD.C.、ブリュッセル、シンガポールおよびテルアビブにオフィスを構えています。TwitterとLinkedInでFPFをフォローしてください。

S&K Brussels法律事務所について

S&K Brussels法律事務所は2019年にベルギーのブリュッセルで開業したEU、英国、米国、中国及び日本の5つの法域のデータ保護法制を主な取扱分野とする弁護士・外国弁護士によって構成される日本の法律事務所です。データ保護法制に密接に関連する規制としてのAI規制をはじめとするデータ関連規制を含め、将来の規制の形を読むFuture Proofの取組みに力を入れています。

FPF at CPDP 2023: Covering Hot Topics, from Data Protection by Design and by Default, to International Data Transfers and Machine Learning

At this year’s annual Computers, Privacy and Data Protection (CPDP) conference in Brussels, several Future of Privacy Forum (FPF) staff took part in different panels, organized by FPF, as well as academic, industry, and civil society groups. This blogpost provides a brief overview of these exciting events, and CPDP will publish recordings of them shortly.

May 24: EU Commission and ASEAN launch Joint Guide to Model Clauses for Data Transfers

On the conference’s first day, FPF Vice President for Global Privacy Gabriela Zanfir-Fortuna joined a panel organized by Haifa Center for Law and Technology (Faculty of Law, University of Haifa) on the GDPR’s effectiveness, alongside Tal Zarsky, Dean and Professor of Law at the University of Haifa’s Faculty of Law, Raphael Gellert, assistant professor in ICT and private law at Radboud University, Sam Jungyun Choi, associate in the technology regulatory group of Covington & Burling LLP, and Amit Ashkenazi, research student and adjunct lecturer on cyber law and policy at the University of Haifa. The panel contributed to current reflections on the effectiveness of the GDPR, five years after its enactment, by focusing on challenges arising from the regulatory design it sets forth. Gabriela noted that data protection law is much broader than the GDPR because it has a fundamental element behind it, meaning that the right to the protection of personal data is protected as a fundamental right at a constitutional level in the EU. She also stressed that ongoing adoption of the GDPR has catalyzed more societal interest in law, technology, and data protection rights and concepts.

Photo: CPDP Panel on Exploring the Many Faces of the GDPR – in Search of Effective Data Protection Regulation, 5/24/2023

Later that day, Gabriela moderated a panel organized by the EU Commission, which served as a platform to launch a “Joint Guide to ASEAN Model Contractual Clauses and EU Standard Contractual Clauses.” The Guide identifies commonalities between the two sets of model clauses and aims to “assist companies present in both jurisdictions with their compliance efforts under both sets of clauses.” The panel was joined by Denise Wong, Deputy Commissioner-designate, Personal Data Protection Commission Singapore, and Assistant Chief Executive-Designate of the Infocomm Media Development Authority, Alisa Vekeman, European Commission, International Affairs and Data Flow team, and Philipp Raether, Group Chief Privacy Officer, Allianz. The panelists noted that model clauses are the most used mechanisms for international data transfers and that efforts like the Joint Guide are a promising solution for a global regime underpinning flows of personal data across different jurisdictions, while providing safeguards for individuals and their data. Officials in the panel noted that the Guide is just the first step in this EU-ASEAN collaboration on model clauses, noting that a set of best practices from companies who use both is to be expected in the near future.

To wrap up the first day of the conference, FPF’s Policy Councel for Global Privacy, Katerina Demetzou, joined a panel on the constitutionalization of data rights in the Global South, along with Mariana Marques Rielli, Institutional Development Coordinator at Data Privacy Brazil, Laura Schertel Mendes, law Professor at the University of Brasilia (UnB) and at the Brazilian Institute for Development, Education and Research (IDP) and Senior Visiting Researcher at the Goethe-Universität Frankfurt am Main with the Capes/Alexander von Humboldt Fellowship, and Risper Onyango, advocate of the High Court of Kenya, currently serving as a Digital Policy Lead under the Digital Economy Department at the Lawyers Hub. In her intervention, Katerina explored how the GDPR has been applied by Data Protection Authorities in Europe to emotion recognition AI systems and to Generative AI. Her examples emphasized that discussions about AI governance and AI regulation should examine existing data protection law applications to these systems and develop in response to gaps in these legal systems.

Photo: Panel on From Theory to Practice: Digital Constitutionalism and Data Justice in Movement in the Global South, 5/24/2023

May 25: High Level Discussion Spurred by FPF’s Data Protection by Design and by Default Case-Law Report

On May 17, FPF launched a comprehensive Report on the enforcement of the EU’s GDPR Data Protection by Design and by Default (DPbD&bD) obligations, which are outlined in GDPR Article 25. The Report is informed by extensive research covering more than 92 decisions from Data Protection Authorities (DPAs) and national Courts, and it offers specific Guidance and other policy documents issued by regulators.

On May 25, FPF organized a panel moderated by the Report’s co-author Christina Michelakaki, FPF Policy Fellow for Global Privacy, on the enforcement of Article 25 GDPR and the uptake of Privacy Enhancing Technologies (PETs). Marit Hansen, State Data Protection Commissioner of Land Schleswig-Holstein, Jaap-Henk Hoepman, Professor, Radboud University Nijmegen/University of Groningen, Cameron Russell, Primary Privacy Advisor on Global Payments Matters at eBay, and Stefano Leucci, Legal and Technology expert at the European Data Protection Supervisor joined the panel. The speakers offered their perspectives on the Article 25 GDPR enforcement, delving into topics such as the interrelation between dark patterns and by default settings, the role of Article 25 GDPR in preventing harms from AI systems, and the maturity of PETs.

Photos: CPDP workshop on State-of-Play of Privacy Preserving Machine Learning (PPML), and CPDP Panel on the Enforcement of Data Protection by Design & Default: Consequences for the Uptake of Privacy-Enhancing Technologies, 5/25/2023

Photo: CPDP Panel on the Enforcement of Data Protection by Design & Default: Consequences for the Uptake of Privacy-Enhancing Technologies, 5/25/2023

FPF’s Managing Director for Europe, Rob van Eijk, organized and facilitated a workshop exploring how to clear the path towards alternative solutions for processing of (personal) data with Machine Learning. Four data scientists, Lindsay Carignan (Holistic AI), Nigel Kingsman (Holistic AI), Victor Ruehle (Microsoft Research), and Reza Shokri (National University of Singapore) joined the workshop. The group introduced an easy to understand privacy auditing framework that quantitatively measures privacy risks in ML systems, while also exploring the relationship between bias and regulations in legislation such as the EU AI Act. You can watch the recording of the workshop here.

The same day, Rob also joined a panel on PETs, consumer protection, and the online ads ecosystem with Marek Steffen Jansen, Privacy Policy Lead – EMEA/Global at Google, Anthony Chavez, VP of Product Management of Google, Marie-Paule Benassi, lawyer, economist, data scientist, and Head of Enforcement of Consumer Law and Redress at the European Commission, Stefan Hanloser, VP Data Protection Law at ProSiebenSat.1 Media SE, and Christian Reimsbach-Kounatze, Information Economist and Policy Analyst at the OECD Directorate for Science, Technology and Innovation. You can watch the recording of the panel here.

