The risks of falling short on privacy compliance are greater than they have ever been. New laws are going into effect around the world and in U.S. states, enforcement agencies are exercising their authority, and media organizations have teams devoted to identifying data protection failures. Legal judgments can run into the billions. And most important, consumers are increasingly empowered and active in responding when they believe their rights are trampled. Companies are hiring compliance staff, investing in privacy management tools, and trying to become more sophisticated about measuring performance.
Businesses are increasingly monitoring quantitative and qualitative metrics to track, measure, and improve existing privacy programs. According to a Privacy Benchmark Study by Cisco, 93% of organizations currently track and provide analysis on at least one privacy metric, and 14% use five or more. These privacy metrics provide businesses and other organizations with key information that allows them to enhance trust and relationships with customers, ensure that personal data remains safe in data transfers, and confirm legal and regulatory privacy compliance.
FPF recently convened policy, academic, and industry privacy experts to discuss privacy metrics and their benefits, and published a report based on their discussions. Through these discussions, we learned that beyond demonstrating compliance, privacy metrics have emerged as a key measure to improve privacy program performance and maturity in terms of customer trust, risk mitigation, and business enablement. Privacy leaders can use these metrics to benchmark the maturity of their organization’s privacy program against its strategy and goals and demonstrate how privacy contributes to its strategy and bottom line.
Privacy metrics can be used to measure a variety of data points. Simple operational and compliance metrics measure activities like the number of data subject requests, which privacy executives can use to track and improve the efficiency of existing organizational processes. More advanced metrics, focused on customer and business enablement, measure things like the amount of time needed to respond to requests.
Privacy metrics can be grouped into six categories:
Individual rights: Individual rights metrics measure the rate of consent for data sharing and email marketing, data subject requests, customer satisfaction rates, and more. This information is useful in determining the trust customers have in the privacy program and how well the program protects customer data.
Training & awareness: Training & awareness metrics compile the number of privacy trainings offered to staff as well as the number of staff trained and their engagement with the privacy program. When staff are engaged with privacy-related issues, businesses and organizations can better ensure legal compliance. This information can show gaps in organizational privacy knowledge, improve an organization’s public image, and create operational excellence in privacy.
Commercial: Commercial metrics measure how many customers have signed data processing agreements, external vendor reviews of an organization’s privacy program and how many privacy attestations have been completed. This information focuses on customer and business engagement, tracking a privacy program’s ability to support an organization as new technology is adopted. These metrics can drive additional investments from stakeholders, increasing the value of an organization.
Accountability: With accountability metrics, utilizing privacy, data protection and transfer impact assessments, organizations are able to track projects that have received privacy advice and ensure that privacy policies and procedures are current. This allows organizations to demonstrate their ability to comply with relevant laws while keeping their organization competitive and reputable.
Privacy stewards: Privacy stewardship is responsible for turning data policies into common organization practices. These metrics measure the scope of an organization’s privacy products, including the number of personal information management systems, data privacy impact assessments, and any data FAQs that are created.
Policy: Policy metrics measure an organization’s compliance with potential privacy legislation, working to improve the organization’s environmental, social, and governance ratings. This allows organizations to increase public trust, knowing the organization will use and handle their data ethically.
Evaluating the effectiveness and value of privacy initiatives has become a core aspect of many organizations’ strategies. Ignoring privacy issues can create unnecessary risks. The utilization of privacy metrics can help organizations accomplish many objectives including benchmarking against industry standards, ensuring compliance with privacy laws and regulations, increasing customer trust, and asserting the value of existing privacy programs.
If you are interested in learning more, sign up for our monthly briefing, join us at one of our upcoming events, or follow us on Twitter and LinkedIn.
FPF Statement on the EU/US Transatlantic Data Agreement
March 25, 2022 — This morning the European Union and the United States came to a breakthrough agreement in principle, which allows Europeans’ personal data to flow to the United States.
