Upcoming data protection rulings in the EU: an overview of CJEU pending cases

There has been a surge in questions posed by national courts to the Court of Justice of the EU (CJEU) in the past year on how various provisions of the General Data Protection Regulation (GDPR) should be interpreted and applied in practice. They vary from understanding essential aspects of the fundamental right to the protection of personal data, such as the scope of one’s right to access their own data or the appropriate lawful ground for complex processing like profiling and personalized advertising, to systemic questions such as the interplay of competition law and data protection law in digital markets. They also seek to dispel enforcement conundrums, such as identifying and quantifying non-material damages for breaches of the GDPR or clarifying the ne bis in idem principle for cases under the parallel purview of Data Protection Authorities and national courts.  

According to the EU Treaties, EU Member-States’ courts may – or, in case no appeal from their decisions is possible, must – ask the CJEU to rule on the interpretation and validity of disputed provisions of EU law. Such decisions are known as preliminary rulings, by which the CJEU expresses its ultimate authority to interpret EU law and which are binding for all national courts in the EU when they apply those specific provisions in individual cases. 

Since May 2018 – when the GDPR became applicable across the EU -, the CJEU has played an important role in clarifying the meaning and scope of some of its key concepts. For instance, the Court notably ruled that two parties as different as a website owner that has embedded a Facebook plugin and Facebook may be qualified as joint controllers by taking converging decisions (Fashion ID case), that consent for online data processing is not validly expressed through pre-ticked boxes (Planet49 case) and that the European Commission Decision to grant adequacy to the EU-US Privacy Shield framework is invalid as a mechanism for international data transfers, and supplemental measures may be necessary to lawfully transfer data outside of the EU on the basis of Commission-vetted model clauses (in the Schrems II case). 

Ever since the enactment of the 1995 EU Data Protection Directive, the CJEU had a prominent role in expanding the scope of protection afforded to individuals by data protection law, in a way that ultimately influenced the text of the GDPR. Some notable examples include landmark rulings on the definition of personal data (in Breyer and Nowak), the lawfulness of transferring data to countries outside of the EU (in Schrems I) and the so-called “right to be forgotten” (in Google Spain). 

What are the questions that the Court is asked to clarify next? This overview includes a preview of the most interesting cases where the CJEU is expected to weigh in. The analysis focuses on questions that are relevant from the perspective of commercial data use, meaning that novel questions about personal data processing in the context of law enforcement, passenger name records and national elections have not been included in the overview. Table 1 below contains a list of links to the relevant cases as submitted to the CJEU, allowing for a more comprehensive view.

1. Clarifying essential aspects of personal data protection: right of access; lawful grounds for processing data for targeted advertising

Both the very active Austrian Supreme Court of Justice (Oberster Gerichtshof) and the Austrian Federal Administrative Court (Bundesverwaltungsgericht) have sent questions to the CJEU about the information that controllers are required to hand over in response to data subjects’ access requests. 

In March 2021, the former asked the EU’s highest court, in a case involving the Austrian Postal Office, whether under their right of access data subjects must be informed about the categories of recipients of their personal data even in the cases where specific recipients have not yet been determined, but disclosures to those recipients are planned for the future. Or should they only be informed about the categories of recipients with whom personal data was already shared? 

More recently, in August 2021, the Federal Administrative Court sought clarifications from the CJEU regarding what obtaining a “copy of the personal data undergoing processing” means. In this respect, the Bundesverwaltungsgericht asks whether such a right entails receiving entire documents/database excerpts in which the personal data are included or a mere “faithful reproduction” of the personal data processed by the controller. If the latter is the case, the referring court also wishes to know if there are exceptions to the rule, for the benefit of data subjects’ comprehension. Lastly, Austrian judges also query whether the information that should be made available to data subjects in a “commonly used electronic format” is only the “copy” of the personal data or also all the elements of Article 15(1) GDPR (e.g., information about the purposes of the processing and data retention periods). 

Two very complex sets of questions in cases involving processing of data for targeted advertising purposes on social media have also reached the CJEU in 2021. The Court’s answers are likely to shape the future of how social media companies and online advertising businesses process personal data in the EU. 