May 26: Reflections on automation, compliance and data protection law

Finally, Gabriela participated in a day-long “philosopher’s seminar” on compliance and automation in data protection law organized by CPDP, ALTEP-DP, COHUBICOL under the leadership of Prof. Mireille Hildebrandt, which will flow into a series of published research papers later on in 2023.

While celebrating the five years anniversary of the GDPR becoming applicable, at a pivotal moment of growth and change for emerging technologies, CPDP 2023 in Brussels gave the FPF team an extraordinary opportunity to engage with and facilitate collaborative dialogues with leading academics, technologists, policy experts, and regulators.

New FPF Report: Unlocking Data Protection by Design and by Default: Lessons from the Enforcement of Article 25 GDPR

On May 17, the Future of Privacy Forum launched a new report on enforcement of the EU’s GDPR Data Protection by Design and by Default (DPbD&bD) obligations, which are outlined in GDPR Article 25. The Report draws from more than 92 data protection authority (DPA) cases, court rulings, and guidelines from 16 EEA member states, the UK, and the EDPB to provide an analysis of enforcement trends regarding Article 25. The identified cases cover a spectrum of personal data processing activities, from accessing online services and platforms, to tools for educational and employment contexts, to “emotion recognition” AI systems for customer support, and many more.

The Report aims to explore the effectiveness of the DPbD&bD obligations in practice, informed by how DPAs and courts enforced Article 25. For instance, we analyze whether DPAs and courts find breaches of Article 25 without links to other infringements of the regulation and what provisions enforcers tend to apply together with Article 25 the most, including the general data protection principles and requirements related to data security under Article 32. We also look at what controls and controller behavior are and are not deemed sufficient to comply with Article 25.

The GDPR’s DPbD&bD provisions in Article 25 oblige controllers to: 1) adopt technical and organizational measures (TOMs) that, by design, implement data protection principles into data processing and protect the rights of individuals whose personal data is processed; and 2) ensure that only personal data necessary for each specific purpose is processed. Given the breadth of these obligations, it has been argued that Article 25 makes the GDPR “stick” by bridging the gap between its legal text and practical implementation. GDPR’s DPbD&bD obligations are seen as a tool to enhance accountability for data controllers, implement data protection effectively, and add emphasis to the proactive implementation of data protection safeguards.

Our analysis on the enforcement, and ultimately the effectiveness, of Article 25 is all the more important, given the increasing development and deployment of novel technologies involving very complex personal data processing, like Generative AI, and rising data protection concerns. Understanding how Article 25 obligations manifest in practice and the requirements of DPbD&bD may prove essential for the next technological age.

This Report outlines and explores the key elements of GDPR Article 25, including the:

Role of the controller;
Qualified nature of the obligation;
Concept of appropriate TOMs;
Stage of the data processing activity in which TOMs should be applied; and
Effectiveness requirement.

Additionally, we analyze the individual concepts of “by Design” and “by Default,” identify divergent enforcement trends, and explore three common applications of Article 25 (direct marketing, privacy preservation and Privacy Enhancing Technologies (PETs), and EdTech). This Report also includes a number of Annexes that seek to provide more information on the specific cases analyzed and a comparative overview of DPA enforcement actions.

Our analysis determines that European DPAs diverge in how they interpret the preventive nature of Article 25 GDPR. Some are reluctant to find violations in cases of isolated incidents or where Article 5 GDPR principles are not violated, while others apply Article 25 preventively before further GDPR breaches or even planned data processing. Our research also finds that most DPAs are reluctant to specify appropriate protective measures and to explicitly outline the role of PETs. Ultimately, the Report shows that despite the novelty of Article 25, and the criticism surrounding its vague and abstract wording, it is a frequent source of some of the highest GDPR fines, highlighting the need for organizations to maintain a firm grasp over the concepts of DPbD&bD.

Download the Report

Vietnam’s Personal Data Protection Decree: Overview, Key Takeaways, and Context

Author: Kat MH Hille

The following is a guest post to the FPF blog from Kat MH Hille, an attorney with expertise in corporate, aviation, and data protection law. She graduated with a J.D. from the University of Iowa, School of Law, and has extensive experience practicing law in both the United States and Vietnam (contact: https://www.linkedin.com/in/katmhh/). The guest blog reflects the opinion of the author only. Guest blog posts do not necessarily reflect the views of FPF.

On April 17, 2023, the Vietnamese Government promulgated the Decree of Personal Data Protection (Decree), which was initially published as a draft on February 9, 2021 and went through several revisions. Before the Decree’s issuance, personal data protection in Vietnam was governed by 19 different laws and regulations, resulting in a fragmented legal framework. The Decree aims to fill these gaps and provide a comprehensive and uniform approach to personal data protection in Vietnam, extending safeguards for personal data to over 97 million people.

This post provides an overview of the Decree, including key dates, context, legal effects, requirements and how they fare with other comprehensive data protection law regimes around the world. Building on this foundation, certain key provisions and notable features of the Decree that warrant attention, including:

A prohibition on the sale and purchase of personal data through any means unless otherwise permitted by law.
The recognition of “Personal Data Controllers and Processors” as a distinct legal entity, with a mixed nature.
A strict purpose limitation principle that doesn’t allow for other uses of personal data than for the “registered purposes”.
Location data, creditworthiness, and financial data are protected as sensitive data, among other categories.
The Decree does not include “legitimate interests” among the lawful grounds for processing personal data, but it includes a permission related to personal data made public through legal means.
A specific clarification that silence or lack of response from the data subject does not constitute valid consent.
Increased transparency notices about personal data processed for advertising and marketing purposes.
Access requests require hefty documentation from data subjects, but they must be responded to within 72 hours – so do correction and deletion requests.
Data Transfer Assessments and a registration with the competent authority are requirements for all cross-border data transfers.
The lack of a prescriptive list of fines and sanctions.
Enforcement entrusted to an existing Government agency.

These provisions will be discussed in detail below.

1. Overview

The Decree is significant despite its lower status in Vietnam’s hierarchy of laws

As personal data protection is a new and developing area of law in Vietnam, Vietnam’s first legislative instrument on personal data protection takes the form of a “decree,” which is ranked lower in Vietnam’s statutory hierarchy than a code or law, and it is the result of executive action. A benefit of enacting a decree is that it can be done so more easily, without the need for approval from the National Assembly. Nevertheless, the Vietnamese Government’s goal is to ultimately enact a comprehensive and robust law for effective and enforceable personal data protection in 2024, according to a Decision issued by the Prime Minister in January 2022.

However, the Decree’s status means that in the event of conflicting regulations on the same issue, codes and laws would take precedence over the Decree. That said, the Decree remains the first comprehensive personal data protection regulation in Vietnam. Despite its lower legal status, the Decree still carries significant weight and impact in regulating personal data protection in Vietnam, and those who fail to comply with its provisions will still face legal consequences.