Future of Privacy Forum’s CEO Jules Polonetsky said:
We are encouraged to see progress in the important effort to ensure that cross-border EU-U.S. research, communication, and commerce can continue without disruption. Both the European Commission and U.S. negotiators understand that any deal needs to meet the standard set by the European Court of Justice. Recent U.S. proposals have included significant oversight and extensive redress structures, beyond the Privacy Shield agreement that the European Court of Justice invalidated. We look forward to the details of the latest proposals, including those related to ensuring proportionality of government access to Europeans’ data. We appreciate that the Biden Administration has supported new models of redress and hope that Congress will build on these efforts as it addresses reforms of surveillance legislation in the near future.
We also encourage both the U.S. and EU to recognize the need to ensure surveillance oversight and trusted data flows among democratic allies globally and support the ongoing work of the OECD in this regard.
Read the White House Fact Sheet: the United States and European Commission Announce Trans-Atlantic Data Privacy Framework here. You can also read VP of Global Privacy Dr. Gabriela Zanfir-Fortuna’s analysis here.
ITPI: New OECD-Israel Workshop January 2021 Report
The report was drafted by Limor Shmerling Magazanik, ITPI Managing Director, based on inputs from workshop experts, the OECD Working Party on Health Care Quality and Outcomes, and the OECD Working Party on Data Governance.
The objective of the workshop was to further international dialogue on issues critical for the successful use of health data for the benefit of the public, focusing on the implementation of privacy protection principles and the challenges that arise in the process.
FTC Requires Algorithmic Disgorgement as a COPPA Remedy for First Time
On March 4, the Federal Trade Commission (FTC) and Department of Justice (DOJ) announced a settlement agreement with WW International and its subsidiary, Kurbo (Kurbo by WW), after charging the companies with violating the Children’s Online Privacy Protection Act (COPPA) for improperly collecting health information and other data from children as young as eight years old. Among other penalties, the settlement requires the deletion of all “affected work product,” which includes algorithms, resulting from the companies’ collection of children’s data. Significantly, this is the first time that the FTC has imposed an algorithmic disgorgement penalty in a COPPA enforcement action, a measure that reflects the Commission’s increasing focus on algorithmic fairness.
The COPPA Claim
Aimed at protecting children under 13, COPPA applies to online service providers and commercial websites that (1) are directed to children and collect, use, or disclose children’s personal information; (2) have actual knowledge that children use the provider’s online service; or (3) provide a third party service to websites or online service providers that collect information from children. Among other requirements, services subject to COPPA must:
Give parental notice before collecting, using, or disclosing child data;
Make reasonable efforts to ensure parents receive direct notice of the collection, use, or disclosure of child data;
Obtain verifiable parental consent (VPC) before the collection, use, or disclosure of child data; and
Retain child data no longer than necessary to further the purpose for which the provider collected the information.
Here, the FTC and DOJ alleged that Kurbo by WW, a service marketed to children under 13, failed to provide adequate notice and obtain VPC before collecting personal information including weight, height, food intake, and physical activity. Specifically, the agencies argued that the measures Kurbo by WW did take, such as an age gate, were insufficient under the rule, and even incentivized children to lie about their birthdate to circumvent the measures. Moreover, the agencies alleged Kurbo by WW retained child data indefinitely, and would only delete it upon parental request. The settlement imposes multiple remedies, including injunctive relief, monetary fines, compliance reporting, and, significantly, a requirement that Kurbo by WW delete all work product resulting from the collection of children’s personal information.