The first one, from April, comes from the Higher Regional Court of Düsseldorf, Germany (Oberlandesgericht Düsseldorf), in a first case of its kind, combining antitrust and data protection enforcement (see also Section 3 below). In a case involving Facebook, the German court asks the CJEU if data collection through user interfaces placed on third party websites or apps that relate to Article 9(1) GDPR protected attributes (e.g., political party or health-related outlets) counts as processing special categories of data. Should people that visit such websites or apps or use the company’s plugins therein (e.g. “Like” buttons) be considered to have manifestly made their sensitive data public? As the European Data Protection Board (EDPB) has already provided guidance on these matters, it will be interesting to see to what extent the CJEU will endorse the EDPB’s interpretation or diverge from it. 

The Oberlandesgericht Düsseldorf also seeks to clarify whether personal data may be lawfully collected and combined by the company when obtained from other Facebook Group services and third-party websites/apps to offer personalised content and advertising, under the “contract” or “legitimate interests” legal bases. In parallel, the court asks the CJEU to rule on whether GDPR-compliant consent may be effectively and freely expressed by users “to a dominant undertaking”.

These last questions resemble others that were posed more recently by the Austrian Oberster Gerichtshof. On July 20, 2021, the court essentially asked the CJEU (see an unofficial translation of the questions) to clarify whether the social media platform can rely on “contract” as lawful ground for processing personal data for personalized advertising, or whether it should rely on consent of its users under the GDPR (by asking against which of these two lawful grounds should the wording of its terms and conditions be assessed).

In addition to the consequential question about the appropriate lawful ground in this particular context, the Austrian court also invited the CJEU to clarify how the data minimisation and purpose limitation principles as provided by the GDPR should apply in the context of personalised online advertising, in particular when it comes to sensitive data.

2. Accountability and due diligence

The German Federal Labour Court’s (Bundesarbeitsgericht) reference of October 2020 invites the CJEU to shed light on the circumstances that may lawfully lead organisations to dismiss their appointed Data Protection Officers (DPOs). The EDPB DPO guidelines state that “a DPO could still be dismissed legitimately for reasons other than for performing his or her tasks as a DPO (for instance, in case of theft, physical, psychological or sexual harassment or similar gross misconduct)”. With this reference, the German court seeks to understand whether the CJEU shares the same view and, if so, whether Article 38(3) GDPR would preclude a German provision that forbids employers from terminating the employment relationship with their DPOs in all cases, including for reasons other than the performance of the latter’s tasks. 

Additionally, the referring court asks the CJEU whether the GDPR limitations on dismissal also apply to those DPOs who are appointed pursuant to a domestic law obligation, where the GDPR itself does not require their appointment. 

Looking at a different accountability-related obligation, in a June 2021 reference, the Bulgarian Supreme Administrative Court (Varhoven administrativen sad) wishes to know if the mere occurrence of a data breach is sufficient to ascertain that the controller has not implemented appropriate technical and organisational measures to prevent the breach. In case of a negative answer, the CJEU is asked to further provide a benchmark against which national courts may assess the appropriateness of the implemented measures.

3. Administrative enforcement: How far can DPAs go and do antitrust authorities play a role?

In a set of questions from March 2021, the Budapest Regional Court (Fővárosi Törvényszék) aims to ascertain how far the GDPR-prescribed independence and corrective powers of Data Protection Authorities (DPAs) go. While it seems to be clear that individuals and companies have a right to lodge a judicial appeal against DPAs’ decisions or their inaction (see Article 79 GDPR), the Hungarian court highlights situations where both DPAs and courts are simultaneously called by individuals to assess the lawfulness of the same data processing operations. 

Should DPAs have priority competence to determine GDPR infringements? Or should both DPAs and Courts independently examine the existence of an infringement, possibly arriving at different conclusions? May a DPA find a GDPR breach where, in parallel proceedings, a court has found that there was no such breach? The CJEU is thus expected to clarify how the ne bis in idem principle manifests under the complex enforcement system of the GDPR. 

In another case already mentioned above (see Section 1), the Oberlandesgericht Düsseldorf seeks to clarify the fundamental question of how antitrust law enforcement and data protection rules interact and whether antitrust regulators may play a role in safeguarding data protection law as part of antitrust proceedings. 

This case started from a 2019 decision of the German federal antitrust authority (Bundeskartellamt) against Facebook. The authority found a breach of German competition law with regard to abuse of market dominance by also relying on GDPR provisions in its assessment. These findings primarily concerned rules around valid consent for combining personal data across several services of the social media company. One of the measures imposed by the authority was a prohibition to collect user and device related data obtained from the use of its affiliated services, as well as from visits to third-party websites or apps without valid consent from users. 