The Decree incorporates a unique blend of global standards and Vietnamese characteristics

Like other data protection laws inspired by the European Union (EU)’s General Data Protection Regulation (GDPR), the Decree sets out the responsibilities of organizations and individuals that process personal data, as well as the rights of individuals over their personal data.

However, the Decree also includes unique provisions that are specific to Vietnam’s context, such as a prohibition on the sale and purchase of personal data through any means, unless otherwise provided by law (Article 3.4), which may have significant consequences on the activity of data brokers and other businesses engaged in commodification of personal data. Additionally, organizing the collection, transfer, purchase, or sale of personal data without the consent of the data subject or the act of establishing software systems, as well as implementing technical measures for these purposes constitutes a violation of the Decree.

The Decree introduces the concept of “Personal Data Controllers and Processors,” which are entities or individuals that function both as Personal Data Controllers and Personal Data Processors. This definition is unique to the Decree and distinguishes it from other data protection laws around the world that typically only recognize the separate categories of Personal Data Controllers and Personal Data Processors. While the inclusion of Personal Data Controllers and Processors is meant to provide greater clarity and precision in defining the roles and responsibilities of different actors involved in personal data processing, it may actually add unnecessary complexity to the already complex landscape of privacy laws. This is because a single entity could be classified as both a Personal Data Controller and a Personal Data Processor depending on the specific definition being used, making it difficult to navigate and comply with the requirements of different privacy laws across different jurisdictions.

Further, the enacted Decree does not include a specific fine structure for violation of the Decree (the 2021 draft of the Decree proposed specific fines for single violations of the Decree, including fines of up to 5% of a personal data processor’s revenue for the most serious violations). Rather, the enacted Decree outlines a general provision that violators may be subject to disciplinary action, administrative penalties, or criminal prosecution, depending on the seriousness of the offense.

Furthermore, compared with the 2021 draft of the Decree, the final Decree does not provide for the establishment of a personal data protection commission to enforce the regulation. Rather, the Decree assigns responsibility for enforcing its requirements to an existing agency within the Ministry of Public Security (MPS), the Cybersecurity and High-Tech Crime Prevention Department (A05).

While MPS will need to clarify key provisions in subsequent regulations, the Decree creates the first comprehensive foundation to govern data processing activities in Vietnam. The Decree will take effect on July 1, 2023, giving organizations only two months to make the necessary adjustments to their business and operations in order to comply with the new regulations. Significant aspects of the Decree are explored below in greater detail.

2. The (extra)territorial scope introduces a nationality criterion for covered entities

The Decree applies to Vietnamese agencies, organizations, and individuals (whether based within or outside of Vietnam), and to foreign agencies, organizations, and individuals that are either based in Vietnam or that are based overseas and directly participate in or are otherwise involved in personal data processing activities in Vietnam.

Note that “personal data processing” covers a wide range of activities in relation to personal data, including collection, recording, analysis, verification, storage, alteration, disclosure, combination, access, retrieval, erasure, encryption, decryption, copying, sharing, transmission, provision, transfer, and deletion, as well as other related actions (Article 2.7).

There is still ambiguity as to the distinction between being “involved in” and “directly participating in” personal data processing activities, as well as the level of involvement with such activities that would bring a party within the scope of the Decree. Clarity on these issues through further regulations or guidance would be useful, especially considering that many third-party service providers or software vendors may arguably have some involvement in processing personal data.

3. The Decree recognizes a slightly different set of covered actors than other data protection laws

The Decree covers four categories of parties who process personal data:

“Personal Data Controllers” (PDCs) are organizations or individuals that determine the purposes and means of personal data processing. Personal Data Controllers have the most obligations under the Decree.
“Personal Data Processors” (PDPs) are organizations or individuals that process personal data on behalf of a Personal Data Controller under a contract or agreement with the Personal Data Controller.
“Personal Data Controllers and Processors” (PDCPs) are organizations or individuals that are simultaneously Personal Data Controllers and Personal Data Processors.
“Third Parties” (TPs) are any organization or individual authorized to process personal data other than Data Subjects, Personal Data Controllers, Personal Data Processors, or Personal Data Controllers and Processors.

In recognizing a distinction between controllers and processors, the final Decree removes ambiguity that was present in the 2021 draft of the Decree, which only provided for two categories of actors: personal data processors and third parties.

4. New processing principles, such as “no sale and purchase of personal data by any means”

The Decree outlines eight principles that govern data processing activities, which are similar to those recognized by the GDPR, including lawfulness, transparency of processing, purpose limitation, data minimization, accuracy, storage limitation, and appropriate measures to ensure the security of personal data. However, there are some notable differences.

Sale or Purchase of Personal Data: The Decree takes a more stringent stance than the GDPR by explicitly prohibiting the sale and purchase of personal data in any form, unless otherwise permitted by law. However, another provision in the Decree states that the act of “setting up software systems, technical measures or organization of the … purchase and sale of personal data without the consent of the data subject” is a violation (Article 22). Read together, the two provisions appear to imply that the purchase or sale with consent from the data subject could be permissible. Due to its ambiguity, further clarification is needed.

This stringent prohibition is a direct response to the numerous cases of personal data misuse that have occurred in Vietnam in recent years, including identity theft, financial fraud, intrusive advertising, and the exploitation of vulnerable individuals. A report showed that in 2022 alone, more than 17 million pieces of personal data were illegally harvested and sold for fraud and each personal data entry has been traded 987 times per day. However, the inclusion of a strict prohibition may conversely have a significant impact on industries that rely heavily on the use of personal data to drive innovation and business growth. It is possible that future circulars or guidelines may provide more clarity on this issue, including potential exceptions or allowances for certain use cases.

Notwithstanding this broad prohibition, PDCs and PDCPs may still share personal data with others if they obtain the data subject’s consent to do so, except when such sharing could harm national defense, national security, or public order and safety or could affect the safety or physical or mental health of others (Article 14). However, business entities and individuals providing marketing, product launching, and advertising services may only utilize personal data of their customers collected through their own business activities for conducting such services, if they obtain the data subject’s consent (Article 21).

Purpose Limitation: The Decree imposes a stricter purpose limitation compared to the GDPR, which allows for additional processing if it is compatible with the original purpose. Under the Decree, personal data can only be processed for the specific purposes that have been “registered” or “declared” by the PDC, PDP, PDCP, or TP. This requires these entities to ensure that their data processing activities do not deviate from or expand upon the registered and declared purposes. However, it is important to note that the Decree does not provide any guidance on how processing purposes are to be registered.

5. Covered data: broad definition of sensitive personal data, and stricter accountability rules for its processing

The Decree provides a broad definition of personal data, aligned with other comprehensive data protection laws. It defines personal data as any information that is expressed in the form of symbol, text, digit, image, sound or in similar forms in an electronic environment that is associated with a particular natural person or helps identify a particular natural person. Personally identifiable information means any information that is formed from the activities of an individual and, when used with other maintained data and information, can identify such particular natural person.