The Significance of This Settlement
The significant part of this settlement is the algorithmic disgorgement penalty: the requirement that the companies delete all algorithms resulting, in part or in whole, from the inappropriate collection of children’s data. The FTC imposed this penalty for the first time in 2019 in a final order against Cambridge Analytica. The agency used the remedy again in the 2021 Everalbum settlement, in which the developers of a photo app were required to delete facial recognition algorithms developed through training on data that was improperly collected. In a significant next step, this is the first time we have seen the agency impose the penalty in a COPPA settlement. Like monetary fines, compliance reporting, and other injunctive relief, algorithmic disgorgement is a measure intended to deter companies from improperly collecting and retaining child data. However, the penalty goes a step further than other COPPA remedies by preventing companies from benefiting from the improperly collected data in the future. In the FTC’s press release for the settlement, FTC Chair Lina Khan remarked, “Our order against these companies requires them to delete their ill-gotten data, destroy any algorithms derived from it, and pay a penalty for their lawbreaking.” This strong language from the FTC Chair signals an interest in doing more to hold companies subject to COPPA accountable.
Recently, child privacy has become a trending topic for both policymakers and enforcement agencies. Historically, the FTC tends to bring only a few COPPA cases per year, but the Kurbo by WW settlement marks the FTC’s second COPPA settlement in just three months. Time will tell whether COPPA enforcement actions become more frequent in the wake of increasing calls to protect children’s privacy. Regardless, this settlement stands to impact future COPPA enforcement by setting a new precedent for the penalties the FTC is willing to impose on companies. It also raises important questions about how companies can obtain effective VPC, an issue FPF’s Youth & Education team is exploring in our report on The State of Play: Verifiable Parental Consent and COPPA. Companies with child audiences should pay close attention to this settlement and its penalties, and ensure their practices are complying with COPPA.
Additional Resources:
FTC Blog Post on the Kurbo by WW settlement for Businesses
For more on COPPA and VPC, see FPF’s Work on Verifiable Parental Consent (VPC) at thestateofplay.org
Future of Privacy Forum Statement on Ukraine
The Future of Privacy Forum is heartbroken about the horrific events unfolding in Ukraine. We stand with the people of Ukraine. FPF will contribute to José Andrés’s World Central Kitchen, serving thousands of meals to Ukrainian families. FPF will also match any donations made by our staff to WCK or another nonprofit organization of their choice to support Ukraine.
The Significance of Inclusion in Clinical Trials and Medical Research Databases
Our colleagues at the Israel Tech Policy Institute (ITPI) published a thoughtful blog on the significance of diversity and inclusion in clinical trials and health and medical research databases.
They discuss the imperative of being represented in data, for one’s existence to be recognized and considered. When such data is the building block for a cure, therapy, and wellness development, representation carries consequences for one’s health prospects. Accordingly, gaps in the clinical data and health datasets used for health and medical research translate into a lack of representativeness and a lack of diversity among research participants. This is known to have medical and social effects on individuals and communities alike.
The diversity of populations in developed countries (where most medical research is being conducted) that came with global migration movements and the resulting demographic changes, is not faithfully reflected in the composition of participants in clinical trials and in biomedical databases. To date, the majority of participants in clinical trials and medical databases are Caucasians – mostly males of European descent. It is estimated that 78% of the genetic and genomic information available today originates from this population, although the overall proportion of Europeans and their descendants in the world population is barely 16%.
Utah Consumer Privacy Act Passes State Legislature
This week, the Utah legislature passed the Utah Consumer Privacy Act (SB 227). If enacted by Governor Spencer Cox, Utah will follow California, Virginia, and Colorado as the fourth U.S. state to establish a baseline regime for the protection of personal data. The law would come into effect in December 2023.
“While the Utah Consumer Privacy Act would create some new rights for Utah residents, it contains significantly fewer privacy protections than leading state frameworks. A national comprehensive law that sets strong baseline standards will be the only way to ensure that geography doesn’t determine individuals’ basic privacy rights.”
Statement by Keir Lamont, Senior Counsel, Future of Privacy Forum
The Utah Consumer Privacy Act shares a similar structural framework for protecting personal information as legislation enacted in Virginia and Colorado. As such, it would be unlikely to introduce significant new compliance challenges for businesses that are already preparing for those laws, which come into effect in 2023.