Facebook appealed the decision before German courts, with the court of appeal (Oberlandesgericht Düsseldorf) expressing doubts on the legality of the decision of the antitrust regulator, and deciding to suspend its effects as an interim measure until the matter is decided on substance. In return, the German Federal Court of Justice’s antitrust division overturned this interim measure of the court of appeal, and decided that the prohibition ordered by Bundeskartellamt can be enforced while judicial proceedings are ongoing, before sending the case back to Düsseldorf to be decided on substance. 

The court in Düsseldorf suspended proceedings and asked the CJEU to clarify a number of essential questions (see also Section 1 above). In this context, can the Bundeskartellamt determine a GDPR breach by the company investigated in antitrust proceedings and order its correction, given that the regulator is not a supervisory authority under the Regulation, let alone the lead one? The referring Court noted that the Irish Data Protection Commissioner – as the lead DPA of the company – was already investigating alleged GDPR breaches relevant for this case. 

4. Judicial redress: Can competitors engage in representative actions? And do “worries” and “fears” count as non-material damages?

An interesting question posed by the Austrian Supreme Court of Justice in December 2020 relates to whether persons other than harmed data subjects may initiate judicial proceedings for GDPR breaches against the infringer. The Austrian court wishes to know if Article 80(2) GDPR allows competitors, associations, entities and Chambers to sue, regardless of invoking specific data subjects’ rights infringements and the latter’s mandate, in cases where such bodies are entitled to initiate proceedings under national consumer law. 

On such matters, the literature argues that Article 80(2) leaves it up to Member-States to determine whether non-profits with public interest statutory objectives and which are active in the defense of data subjects’ rights may bring own-initiative proceedings in their territory. Thus, it will be particularly interesting to see how the CJEU views the ability of competitors to sue other companies in putative defense of data subjects’ collective interests, notably in the absence of alleged infringements of individuals’ rights. 

In May 2021, the Oberster Gerichtshof (Austria) asked important questions to the CJEU related to non-material damages under the GDPR: can courts attribute compensation to data subjects where a GDPR provision has been infringed, but the data subjects have not suffered harm? And, if demonstrating harm is necessary, does Article 82 GDPR require data subjects’ non-material damages to go beyond the mere nuisance or discomfort caused by the infringement? 

Just a month later, the Bulgarian Supreme Administrative Court went further and asked whether data subjects’ worries, fears and anxieties caused by a confidentiality breach involving personal data qualify as non-material damages which entitle them to compensation, even where data misuse by third parties has not been established and/or data subjects have not suffered any further harm. 

According to its 2020 Annual Report, the average length of proceedings at the CJEU was 15.4 months in the past year. Therefore, it will take a while before the Court clarifies the questions summarized above – and it should be expected that for the very complex ones that raise novel issues, like the interaction between antitrust and data protection law, the proceedings will be longer than average. This overview of questions for preliminary rulings in any case indicates that while there are many GDPR provisions that need clarification, some of the most intricate issues raised by complex personal data processing and how data protection law applies to them have now reached the top court in the EU.