The Decree categorizes personal data into two groups: basic personal data and sensitive personal data, and includes an additional set of rules for the latter.

Basic personal data includes the following forms of personal data:

A person’s name(s);
A person’s date of birth, death, or having gone missing;
A person’s gender;
A person’s place of birth or residence;
A person’s nationality;
An image of an individual;
A number associated with a person, such as a telephone number or a number in an official document, such as an identity card number, driver’s license number, etc.;
A person’s marital status;
Information about a person’s family relationships;
Information about the individual’s online accounts or activities; and
Any other types of personal data that do not qualify as sensitive personal data.

Sensitive personal data is defined as personal data related to an individual’s privacy, a breach of which would directly affect the individual’s legitimate rights and interests.

The Decree provides a non-exhaustive list of types of personal data that would be considered sensitive, including:

A person’s political or religious views;
Information about a person’s health status or private life that is included in a person’s medical record (other than information about a person’s blood type);
Information relating to a person’s racial or ethnic origin;
Information about an inherited or acquired genetic characteristics of an individual;
Information about an individual’s physical attributes and biological characteristics;
Information about an individual’s sex life or sexual orientation;
Data about crimes and offenses that are collected and stored by law enforcement agencies;
Customer information of credit institutions, foreign bank branches, payment intermediary service providers, and other authorized organizations;
Information about the location of an individual that has been obtained through location services; and
Any other information that is subject to legal requirements to implement specific security measures.

The list of sensitive personal data provided is more extensive than the GDPR’s definition of sensitive personal data. It includes types of data such as customer information from financial institutions and location data obtained through location services. As non-cash transactions and targeted advertising become increasingly prevalent in Vietnam, these types of data are frequently collected by most businesses. As a result, a wider range of entities, including small and medium businesses, may be subject to sensitive personal data protection requirements due to the broad scope of the list.

The Decree imposes more stringent protection measures for sensitive personal data than for basic personal data. For instance, regulated entities that process sensitive personal data must specifically notify data subjects of any processing of their sensitive personal data. Organizations that are covered by the Decree also must designate a department within their organization and appoint an officer which will be responsible for overseeing the protection of sensitive personal data and communicating with the A05.

Nevertheless, it is important to note that small, medium, and start-up enterprises are given a grace period of 2 years from their establishment to comply with these sensitive data requirements, unless such enterprises are directly engaged in processing personal data (Article 43). To qualify for the exemption, companies in agriculture, forestry, aquaculture, industrial, and construction sectors must have fewer than 200 employees and annual revenue below 200 billion Vietnamese dong (equivalent to approximately 8.7 million USD) or total capital below 100 billion Vietnamese dong (approximately 4.3 million USD), while commercial and service sector companies must have fewer than 100 employees and annual revenue below 300 billion Vietnamese dong (approximately 13 million USD) or total capital below 100 billion Vietnamese dong (approximately 4.3 million USD) in accordance with Decree No. 80/2021/ND-CP (2021) on Elaboration of Articles of the Law on Provision of Assistance for Small and Medium Enterprises.

6. Legal bases for processing personal data: no “legitimate interests,” but introducing “publicly disclosed” personal data

The Decree recognizes six legal bases for processing personal data, namely:

Where valid consent for processing personal data is obtained from the data subject;
In cases of emergency where personal data must be processed immediately to protect life or health of the data subject or others;
Where the personal data is publicly disclosed in accordance with the law;
Where a competent state agency processes personal data:
- In a state of emergency relating to national defense and security, social order and safety, major disasters, or dangerous epidemics;
- When there is a risk of threat to national security and defense that has not yet reached the level of declaring a state of emergency; or
- To prevent and combat riots, terrorism, crimes, and violations of the law;
Where personal data is processed to fulfill contractual obligations of the data subject with relevant agencies, organizations, or individuals as provided by law; and
Where personal data is processed to serve the operations of state agencies as prescribed by specialized laws.

Additionally, under Article 18 of the Decree, competent governmental agencies may obtain personal data from audio and video recording activities in public places without the consent of data subjects. However, when conducting recording activities, the authorized agencies and organizations are responsible for informing data subjects that they are being recorded.

Notably, the Decree does not provide a “legitimate interests” lawful ground like the GDPR. Nevertheless, legitimate interests are recognized in other provisions of the Decree. In particular, Article 8 stipulates “Prohibited Acts,” including processing personal data to create information that affect “legitimate rights and interests of other organizations and individuals”.

As for “valid consent”, there are several conditions that must be met when obtaining it, pursuant to Article 11 of the Decree:

The consent must be freely given and fully informed.
The consent must be explicitly and specifically expressed. This can be done in writing, orally, or through other clear actions, such as checking a consent box, sending a text message, or selecting technical consent settings. The consent must also be given in a format that can be printed, copied, or verified, meaning that it must be able to be saved and documented for future reference.
When making a request for consent, the PDC and the PDCP must list out the types of personal data, the purposes for which consent is sought, organizations and individuals processing personal data and the rights and obligations of data subjects. The consent applies only to the specific purpose(s) stated. This language suggests that catch-all consent to all purposes is not allowed.
Furthermore, partial or conditional consent is allowed, but silence or lack of response from the data subject does not constitute valid consent. This appears to preclude implied or deemed forms of consent.
Consent for processing the personal data of a missing or deceased person may be obtained from the person’s spouse, children, or parents. If none of these individuals are available, valid consent cannot be obtained (Article 19).

The given consent remains valid until it is withdrawn by the data subject or until a competent state agency requests otherwise in writing. PDCs and PDCPs bear the burden of proof in case of a dispute regarding the lack of consent from a data subject.

Data subjects may request to withdraw their consent to processing of their personal data (Article 12). When a data subject does so, the PDC or PDCP must inform the data subject of any potential negative consequences or harms from the withdrawal of consent.

If the data subject still wishes to proceed, all parties involved in processing the personal data, including the PDC or PDCP and any PDPs or TPs, must cease processing the personal data. There is no set time frame for fulfilling this obligation, but it should be done within a reasonable period of time.

The withdrawal of consent must be in a format that can be printed, copied in written form, or verified electronically. The withdrawal of consent shall not render unlawful any data processing activities that were lawfully performed based on the consent given prior to the withdrawal.

7. The rights of the data subject include transparency and control rights, but also rights to legal remedies

Article 9 of the Decree provides data subjects with 11 rights over their personal data, which are linked to corresponding obligations on entities that process personal data:

Right to be informed about the processing activities involving their personal data.
Right of consentor to withhold consent to the processing of their personal data.
- However, if a data subject chooses to provide consent for the processing of their personal data, the data subject is responsible for ensuring that any information provided is accurate and complete (Article 10).
Right to access their personal data in order to view, correct, or request correction of the data.
Right to withdraw consent to the processing of their personal data.
Right to delete their personal data or request that such data be deleted
Right to restrict processing of their personal data by request.
Right to be provided with a copy of their personal data or port their personal data to another entity.
Right to object to use or disclosure of their personal data for advertising and marketing purposes.
Right to make complaints and denunciations and/or commence legal action according to law.
Right to claim damages according to law where data subjects’ rights under personal data protection regulations have been violated, unless parties agree to the contrary, or as otherwise provided by law.
Right to request orders for protection of their rights under relevant provisions of the Civil Code, the Decree, and other laws. Available orders under Article 11 of Vietnam’s Civil Code include termination of the violating act, public apology or rectification, performance of civil obligations, compensation, or reversal of a violating decision.