However, Utah’s law would set significantly narrower individual rights and business obligations than privacy regimes enacted in other states.
Individual Rights: The Act would create new rights for Utah consumers to access their information and delete personal data previously provided to a business. It would also provide individuals with the ability to opt-out of the processing of personal data for targeted advertising and sales. Diverging from existing state privacy laws, the Act lacks a right to correct inaccurate personal data or to opt-out of significant profiling decisions. Finally, unlike Virginia and Colorado, the Act would not require affirmative, opt-in consent for the collection and processing of sensitive data.
Business Obligations: For covered businesses, the Act would create transparency requirements and new data security obligations. However, unlike other state privacy laws, the Act does not include a requirement to conduct data protection assessments. The Act also fails to include protections for civil rights and lacks FIPPs-style requirements for data minimization and limits on secondary use.
Enforcement: The Act would delegate exclusive enforcement authority to the Utah Attorney General but would require a consumer complaint process, routed through the Division of Consumer Protection in the Utah Department of Commerce, prior to initiating an enforcement action.
The Utah Consumer Privacy Act is poised to secure some important new protections for Utah residents, such as access and deletion of certain personal information. However, given its limitations, the Act would not meaningfully advance individual privacy interests relative to approaches taken in other jurisdictions. The ultimate significance of the Utah Consumer Privacy Act may be that it represents an overall trend of U.S. states toward adopting privacy frameworks that are based upon the Virginia and Colorado laws, rather than following the lead of California.
On November 16, 2021, the Future of Privacy Forum (FPF) and the Brussels Privacy Hub of Vrije Universiteit Brussel (VUB) hosted the Brussels Privacy Symposium 2021 – The Age of AI Regulation: Global Strategic Directions. The event, convened by Jules Polonetsky, CEO of FPF, Christopher Kuner and Gianclaudio Malgieri, Co-Chairs of the Brussels Privacy Hub (BPH), brought together policymakers, academic researchers, civil society organizations and industry leaders from the European Union (EU), the Organization for Economic Cooperation and Development (OECD), the United States, Brazil, and Singapore to discuss the most recent trends in the governance of Artificial Intelligence (AI), with a focus on addressing the risks posed by AI systems to fundamental rights, while fostering their responsible development and uptake. A new report from FPF’s Sebastião Barros Vale, Katerina Demetzou and Lee Matheson summarizes and offers context to the discussions at the event.
The 2021 Brussels Privacy Symposium was the fifth-annual academic program jointly presented by the BPH and FPF. In this context, the Symposium’s panelists debated the proposal for a legal framework that the European Commission (EC) published in April 2021 (AI Act), a first-of-its-kind comprehensive law for AI systems, which comprises a risk-based approach by scaling legal obligations to the severity of risks that specific AI systems pose. Furthermore, speakers drew comparisons between the proposed EU model and different approaches to AI regulation that are surfacing elsewhere – such as the US, Brazil, Singapore, and China.