Table 1 — Pending data protection questions sent to the CJEU

Subject-Matter	Date	Requesting court	Relevant provision(s)
Online publication of private interests declarations	April 28, 2020	Vilniaus apygardos administracinis teismas (Lithuania)	Article 6(1) and (3) GDPR; Article 9(2)(g) GDPR
Internet search engine de-referencing	September 24, 2020	Bundesgerichtshof (Germany)	Article 17(3) GDPR
DPO independence and employment termination	October 21, 2020	Bundesarbeitsgericht (Germany)	Article 38(3) GDPR
Publication of beneficial owners’ information under the AML Directive	November 13, 2020	Tribunal d’arrondissement (Luxembourg)	Article 5(1)(a), (b), (c) and (f) GDPR; Article 25(2) GDPR; Chapter V GDPR
Ability of competitors and associations to sue for GDPR breaches, without a data subject mandate	December 22, 2020	Oberster Gerichtshof (Austria)	Article 80(1) and (2) GDPR; Article 84(1) GDPR
Employee data processing under national law	January 20, 2021	Verwaltungsgericht Wiesbaden (Germany)	Article 88(1) and (2) GDPR
Purpose/storage limitation and parallel databases	February 8, 2021	Fővárosi Törvényszék (Hungary)	Article 5(1)(b) and (e) GDPR
Publication of subscribers’ data in public directories: consent, erasure and accountability	March 2, 2021	Hof van beroep te Brussel (Belgium)	Articles 12(2) and 2(f) ePrivacy Directive; Articles 5(2), 7, 17(1) and (2), 24 and 95 GDPR
Conflicts between parallel supervisory authority and court decisions	March 3, 2021	Fővárosi Törvényszék (Hungary)	Articles 77(1) and 79(1) GDPR; Articles 51(1), 52(1) and 58(2)(b) GDPR
Disclosing recipients in the context of access requests	March 9, 2021	Oberster Gerichtshof (Austria)	Article 15(1)(c) GDPR
Monitoring of GDPR breaches by competition authorities; special category data “manifestly made public” by the data subject; legal basis for social media providers collecting 3rd party data; definition of “legitimate interests”	April 22, 2021	Oberlandesgericht Düsseldorf (Germany)	Chapter VI GDPR, with a specific mention to Article 56(1); Article 9(1) and (2)(e) GDPR; Article 6(1), 4(11) and 9(2)(a) GDPR
Compensation in the absence of harm	May 12, 2021	Oberster Gerichtshof (Austria)	Article 82 GDPR
Data (confidentiality) breaches and liability; concept of non-material damage	June 2, 2021	Varhoven administrativen sad (Bulgaria)	Articles 5(2), 24 and 32 GDPR; Articles 82(1), (2) and (3)
Data as remuneration; legal basis for online behavioural advertising; special categories of data	July 20, 2021	Oberster Gerichtshof (Austria)	Article 5(1)(b) and (c) GDPR; Article 6(1)(b) GDPR; Article 9(1) and (2)(e) GDPR
Credit scoring: profiling, legal basis and transparency [the questions to the CJEU have not been published yet]	August 9, 2021	Bundesverwaltungsgericht (Austria)	Article 4(4) GDPR; Article 6(1)(f) GDPR; Article 15(1)(h) GDPR [to be confirmed]
Right to obtain a copy of the personal data pursuant to an access request (see also HERE)	August 9, 2021	Bundesverwaltungsgericht (Austria)	Article 12(1) GDPR; Article 15(1) and (3) GDPR
Processing of health data; cumulation of lawful grounds for processing sensitive data; non-material damages	August 26, 2021	Bundesarbeitsgericht (Germany)	Article 6(1) GDPR; Article 9(2)(h) and (3) GDPR; Article 82(1) GDPR
Is the collection and retention of publicly available data by a credit agency against the lawfulness and storage limitation principles?	August 31, 2021	VG Viesbaden (Germany)	Article 5(1)(a) and (e) GDPR; Article 6(1)(f) GDPR; Article 17 GDPR; Article 40 GDPR; Articles 77 and 78 GDPR.

Joint Project to Explore Limits of Consent in Asia-Pacific Data Privacy Regimes

The Future of Privacy Forum (FPF), a non-profit organization that serves as a catalyst for privacy leadership and scholarship, has partnered with the Asian Business Law Institute (ABLI), a subsidiary of the Singapore Academy of Law (SAL). With this partnership, FPF Asia Pacific and Singapore’s top legal think tank join forces to offer a unique cooperation platform to support the convergence of data protection regulations and best privacy practices in the region.

It is envisioned that this collaboration will result in research, publications, and events. The agreement will build on the substantial work already done by the two think tanks in this area. FPF recently launched an Asia-Pacific office, which aims to advise stakeholders on emerging privacy laws and frameworks in the region.

The first joint activity of this partnership is an online seminar co-hosted by the Personal Data Protection Commission (PDPC) of Singapore. The event titled “Exploring Trends: From ‘Consent-Centric’ Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific” takes place on September 16 from 2-4PM SGT during Singapore’s Personal Data Protection Week. The virtual panel will highlight the limits of the consent-based approach to data protection as it has developed in the region and globally, and the usefulness of developing alternatives, like GDPR-inspired “legitimate interests.” Opening remarks will be made by Yeong Zee Kin, PDPC Deputy Commissioner, with closing remarks by Raymund Liboro, National Commissioner of the Philippines and co-chair of the ASEAN Data Privacy Forum. The panels consist of top data protection and privacy experts in Asian Pacific countries, along with FPF Senior Fellow for India Malavika Raghavan, and FPF Managing Director for Europe Rob Van Eijk.