Note that all of these rights are subject to exceptions provided by the Decree or other relevant laws.

7.1. Transparency requirements include detailed notices and access rights on a tight deadline

According to Article 11 and 13, before processing a data subject’s personal data, a PDC or PDCP must provide a notification to the data subject containing the following information:

The types of personal data being processed;
The purpose(s) for processing the data;
The means of processing data;
The organizations or individuals involved in processing of the data;
The data subject’s rights and obligations under the Decree;
Potential consequences and harms from processing;
The duration of processing, including the start and end dates; and
Where personal data is processed for advertising and marketing purposes, the content, method, form, and frequency of product marketing (Article 21).

However, such notification is not required when personal data is being processed by a competent state authority or if the data subjects have been fully informed of, and have given valid consent to, the processing of their personal data.

Data subjects have the right to request that PDCs and PDCPs provide them with a copy of their personal data or share a copy of their personal data to a third party acting on their behalf (Article 14). The PDC or PDCP must fulfill such a request within 72 hours of receiving it.

The request must be submitted in the Vietnamese language and made in a standardized format as set out in the Appendix to the Decree. The request must include the requestert’s full name, residential address, national identification number, citizen identification card number, or passport number; fax number, telephone number, and email address (if any); and the form of access and the reason and purpose for requesting the personal data. The data subject must also specify the name of the document, file, or record to which their request pertains (Article 14.6). This requirement can impose a significant burden on data subjects as they may not always be fully aware of which documents or records their personal data is contained within. Additionally, the complexity of data processing can further complicate matters and make it difficult for the data subject to identify the relevant documents.

It is important to note that, unlike the GDPR, the Decree does not require a PDC or PDCP to provide data subjects with comprehensive information about the processing of their personal data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.

Moreover, there are certain circumstances in which a PDC or PDCP are not required to provide the data subject with a copy of their personal data. These include where:

Such provision may threaten national defense, national security, or social order and safety;
Such provision may endanger the safety, physical, or mental health of others; or
The data subject has not given consent for the disclosure or authorized a representative to receive their personal data.

7.2. The Decree provides for an absolute right to object to processing, as well as correction and deletion rights

A PDC or PDCP must promptly fulfill a data subject’s request to access their personal data, correct their personal data, or have their personal data corrected, according to Article 15.

The PDP and any third party shall be authorized to edit the personal data of the data subject only after obtaining written consent from the PDC and PDCP and ensuring that the data subject has given their consent.

If the PDC or PDCP is unable to fulfill the request due to technical or other reasons, the PDC or PDCP must notify the data subject within 72 hours.

If a data subject requests that the processing of their personal data be restricted or otherwise objects to the processing of their personal data, the PDC or PDCP must respond to the request within 72 hours of receiving it (Article 9).

One important difference between this requirement and the one in the GDPR is that the Decree does not provide any exceptions to this requirement. Under the GDPR, a controller may be able to demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the data subject, or may be able to claim that they need the data for the establishment, exercise, or defense of legal claims.

According to Article 16, the PDC or PDCP must delete personal data about a data subject within 72 hours of a request by the data subject, if:

The personal data is no longer necessary for the purpose to which the data subject consented;
The data subject withdraws consent for processing of the personal data;
There is no lawful reason to continue processing the personal data;
The personal data is processed for a purpose other than one to which the data subject has consent or is otherwise is processed unlawfully; or
Deletion of the personal data is required by law.

Personal data shall be deleted irretrievably by the PDC, PDCP, PDP, and/or TP if it was processed for improper purposes or the consented purpose(s) has been fulfilled, if storage is no longer necessary, or if the entity responsible for the data has dissolved or terminated business operations due to legal reasons.

Like the GDPR, the Decree recognizes certain exceptions to the right to delete personal data, such as where:

The law prohibits deletion of the personal data;
Continued processing of the personal data is necessary for legal, statistical, or scientific research purposes; or
The personal data is processed by a competent government agency for lawful purposes or in emergency situations that threaten life, health, or safety.

However, unlike the GDPR, personal data that has been lawfully made available to the public is also exempt from the right to deletion (Article 18). As a result, the PDC or PDCP may reject a data subject’s request to delete personal data that has become public, regardless of whether there are any other lawful grounds for retaining such data. This differs from the GDPR, which does not provide exceptions based solely on the public availability of data.

8. Obligations of Controllers and Processors, from written processing agreements to data security and accountability obligations

PDPs are under an obligation to only receive personal data from a PDC after signing an agreement on data processing with the PDC and only process the data within the scope of that agreement (Article 39). The Decree also provides that personal data must be deleted or returned to the PDC upon completion of the data processing.

8.1. Data security and data breach notification requirements

The Decree has dedicated data security requirements for PDCs. For instance, Article 38 asks them to implement organizational and technical measures, as well as appropriate security and confidentiality measures to ensure that personal data processing activities are conducted lawfully. They also need to review and update these measures as necessary, and record and store a log of the system’s personal data processing activities.

Appropriate security measures are also relevant in the PDC – PDP relationship, as PDCs must select a suitable PDP for specific tasks and only work with a PDP that has in place appropriate protection measures. Interestingly, both PDCs and PDPs have a distinct obligation to cooperate with the MPS and competent state agencies by providing information for investigation and processing of any violations of the laws and regulations on personal data protection.Organizations and individuals involved in personal data processing must implement measures to protect personal data and prevent unauthorized collection of personal data from their systems and service devices. Article 22 of the Decree also prohibits the use of software systems, technical measures, or the organization of activities for the unauthorized collection, transfer, purchase, or sale of personal data without the consent of the data subject.

Under Article 23 of the Decree, in the event of a violation of personal data protection regulations, both the PDC and the PDP, or PDCP, are required to promptly inform the A05. The notification must be made no later than 72 hours after the violation occurred. If the notification is delayed, the reason for the delay must be provided. The current wording in the Decree is broad and without further clarifications and guidance it could be interpreted as meaning a notification is required for any violation of the Decree, not just for data breaches.

The notification must include a detailed description of the violation, such as the time, location, act, organization or individual involved, types and amount of personal data affected, contact details of those responsible for protecting personal data, potential consequences and damages of the violation, and measures taken to resolve or minimize harm. If it is not feasible to provide a complete notification at once, it can be done incrementally or progressively.

However, Decree 13 does not provide a specific procedure for A05 to handle complaints related to personal data protection violations. Further guidance or clarifications may be issued in the future.