The keynote panel, which covered the EU’s road ahead to the proposed AI Act and was moderated by Gianclaudio Malgieri, BPH Co-Director and Associate Professor of Law at EDHEC Augmented Law Institute (Lille), featured:
Brando Benifei, Member of the European Parliament, President of the Spinelli Group
Lucilla Sioli, Director for Artificial Intelligence and Digital Industry (CNECT.A), Directorate-General CONNECT at the European Commission
The following panel saw a Global Comparative Discussion on Approaches to AI Regulation, Governance and Oversight, moderated by Dr. Gabriela Zanfir-Fortuna, Vice President for Global Privacy at FPF and Affiliated Researcher at the VUB’s Research Group on Law, Science, Technology & Society (LSTS). Speakers included:
Simon Chesterman, Dean and Provost’s Chair Professor of the National University of Singapore Faculty of Law and Senior Director of AI Governance at AI Singapore
Luca Belli, Professor of Internet Governance and Regulation at Fundação Getúlio Vargas (FGV) Law School
Audrey Plonk, Head of Digital Economy Policy Division – Directorate for Science, Technology and Innovation, OECD
Elham Tabassi, Chief of Staff, Information Technology Laboratory of the U.S. National Institute of Standards and Technology (NIST)
The last panel was titled Should Certain Uses of AI Be Banned?, and it was moderated by Ivana Bartoletti, Global Chief Privacy Officer at Wipro and Co-Founder of the Women Leading in AI Network. Speakers included:
Theodore Christakis, Professor of International and European Law at University Grenoble Alpes
Frank Pasquale, Professor of Law at Brooklyn Law School
Cornelia Kutterer, Senior Director, EU Government Affairs, AI, Privacy and Digital Policies, Microsoft
Ursula Pachl, Deputy Director General at the European Consumer Organisation (BEUC)
If you have any questions about the Report, contact Dr. Gabriela Zanfir-Fortuna at [email protected] or Dr. Rob van Eijk at [email protected].
Privacy Harms, Global Privacy Regulation, and Algorithmic Decision Making are Major Topics During Privacy Papers for Policymakers Event
For the 12th year, the Future of Privacy Forum (FPF) hosted its Privacy Papers for Policymakers event, honoring the 2021 Privacy Papers for Policymakers Award winners. This year’s event featured an opening keynote by Colorado Attorney General Phil Weiser and facilitated discussions between the winning authors – Daniel Solove, Ben Green, Woody Hartzog, Neil Richards, Joris van Hoboken, Ronan Ó Fathaigh, Jie Wang, Shikun Zhang, and Norman Sadeh – and leaders from the academic, industry, and policy landscape, including Maneesha Mithal, Sarah Holland, Travis Hall, Quentin Palfrey, Dr. Clarisse Girot, and John Howard, Ph.D.
In his keynote, AG Weiser outlined his approach for fostering conversations in the privacy space that bring together policymakers and academics while ensuring the integrity of the discussions, an approach Weiser called the “true north” of his career. Weiser spoke to the lack of dialogue within Congress and offered examples of how his home state of Colorado has facilitated productive conversations at the state level around data privacy. Weiser pointed to the recently passed Colorado Privacy Act as a testament to how bipartisanship is “still alive and well at the state level.”
AG Weiser stated that states considering privacy legislation must bring together “those who are practicing on the ground as well as those who are very gifted scholars.” With so many entities in the field, it is challenging to utilize a one size fits all solution or approach. Weiser noted, “we want to create a regulatory regime that is adaptable, and that can both protect data and consumers’ privacy while not getting in the way of innovation.” Through respectful and thoughtful collaboration, advances in data protection, security, and privacy can be achieved at the state and federal levels.
Weiser stressed the importance of collaboration and respect in conversations around privacy. He highlighted the Ginsburg/Scalia Initiative, a bipartisan gathering of state AGs honoring the friendship of the two late Supreme Court Justices, which convenes to engage in dialogue to solve pressing issues. Weiser concluded his keynote by congratulating FPF on creating an event that followed in the spirit of Justices Scalia and Ginsburg. FPF’s PPPM event encourages all attendees to “think differently, to take different sorts of thoughts seriously, and to look at issues from different angles.”
Colorado Attorney General Phil Weiser
Following Attorney General Weiser’s keynote address, the event shifted to moderated discussions between the authors and leaders from the academic, industry, and policy communities. Click the links below to read each of the winning papers, or read the 2021 PPPM Digest, which includes summaries of the papers and more information about the authors and judges.