“In Asia-Pacific as elsewhere, obtaining the user’s consent has long been considered the basis of any regulatory and compliance approach to data protection,” said new Manager of Asia-Pacific, Dr. Clarisse Girot. “Today, this approach has been called into question, and an increasing number of regulators and privacy professionals are promoting accountability over a consent-centric approach to data protection. However, the fragmentation of data protection laws in Asia Pacific is an obstacle to the development of common regional solutions.”

This theme will be one of FPF Asia Pacific’s priorities for the remainder of 2021, in close coordination with the regulators in the region. FPF and ABLI will also release a publication in the coming months that will provide a comparative analysis on the requirements for consent in Asia-Pacific data privacy laws, including recommendations for consistent implementation across the region.

The publication will include insights from highly respected data protection experts across 14 jurisdictions in the Asia-Pacific region. The aim is to propose solutions which are neutral and adapted to the context of each of the jurisdictions covered by this project.

“There are synergies between FPF and ABLI’s work on data privacy,” said Rama Tiwari, Chief Executive at SAL. “This focus on data privacy is especially critical as responses to the COVID-19 situation rely massively on data use and data flows.”

For more information on the Asian Business Law Institute and the Singapore Academy of Law, please visit: https://sal.org.sg/

For more information on FPF Asia Pacific, please visit: https://bit.ly/3kP5jSu

For more information on the event, please visit: https://bit.ly/3BtkFCy

FPF and Mobility Data Collaborative Release Resources to Help Organizations Assess the Privacy Risks of Sharing of Mobility Data

The Mobility Data Sharing Assessment was developed by Chelsey Colbert and Kelsey Finch.

The Future of Privacy Forum (FPF) and SAE’s Mobility Data Collaborative (MDC) have created a transportation-tailored privacy assessment that provides practical and operational guidance to organizations that share mobility data, such as data from the use of ride-hailing services, e-scooters, or bike-sharing programs. The Mobility Data Sharing Assessment (MDSA) will help organizations assess and reduce privacy risks in their data-sharing processes. 

New mobility options are being rapidly adopted in many cities and there is a need to share data so that cities can manage the public right-of-way and for companies to offer or improve services and products. 

“These are practical resources to support mobility data sharing between organizations in both the public and private sectors,” said Chelsey Colbert, Policy Counsel at FPF. “The tool is interoperable with leading industry frameworks, and it is technology-neutral so it may be used for any data sharing methods related to ride-hail and micromobility.” 

The goal of the MDSA is to enable responsible data sharing that protects individual privacy, respects community interests and equities, and encourages transparency to the public. By equipping organizations with an open-source, interoperable, customizable, and voluntary framework with guidance, the barriers to sharing mobility data will be reduced. 

The Mobility Data Sharing Assessment consists of the following components: 

1. A Tool that provides a practical, customizable, and open-source assessment for organizations sharing mobility data. 
   
2. An Operator’s Manual that provides detailed instructions, guidance, and additional resources to assist organizations as they utilize the tool.
   
3. An Infographic that provides a visual overview of the MDSA process. 

“If data from mobility initiatives are going to be used to solve today’s complex mobility challenges, organizations need to be able to conduct thoughtful, in-depth legal and policy reviews,” said Pooja Chaudhari, Head of New Mobility at SAE International and Director of the MDC. “The MDSA can be used by both data providers and recipients to drive innovation in the ever-evolving mobility landscape while ensuring user privacy.” 

Learn more about the Mobility Data Collaborative on its website.

UPDATE: China’s Car Privacy and Security Regulation is Effective on October 1, 2021

The author thanks Hunter Dorwart for his contribution to this blog.

On August 20, 2021, the Cyberspace Administration of China (CAC) released an updated regulation on car privacy and data security that comes into force on October 1, 2021. The CAC initially published a draft on May 12 this year. The regulation is called “Several Provisions on the Management of Automobile Data Security (for Trial Implementation),” hereinafter “enacted regulation”. A press release with answers to reporters’ questions was also published on the same date as the enacted regulation. 

The purpose of the enacted regulation is to regulate automobile data processing activities, protect the legitimate rights and interests of individuals and organizations, safeguard national security and public interests, and promote the rational development and utilization of automobile data, in accordance with the “Network Security Law of the People’s Republic of China” and the “Data Security Law of the People’s Republic of China.”