8.2. “Impact Assessment Reports” that have to be made available for inspection

Article 24 of the Decree requires PDCs and PDCPs to compile an impact assessment report (IAR) from the commencement of personal data processing and make the report available for inspection by the A05 within 60 days thereafter.

The IAR must contain:

Information and contact details of the PDC or PDCP and its data protection officer(s);
Details of the types of personal data being processed and the purpose for doing so;
Identities of recipients of the data (including those outside of Vietnam);
The circumstances of any cross-border data transfers of the data;
A description of measures implemented to protect the data;
The time frame for processing and deletion of data; and
An evaluation of the impact and potential risks associated with the processing of personal data.

PDPs are also required to compile an IAR. However, the required content is slightly different, reflecting the difference in roles between PDCs/PCDPs and PDPs. For instance, the Decree requires a PDP to provide a description of the processing activities and types of personal data processed, rather than stating the purpose(s) for processing the data.

9. Cross-Border Data Transfers have a legal definition and a registration requirement

Article 25 of the Decree defines a cross-border transfer of personal data as:

The transfer of personal data of Vietnamese citizens to a location outside of Vietnam; or
The use of a location outside of Vietnam to process the personal data of Vietnamese citizens.

This definition includes the:

Transfer of personal data to overseas organizations for processing; and
Processing of personal data using automated systems located outside of Vietnam (note that Article 2.13 of the Decree defines automated personal data processing as the electronic processing of personal data to analyze, evaluate, and predict the behaviors, habits, preferences, reliability, tendencies, capacities, and locations of an individual).

In the absence of further specification and relying on a literal reading of the wording in Article 25, a possible interpretation of this definition is that processing outside of Vietnam the personal data of Vietnamese citizens who live outside Vietnam would also qualify as a cross-border data transfer under the Decree. If this interpretation is correct, it would mean that all foreign organizations or individuals processing personal data outside of Vietnam would be subject to the Decree’s “cross-border data transfer” requirements even if there is no actual border of Vietnam involved, insofar as they process the personal data of Vietnamese citizens. It should be noted that the scope of the Decree, as stipulated in Article 1.2, only applies to foreign agencies, organizations, and individuals that are in Vietnam or that directly participate or are involved in the personal data processing activities in Vietnam. This ambiguity may be clarified in a guidance document in the future.

Before a covered entity may transfer personal data out of Vietnam, the Decree requires that the entity must:

Undertake a data transfer assessment (DTA);
Apply to the A05 by submitting a copy of the DTA together with a form specified in the Decree to the Department within 60 days from the date of processing;
Provide further information to the A05 if the application is complete or if any information is incorrect; and
Notify the Department after the data transfer has taken place successfully.

The DTA must contain the following information:

Information and contact details of the transferrer and receiver of the personal data of Vietnamese citizens;
The full name and contact details of the organization and/or individual that is in charge of the transferrer;
Descriptions and explanations of the purposes for the transfer;
Descriptions and clarification of the type of personal data to be transferred;
The measures applied to comply with the Decree’s requirements to protect personal data;
Assessment of the impact of personal data processing, the potential consequences and damage, and measures to reduce or eliminate such risk or harm;
Details of the consent of the data subject given with a clear understanding of the feedback mechanism and complaint procedures available in the event of incidents or requests; and
A binding contract between the transferer and the receiver specifying the responsibilities of the parties involved regarding the personal data processing.

In light of the consent disclosure required as part of the DTA and in the absence of further regulatory guidance, it seems that consent is the only basis for cross-border transfers. In addition to all requirements for a valid consent, in the context of cross-border transfers, the consent shall include a clear explanation of the feedback mechanism and the available procedures for lodging complaints in the event of incidents or requests, ensuring a comprehensive understanding for the individuals involved.

The MPS will conduct inspection of the DTA annually unless a violation, data incident, or leakage occurs. The MPS may cease transfers in cases where:

Personal data is found to be used for activities that violate the interests and national security;
The transfer fails to comply with requirements for the DTA; or
Loss or leakage of the personal data of Vietnamese citizens occurs.

It should be noted that data localization is separately governed under Decree No. 53/2022/ND-CP, which implements the Law on Cybersecurity. The decree applies to both domestic and foreign companies operating in Vietnam’s cyberspace, specifically those providing telecom, internet, and value-added services that collect, analyze, or process private information or data related to their service users. According to the decree, these companies must store the data locally and have a physical presence in Vietnam. They are also required to retain the data for a minimum of 24 months. The types of personal data subject to localization include “(i) personal information of cyberspace service users in Vietnam in the form of symbols, letters, numbers, images, sounds, or equivalences to identify an individual; (ii) data generated by cyberspace service users in Vietnam, including account names, service usage timestamps, credit card information, email addresses, IP addresses from the last login or logout session, and registered phone numbers linked to accounts or data; (iii) data concerning the relationships of cyberspace service users in Vietnam, such as friends and groups with whom these users have connected or interacted.” (Article 26, Decree 53). The governing authority responsible for these regulations is A05 as well.

However, it remains unclear from the provided information whether personal data falling within the scope of Decree 53 can be transferred cross-border after fulfilling all requirements, including obtaining valid consents from data subjects. It is possible that the regulations are strictly interpreted to prohibit cross-border transfers for such types of data.

10. Specific Requirements for Children Personal Data

Like the GDPR, Article 20 of the Decree provides special protection for children’s personal data, with a focus on safeguarding their rights and best interests. However, the age threshold for obtaining valid consent differs between the two laws. In Vietnam, the Decree requires the consent of a parent or legal guardian and of children aged seven or older, while the GDPR only allows individuals over 16 to give consent independently for processing of their personal data.

It is important to note that in Vietnam, children under the age of 16 are not considered to have legal capacity, meaning that they cannot legally enter into contracts on their own behalf except in exceptional cases. As such, the effect of the child’s consent absent that of a parent or legal guardian is not entirely clear, although the requirement to obtain consent from the child was likely included in the Decree to reflect the child’s opinion on the processing of their personal data.

PDCs, PDPs, PDCPs, and TPs must verify the age of children before processing their personal data. However, the Decree does not explicitly provide an age verification process. Processing of children’s personal data must cease, and the personal data must be deleted irretrievably, where:

The processing is not for a purpose covered by valid consent;
The purpose for processing the personal data has been completed;
The child’s parent or legal guardian withdraws their consent for processing of the child’s data; or
There is a request to do so from a competent state authority that can provide sufficient evidence that the processing has a negative impact on children’s rights and interests.

The Decree states that only the child’s parent or legal guardian can withdraw consent for the processing of the child’s data, leaving it unclear whether the child can revoke their consent and have their data deleted if they wish to do so.

Conclusion

Vietnam’s new Decree on Personal Data Protection marks a significant milestone in protecting personal data in the country. The Decree introduces key concepts and principles of personal data protection, and sets out specific requirements for data processors and controllers. It also establishes a regulatory framework for obtaining consent for data processing activities, cross-border data transfers, and children data protection, which can contribute to safeguarding the privacy and security of individuals’ personal data.