Daniel Solove kicked off the discussion section of the event by talking about his paper, Privacy Harms, with Maneesha Mithal, Cybersecurity Partner at Wilson Sonsini. This paper, co-authored by UVA School of Law Professor Danielle Citron, analyzed how courts define harm in cases involving privacy violations and how the requirement of proof of harm has impeded the enforcement of privacy law due to the dispersed and minor effects that most privacy violations have on individuals. “We think that harm should only be required when the goal is compensating people,” said Daniel Solove. “When the goal is deterrence, really the harm shouldn’t matter. The goal should be what’s the most effective deterrence.”
Daniel Solove and Maneesha Mithal
Next, Woody Hartzog, Northeastern University School of Law and Khoury College of Computer Sciences, Stanford Law School Center for Internet and Society; and Neil M. Richards, Washington University School of Law, Yale Information Society Project, Stanford Center for Internet and Society discussed their paper, The Surprising Virtues of Data Loyalty. The authors were joined by Sarah Holland, Public Policy Manager at Google. Professors Hartzog and Richards’ paper looked into criticisms of data loyalty, arguing that the concept of data loyalty has some surprising virtues, including checking power and limiting systemic abuse by data collectors. “We think that data loyalty actually gets you something that existing law does not. We think it’s able to cover a lot of new problems,” said Woody Hartzog. “We think that data loyalty is a way to firm up existing obligations.”
Woody Hartzog, Neil M. Richards, and Sarah Holland
Next, Ben Green, the University of Michigan at Ann Arbor, Gerald Ford School of Public Policy, Harvard University, Berkman Klein Center for Internet & Society, discussed his paper, The Flaws of Policies Requiring Human Oversight of Government Algorithms, with Travis Hall, Telecommunications Policy Analyst at the National Telecommunications and Information Administration (NTIA). His paper analyzed the use of human oversight of government algorithmic decisions and concluded that humans could not perform many of the desired oversight responsibilities. He argued that by continuing to use human oversight as a check on these algorithms, the government legitimizes the use of faulty algorithms without addressing the associated issues. “The vast majority of evidence shows that people are incapable of reliably performing exactly the roles that these policies are calling for. The problem is the regulation doesn’t actually address the underlying harm,” said Ben Green. “I think that gets us into this really gnarly situation where we have a false sense of security, that these algorithms are appropriate and legitimate to use, when in fact, the underlying concerns haven’t actually been resolved.”
Ben Green and Travis Hall
The next paper discussed was Smartphone Platforms as Privacy Regulators by Joris van Hoboken, Vrije Universiteit Brussels, Institute for Information Law, University of Amsterdam; and Ronan Ó Fathaigh, Institute for Information Law, University of Amsterdam. The authors were joined by Quentin Palfrey, President of the International Digital Accountability Council. The paper analyzed the role of online platforms and their impact on data privacy in today’s digital economy before providing an argument as to what platforms’ role should be in legal frameworks. “What we try to do is to build a disclosure model around the regulatory behavior that these [smartphone] platforms are engaging in,” said Ronan Ó Fathaigh. “We don’t make the claim that platforms are engaging in behavior that is anti-competitive, but there are a lot of different commentators that are making those allegations, and certain app companies are making allegations that privacy is being used as a tool in anti-competitive behavior. We give the platforms the benefit of the doubt.”
Joris van Hoboken, Ronan Ó Fathaigh, and Quentin Palfrey
Jie (Jackie) Wang, W&W International Legal Team, Kinding Partners, spoke next on her paper, Comparison of Various Compliance Points of Data Protection Laws in Ten Countries/Regions, with Dr. Clarisse Girot, Managing Director for Asia Pacific at the Future of Privacy Forum. Her paper compares China’s Personal Information Protection Law (PIPL) with data protection laws in nine regions to assist overseas Internet companies and personnel to better understand the similarities and differences in data protection and compliance between each country and region. “Helping ensure personal data compliance is part of my daily work,” said Wang. “The best way to learn the PIPL is to digest it by writing an in-depth analysis of it.”