The enacted regulation for car privacy and security is not the biggest news to come from China. On August 20, 2021, the National People’s Congress (NPC) of China adopted the first Chinese comprehensive data protection law, the Personal Information Protection Law (PIPL), less than a year after the first draft of the law was published. The PIPL will go into effect on November 1, 2021. For more about PIPL, see my colleague’s recent blog post.

The enacted regulation should be read in conjunction with other laws, regulations, and standards in China’s emerging data protection regime. In theory, laws passed by the National People’s Congress (NPC), such as the Personal Information Protection Law (PIPL), take priority over administrative regulations, such as the one detailed in this post and other regulations passed within China’s larger regulatory bureaucracy such as the recent market regulations for the ride-hailing industry. The CAC is technically not a government agency but rather a super-ministerial body directly under the State Council. It drafts regulations with the input and agreement of other agencies but operates largely independently of them.

This post is an update to a post from May 18, where I summarized the draft regulation (“Several Provisions on the Management of Automobile Data Security”). This post compares the draft regulation with the enacted regulation, highlights notable changes between the two regulations, and concludes with a summary of the notable differences.

Updated scope of covered entities: “Automobile data processors”

Automobile data processors are organizations that carry out automobile data processing activities, including automobile manufacturers, parts and software suppliers, dealers, maintenance organizations, and ride-hailing and -sharing companies (出行服务企业).

In contrast, the draft regulation applies to “operators”, which are defined as “automobile design, manufacturing, and service enterprises or institutions, including automobile manufacturers, component and software providers, dealers, maintenance organizations, online car-hailing companies, insurance companies, etc.”

Covered data: Distinction among “personal information,” “important data,” and “sensitive personal information,” plus a new data type “automobile data”

The enacted regulation adds a fourth type of data: “automobile data.” Automobile data covers personal information data and important data involved in the process of automobile design, production, sales, use, operation, and maintenance.

Automobile data processing includes the collection, storage, use, processing, transmission, provision, and disclosure of automobile data.

Personal information refers to information related to the identified or identifiable vehicle owner, driver, passenger, and people outside the vehicle that have been recorded electronically or by other means and does not include anonymized information. This mirrors China’s Personal Information Protection Law’s definition of personal information but narrows the scope to information specific to the use of vehicles.

In contrast, the definition of “personal information” in the draft regulation includes “the personal information of car owners, drivers, passengers, pedestrians, etc., as well as various information that can infer personal identity and describe personal behavior.”​​  

Sensitive personal information refers to personal information that, once leaked or illegally used, may cause discrimination against car owners, drivers, passengers, and people outside the car, or serious harm to personal and property safety, including vehicle location audio, video, images, and biometric data.

The draft regulation’s definition of “sensitive personal information” (found in Article 8) includes “​​data that can be used to determine illegal driving.” The enacted regulation does not have this and instead includes “personal information that once leaked or illegally used, may cause discrimination against car owners, drivers, passengers, and people outside the car, or serious harm to personal and property safety.” 

Important data refers to data that may endanger national security, public interests, or the legitimate rights and interests of individuals or organizations once it has been tampered with, destroyed, leaked, or illegally obtained or used, including:

(1) Geographical information, personnel flow, vehicle flow, and other data in important sensitive areas such as military management zones, national defense science and industry units, and party and government agencies at or above the county level;

(2) Data reflecting economic operation conditions such as vehicle flow and logistics;

(3) Operating data of the car charging network;

(4) Video and image data outside the car including face information, license plate information, etc.;

(5) Personal information involving more than 100,000 personal information subjects;

(6) Other data that may endanger national security, public interests, or the legitimate rights and interests of individuals and organizations as determined by the State Cyberspace Administration and the State Council’s development and reform, industry and information technology, public security, transportation, and other relevant departments.

The definitions of “important data” in the draft and enacted regulation are similar, and both regulations contain specific provisions for automobile data processors processing and sharing this type of data (see below).

Obligations based on the Fair Information Practice Principles (or the Personal Information Protection Principles)

Article 4 requires that the processing of automobile data by auto processors be legal, proper, specific, and clear. Automobile data processing must be directly related to the design, production, sale, use, operation, and maintenance of the vehicle. This Article is similar to language in the draft regulation’s Article 4; however, the enacted regulation has broader language.