While the Decree addresses many of the current challenges facing personal data protection in Vietnam, there are still gaps that need to be addressed in forthcoming guiding documents, including the lack of a specific procedure for handling complaints related to personal data protection violations, the conflicting provisions on the sale of personal data need to be clarified, the impact of cross-border data transfers and clear guidelines and requirements for such transfers and a more defined fine structure. It should also provide guidance on automated processing and establish regulations for biometric data. As Vietnam continues to develop its data protection laws, it is important for the law to address key issues such as automated personal data processing, biometrics or facial recognition, global data transfer baseline standards, and the need to balance business development with data protection.

In conclusion, the country’s commitment to personal data protection and privacy is a crucial step in the digital age. As Vietnam continues to strengthen its data protection framework, it will be interesting to see how it aligns with, and how it contributes to emerging frameworks in the region and around the world.

Editors: The success of this article would not have been possible without the dedicated efforts of Dominic Paulger, Josh Lee Kok Thong, and Isabella Perera, as well as the tremendous encouragement of Dr. Gabriela Zanfir-Fortuna from the Future of Privacy Forum.

Analysis of a Decade of Israeli Judicial Decisions Related to Data Protection (2012-2022)

Adv. Rivki Dvash with the assistance of Mr. Guy Zomer¹

Background

The Future of Privacy Forum’s office in Tel Aviv (Israel Technology Policy Institute – ITPI) sought to examine the judicial decisions in civil actions under Israel’s Privacy Law, which includes rules that regulate data protection. We examined the extent to which the general public demands protection of the right to privacy through judicial proceedings. We also analyzed the privacy and data protection issues that concern the public enough to appeal to the court, as well as identified any patterns in the appeals.

It is important to note that there is a contradiction inherent in taking civil actions to remedy privacy and data protection violations since appealing to judicial bodies brings attention to and publicly catalogs the disputes. ² As such, there is an occasional interest to not pursue these matters in order to prevent additional publication or exposure of information that could increase the harm of the initial violation of privacy. Accordingly, the data gathered in this analysis does not necessarily reflect the complete interest and desire the public has in protecting privacy, but rather the cases in which individuals chose to seek judicial remedy under the Privacy Law.

In order to examine all of these cases, we asked Mr. Guy Zomer of Octopus – Public Information for All (R.A.) – which works to make public information, including that related to judicial proceedings, accessible through the Tolaat Hamishpat – to compile all the rulings since 2012 that mention privacy violations and retrieve relevant metadata for our analysis.

The overview below highlights the information and insights gathered from the metadata.

Methodology

Collection of rulings from the Nevo website

In order to locate rulings related to privacy violations, we queried all published rulings issued from January 1, 2012, to December 31, 2022 to find those that included reference to Section 2 of the Privacy Law, 5741-1981 (from now on referred to as “the Law”), which defines an invasion of privacy and what constitutes a civil tort (and a criminal offense). The dataset only includes rulings issued in ordinary courts (magistrate, district, and supreme), and not those issued in special courts such as the Family Court and the Labor Court.

Initial screening

Since we wanted to concentrate on civil proceedings to discover common patterns, we removed criminal judgments and appeal proceedings from the dataset. We also chose to examine and compare decisions related to class actions separately from other civil proceedings.

We identified a total of 293 judgments issued in civil lawsuits and 29 judgments in class actions that referred to privacy violations.

Data collection

The dataset of civil claim decisions related to privacy violations initially only contained primary data such as the opening and closing dates of proceedings and the amount of the claims. We then added the following secondary data:

The additional grounds in the civil lawsuit (defamation, spam, etc.), if any;
The specific grounds for which the claim was filed (in other words, which subsection of Section 2 is used), even if the court did not recognize the requested cause or all the grounds for which the claim was filed;
The relationship between the plaintiff and the defendant (neighbor, employer-employee³, family, etc.);
Whether the plaintiff claimed concrete damage or compensation without proof of damage;
Whether the court recognized defense claims (this refers to the acceptance of defense claims in a judicial decision, and not to the fact that the defending party raised them);
Who won the lawsuit;
The amount of compensation mandated due to the violation of privacy;
The amount of expenses that have been mandated; and
The total amount of compensation that was mandated, including expenses or other grounds.

We examined class action cases separately from civil lawsuits since class actions focus more on potential harm to a group of people rather than an individual and the monetary compensation is structured differently with three components: individual winnings, group winnings, and lawyer fees, which are higher than is usually customary and serve as an incentive to file class actions.

Preliminary research findings

1) It should be noted that the data we examined only related to published judgments. We have yet to learn about the number of relevant claims in which the proceedings were stopped for various reasons (such as a settlement or lack of legal proceedings by the plaintiff or closed-door proceeding). Given that there is no labeling of privacy protection procedures in the Net HaMishpat (the computerized system for managing court cases in Israel), it is impossible to locate such information.

2) There is a small number of verdicts related to privacy violations and there are only several dozen privacy cases yearly. In comparison, in 2019, about 200,000 cases were closed in the Magistrates’ and District Courts. ⁴ Furthermore, in 2020, about 192,400 cases were closed in these courts. ⁵ In other words, the judgments in matters of privacy in Israel are a negligible percentage of all civil proceedings.

3) We looked at the approximate weight of published privacy violation claims as a percentage of total published civil lawsuits over several years to see whether there are any patterns. Although this method is not statistically accurate, it is still useful to examine the variable ratio between all judgments and privacy judgments published in Nevo.

However, even in the test mentioned above, we could not locate or indicate a clear trend, as seen below.

Findings

Civil Lawsuits

1. In all the cases, except for one,⁷ the plaintiffs preferred to claim compensation without proof of damage under section 29A of the Law.

2. The most common issue in civil lawsuits is the photographing of a person and placing of cameras in public, and sometimes even private spheres, accounting for 5.1% of claims.

3. We did not find any civil lawsuits for torts from privacy violations in databases. The initial assumption was that such claims are found in class actions (see below).

4. Civil lawsuits for privacy violations were generally connected to legal claims for other torts. Less than 20% of the claims filed for privacy violations were filed as a single damage (17%).

5. 19.8% of plaintiffs chose to file their claim in “Small Claims Courts,” which allow for relatively quick and no-frills compensation in an amount limited to up to NIS 36,400 (roughly USD 10,000).

6. The main ground for civil lawsuits is the “spying on or tracing of a person,” or other harassment. This ground appears in 36.9% of civil court rulings. For context of how dominant this cause is, the second most common ground (photographing a person without their permission) is cited in only 16% of all judgments.

7. The most common relationship between plaintiffs and defendants is a consumer relationship (24%) or a neighbor’s dispute (21.8%). A citizen’s claims against the authorities account for 8.9% of all claims, with the leading cause of action for this type of relationship being a breach of the confidentiality obligation established by the Law (40%).

8. Although privacy violations from media exposure create significant harm due to their broad exposure of information, only a low percentage of filed claims are due to this type of violation (7.5%). Additionally, claims due to this type of violation are always accompanied by a civil lawsuit for other claims such as defamation. Generally, defamation claims appear next to privacy violation claims (52%).