Jie (Jackie) Wang and Dr. Clarisse Girot
Shikun (Aerin) Zhang and Norman Sadeh, Carnegie Mellon University, closed the event discussing their paper, co-authored by Yuanyuan Feng, University of Vermont; Lujo Bauer, Carnegie Mellon University; Lorrie Faith Cranor, Carnegie Mellon University; and Anupam Das, North Carolina State University, “Did you know this camera tracks your mood?”: Understanding Privacy Expectations and Preferences in the Age of Video Analytics. Shikun Zhang and Norman Sadeh were joined by Dr. John J. Howard, Principal Data Scientist at Maryland Test Facility. The paper seeks to determine how individuals should be notified that they are being recorded by studying 123 individuals’ sentiments across 2,328 video analytics deployment scenarios. “People often don’t realize that many of these cameras are connected to video analytic capabilities,” said Professor Sadeh. “We believe that there’s really a need to better understand how people feel about these very diverse scenarios as they’re emerging today, and using that to inform the design idea as mechanisms to notify people and to give them, ideally, the ability to exercise those rights that, in principle, are now being made available to them.”
Shikun (Aerin) Zhang, Norman Sadeh, and Dr. John J. Howard
Thank you to Attorney General Weiser and Honorary Co-Hosts Senator Edward Markey and Congresswoman Diana DeGette for their support and work around this event. We would also like to thank our winning authors, discussants, everyone who submitted papers, and event attendees for their thought-provoking work and support. Learn more about the event on the FPF website and watch a recording of the event on the FPF YouTube channel.
New FPF Report: Demystifying Data Localization in China – A Practical Guide
On February 21, 2022, FPF published a report detailing China’s data governance framework for data localization and cross-border transfers. The report outlines 10 steps organizations can take before deciding to localize or transfer data, with practical advice on how to carry out each of them. By examining provisions of relevant laws and administrative regulations passed by ministerial departments, it aims to give organizations a better understanding of how the transfers framework operates, the expectations of Chinese regulatory authorities with respect to such transfers, and the specific steps controllers can take for better compliance mapping. It is important to note that this report does not contain legal advice.
While the new data protection and data security legal framework solidified and added to pre-existing data localization requirements, it also clarified that data can be transferred or made accessible outside of China if specific conditions are met.
Under Chinese law, data localization is only required in certain circumstances framed around two distinct conceptual pillars: (1) which entity is processing the data; and (2) what type of data is being processed. With respect to the first pillar, certain special categories of controllers must store their data in China due to their importance to China’s national security and economy, and may only transfer data with the approval of regulatory authorities. For the second, controllers must store “important data” in China, and receive approval before transferring such data abroad.
In other circumstances, controllers do not need to store data locally in China but must comply with other transfer requirements. Article 38 of the Personal Information Protection Law (PIPL) sets forth these conditions for lawfully transferring data. Once a controller chooses a transfer mechanism, it must comply with additional transparency obligations. However, it is important to take both the PIPL and the Data Security Law (DSL) requirements into account when deciding whether to localize data or to transfer it.
In order to untangle this complex legal landscape, this Report proposes 10 steps that data controllers can take before deciding to localize or transfer data, with practical advice on how to carry them out:
Step 1 – Determine scope and when data is “transferred” overseas
Step 2 – Evaluate the type of data controller and whether it is a critical information infrastructure operator (CIIO) or a special controller
Step 3 – Determine the type of data to be transferred including whether it is important data
Step 4 – Evaluate whether a security assessment by the CAC is required
Step 5 – Determine whether a cybersecurity review is mandatory
Step 6 – Determine if an exception applies
Step 7 – Choose the transfer mechanism
Step 8 – Check whether an international treaty or agreement is applicable
Step 9 – Obligations for Entrusted Processors (委托处理)
Step 10 (bonus) – Determine whether the transfer is compelled by a foreign judicial or law enforcement body
The Report also contains an annexed Flowchart with a summary of the 10 steps.