Article 5 in both the draft regulation and the enacted regulation is about security and data protection. Automobile data processors must implement network security grade protection, strengthen automobile data protection, and perform data security obligations in accordance with the law.

Article 6 in both the draft regulation and the enacted regulation lists several privacy best practices that automobile data processors are encouraged to follow when processing automobile data (note that this Article applies to “automobile data”). The enacted regulation has four, while the draft had five. In the enacted regulation, the principle of data retention has been moved from Article 6 to Article 7. 

The principles in Article 6 are now:

1. Process automobile data inside the vehicle unless it is necessary to send it outside the vehicle. 
2. Non-collection by default. Unless the driver chooses otherwise, the default is to not collect automobile data.
3. A principle of precision is determined by the capacity of automobile data processors to meet accuracy standards for processing data regarding the range, the coverage, and resolution of cameras, radars, etc. (“Principle of accuracy range application.”)
4. Desensitization treatment, or anonymization and de-identification treatments whenever possible. 

Article 6(3) is notable because it appears to introduce a technical standard, which may be considered outside of the scope of a privacy (or data protection) regulation. However, the press release, which contains answers to reporters’ questions, notes that “[d]uring the formulation of the “Regulations,” both safety and development were emphasized…” and “driving safety” is mentioned throughout the enacted regulations. There may be more information provided through technical or industry standards about what exactly this means for manufacturers. 

Article 7 in both the draft regulation and the enacted regulation applies to “personal information” (not the broader “automobile data”) and requires automobile data processors to notify individuals through manuals, on-board display panels, voice, and other vehicle-related applications. 

The draft regulation lists four things the individual must be made aware of, while the enacted regulation lists seven. As noted above, retention has been moved to Article 7. The complete list of information that must be communicated to individuals is:

(1) The types of personal information processed, including vehicle location, driving habits, audio, video, images, and biometric features, etc.;

(2) The specific circumstances under which various types of personal information are collected and the ways and means to stop the collection;

(3) Purposes, uses, and methods of processing various types of personal information;

(4) Personal information storage location and retention period, or rules for determining the storage location and retention period;

(5) Ways and means of consulting and copying their personal information, deleting the information collected inside of the vehicle, and requesting to delete the personal information that has been provided outside the vehicle;

(6) The name and contact information of the contact person for exercising user rights;

(7) Other matters that should be notified as required by laws and administrative regulations.

While it is not clear from the text, it appears that Article 7 uses “individuals” in a slightly more narrow way than in the definition of “automobile data,” which includes people outside of the vehicle. In Article 7, it appears that “individuals” does not include people outside of the vehicle. This could be because there is a practical challenge of effectively communicating all of the above information to pedestrians, whose interactions with the vehicle may be fleeting. The provisions in Article 7 also appear to focus on types of data collected inside of a vehicle.

Article 8 and 9 in the draft and enacted regulation have been switched. 

Article 8 of the enacted regulation (draft regulation Article 9) is about consent to process personal information. When processing personal information, automobile data processors must obtain consent or comply with other requirements as stipulated by laws and administrative regulations. 

Notably, the new Article 8 mentions safety. This sentence states that (paraphrased and translated):

Due to the need to ensure the safety of driving, automobile data processors that cannot obtain personal consent to collect personal information from outside the vehicle and that share personal information outside of the vehicle should anonymize the data, including deleting the images or videos that can identify natural persons, partial facial information, or contour processing (对画面中的人脸信息等进行局部轮廓化处理等), which appears to mean using the features of someone’s face to create larger outlines of the person).

The draft regulation’s consent provision (Article 9) did not reference vehicle safety and instead recognized that it might be difficult in practice to obtain consent. 

Article 9 of the enacted regulation (draft regulation Article 8) lists requirements for processing “sensitive personal information” and notes that automobile data processors must also meet requirements under other applicable laws, administrative regulations, and mandatory national standards.

Again, one notable difference between the two regulations is that in this particular Article about processing “sensitive personal information”, the draft regulation mentions “driving safety” once, while the enacted regulation mentions “driving safety” thrice. Thus, this further illustrates a greater focus on the importance of balancing vehicle and driving safety with privacy and security.