9. 9.9% of privacy claims also involved spam claims filed under Section 30A of the Communications Law. This finding is interesting because during the legislative process for spam regulations, it was determined that they should be incorporated into the Communications Law instead of the Privacy Law. Regardless, even in decisions that recognized both privacy and spam violations, the compensation amounts remained extremely low (no more than a few thousand shekels).

10. In most cases (57.3%), the plaintiff won the claim, compared to 34.4% of cases in which the defendant won (in the other claims, there was no definitive decision). However, a deeper examination of these claims shows that only 46.7% of them were compensated for the privacy violation. In other words, sometimes the plaintiff won the case, but not on the grounds of the privacy violation, or general compensation was provided without specifically referring to the privacy violation.

11. In almost a quarter of the rulings (24.5%), the court recognized legal defense protections under the Law. ⁹ The most recognized protection (40.3%) is in the case of “legitimate personal interest” (section 18(2)(c)).

Class Actions

12. Class actions related to privacy violations (29 cases) account for a small number of all class actions (6493 cases). However, the relative share (4.5%) is larger than the ratio of civil privacy violation claims compared to all civil claims (about 0.09%). This larger relative share is even more significant given that privacy violation class actions in Israel are more limited tools than civil lawsuits since class actions can only apply to the specific types of claims listed in the second addendum to the Class Actions Law, 5766-2006. ¹⁰

13. Most of the class actions that include grounds for privacy violations are also related to consumer protection.

14. Spam violations constitute the additional (or, more precisely, the primary) ground in a significant share of privacy violation class actions (69%). Four cases (15.4%) also mentioned the issue of registering the databases that are the subjects of the claims.¹¹Furthermore, in four cases (15.4%), it was claimed that the information security of the databases in question were compromised.

15. In 17.2% of privacy violation cases the court rejected the motion to file a class action.

16. Of the 29 cases in which a judgment was given (including court rejection to form a class action), in 41.4% of cases, the court approved the settlement, and in 37.9% of cases, the court approved the plaintiff’s motion for leave.

17. 69.2% of claims ended in favor of the plaintiff, and only about 26.9% of the decisions favored the defendant, with plaintiffs liable for expenses in only four cases (15.4%).

Conclusion

Despite the difficulty in getting clear insights into privacy violation civil lawsuits and class actions due to the scarcity of rulings in this area, it is still necessary to examine these decisions.

The small number of claims in this area may indicate the public’s lack of interest in exercising its right to compensation when privacy violations occur. Part of this disinterest is likely due to the desire to prevent additional publication or exposure of information that could increase the harm from the initial privacy violation. Interestingly, the larger amount of privacy violation class actions as a percentage of all class action lawsuits (compared to civil lawsuits) indicates that given a larger financial incentive and decreased risk of exposure of individuals’ personal information, the desire to file lawsuits may increase. This tentative hypothesis is supported by the higher numbers of class action and civil lawsuits related to spam violations, both of which have high compensation potential and do not reveal additional personal information about plaintiffs. However, given the small absolute number of both class action and civil lawsuits related to privacy violations, more research is needed to fully examine the motivations of plaintiffs.

Even with the small number of claims, there are still several interesting findings, including clarity into the types of privacy violations that concern the public. For example, it is evident that plaintiffs mostly bring violations related to neighbor disputes and placement of cameras in public spaces for surveillance. The research also shows that despite the higher potential for privacy violations from state authorities or the greater harm from violations of database-related provisions of the Law, there are almost no lawsuits concerning these issues. One potential hypothesis for the lack of these claims is that there are power gaps between citizens and authorities, as well as data subjects and database owners, that disincentivize lawsuits. Although class actions can strengthen the power of the consumer, they still require proof of damage and also cannot be filed against the state.

In conclusion, it is impossible to point to a change or a clear trend of citizens exercising their right to privacy in civil lawsuits over the past decade.

Editor: Isabella Perera

This text has been translated and adapted into English from the original report published on January 30, 2023, available in Hebrew following this link.

¹ Thanks to Adv. Limor Shmerling-Magazanik, former Director of ITPI, for her comments on this report.

² In Israel, the default is that legal proceedings are published stating the parties’ names.

³ It should be noted that even in civil proceedings in ordinary courts (not the Labor Court), we still found claims related to employee-employer relationships.

⁴See Annual Report 2019 – Court Administration (in Hebrew), pp. 25 and 37. In the district courts, 8,278 civil cases were closed, and in magistrates’ courts, 191,444 such cases were closed.

⁵See Annual Report 2020 – Court Administration (in Hebrew), pp. 25 and 37. In the district courts, 7,578 civil cases were closed, and in magistrates’ courts, 184,874 such cases were closed.

⁶We did not include 2022 because there was a change in the classification of cases in civil lawsuits that altered how the selected group was sampled.

⁷Civil Action (Magistrate court – Haifa) 54043-11-12 Naor v. Clal Pension and Provident Fund Ltd. (11/4/2014) (in Hebrew), in which the plaintiff lost.

⁸ As of January 2023.

⁹ Section 18 of the Privacy Law.

¹⁰ Such as dealers, banking corporations, financial services providers, etc.

¹¹In Israel, there is still an obligation to register databases.

Insights into Brazil’s AI Bill and its Interaction with Data Protection Law: Key Takeaways from the ANPD’s Webinar

The First Japan Privacy Symposium: G7 DPAs discussed their approach to reign in AI, and other regulatory priorities

FPF Paper, “The Thin Red Line …,” Receives the Council of Europe’s 2023 Stefano Rodotà Award

Nigeria’s New Data Protection Act, Explained

Unveiling China’s Generative AI Regulation

FIRST JAPAN PRIVACY SYMPOSIUM CONVENING G7 REGULATORS FOCUSES ON GLOBAL TRENDS AND ENFORCEMENT PRIORITIES

FPF at CPDP 2023: Covering Hot Topics, from Data Protection by Design and by Default, to International Data Transfers and Machine Learning

New FPF Report: Unlocking Data Protection by Design and by Default: Lessons from the Enforcement of Article 25 GDPR

Vietnam’s Personal Data Protection Decree: Overview, Key Takeaways, and Context

1. Overview

2. The (extra)territorial scope introduces a nationality criterion for covered entities

3. The Decree recognizes a slightly different set of covered actors than other data protection laws

4. New processing principles, such as “no sale and purchase of personal data by any means”

5. Covered data: broad definition of sensitive personal data, and stricter accountability rules for its processing

6. Legal bases for processing personal data: no “legitimate interests,” but introducing “publicly disclosed” personal data

7. The rights of the data subject include transparency and control rights, but also rights to legal remedies

8. Obligations of Controllers and Processors, from written processing agreements to data security and accountability obligations

9. Cross-Border Data Transfers have a legal definition and a registration requirement

10. Specific Requirements for Children Personal Data

Conclusion

Analysis of a Decade of Israeli Judicial Decisions Related to Data Protection (2012-2022)

Background

Methodology

Findings

Conclusion