The five requirements for processing “sensitive personal information” in Article 9 are:

(1) Having the purpose of directly serving individuals, including enhancing driving safety, intelligent driving, navigation, etc.;

(2) Notifying the necessity and impact on individuals through obvious means such as user manuals, on-board display panels, voice, and car use-related applications;

(3) Individual consent should be obtained, and the individual can independently set the time limit for consent;

(4) Under the premise of ensuring the safety of driving, prompt the collection of data in an appropriate manner to provide convenience for individuals to terminate the collection;

(5) If an individual requests deletion, the automobile data processor shall delete it within ten working days.

There are a few differences between the draft and enacted regulations that are worth noting here. 

1. The requirement in 9(1) is almost identical, except that the enacted regulation does not explicitly include the purpose of “entertainment” and instead of “assisting driving,” uses “intelligent driving”. This requirement includes “etc.”, so this is presumably not a closed list, and “entertainment” may still be read in. 
2. The requirement for notice in 9(2) is enhanced in the enacted regulation. The draft regulation (in 8(3)) requires that the individual be informed that sensitive personal information is collected. The enacted regulation requires that individuals be notified of the necessity and the impact on them. 
3. The draft regulation requires that individuals be able to terminate the collection of sensitive personal data at any time (8(4)). Being able to stop the collection of this data at any time could have raised safety concerns if, for example, the driver terminated the collection of this data while the car is in operation without understanding how that data was being used to operate the car. The enacted regulation has updated language, which may address this concern. Individual consent is required, and the individual can set the time limit for consent (9(3)). 
4. Related to 9(3), the enacted regulation states in 9(4) that “Under the premise of ensuring the safety of driving, prompt the collection status in an appropriate manner to provide convenience for individuals to terminate the collection.”
5. The enacted regulation does not include Article 8(5), “Allow vehicle owners to conveniently view and structured inquiries about the collected sensitive personal information.”
6. The draft regulation requires that sensitive personal data be deleted within two weeks upon request by the “driver.” The enacted regulation requires automobile data processors to delete that data within ten working days if requested by an “individual.”

The enacted regulation also includes a purpose and necessity requirement for the collection of a particular type of sensitive personal information: biometric data (such as fingerprints, voiceprints, human faces, heart rhythms). This appears to replace the draft regulation’s Article 10, which focuses on biometric data. Note that the press release states that “[r]egarding personal biometric information, it is clear that the car data processor has the purpose of enhancing driving safety and is necessary to collect it,” underscoring the sensitivity of biometric data and the high bar required to process this type of data.

Article 10 of the enacted regulation adds a new requirement for automobile data processors who process “important data.” In this situation, automobile data processors must conduct risk assessments in accordance with regulations and submit risk assessment reports to the provincial, autonomous region, and municipal network information departments and relevant departments.

The risk assessment report shall include the type, quantity, scope, storage location and period, use of the important data processed, the status of data processing activities and whether it is provided to a third party, the data security risks faced, and countermeasures, etc.

This appears to replace Article 11 of the draft regulation, which requires operators to report to the provincial network information department and relevant departments similar information about important data, but does not use the term “risk assessment.”

“Important Data”

Both the draft and enacted regulations contain several Articles pertaining to “important data”. (Articles 11-17 in the draft regulation and Articles 10-14 in the enacted regulation).

As noted above, automobile data processors are required to conduct a risk assessment when processing important data (Article 10).

Article 11 requires important data to be stored in China unless it is necessary to provide it overseas for business purposes. In this situation, there must be a security assessment (“exit safety assessment”) conducted by the State Cyberspace Administration of China with the relevant departments of the State Council.

Automobile data processors should not exceed the purpose, scope, method, type, and scale of important data specified in the exit safety assessment when this data is shared overseas (Article 12). The national cybersecurity and informatization department, in conjunction with relevant departments of the State Council, will verify the matters specified in the exit safety assessment by means of random inspections.

Article 13 requires automobile data processors who process important data to report the following automobile data security management information to the provincial, autonomous region, and municipal network information department and relevant departments before December 15 of each year:

(1) The name and contact information of the person in charge of automobile data security management and the contact person for processing user rights;

(2) The type, scale, purpose, and necessity of processing automobile data;

(3) Safety protection and management measures for automobile data, including storage location, period, etc.;

(4) Providing automobile data to domestic third parties;

(5) Car data security incidents and handling conditions;

(6) User complaints and handling of automobile data;

(7) Other automobile data security management conditions specified by the State Cyberspace Administration in conjunction with the State Council’s industry and information technology, public security, transportation, and other relevant departments.

In addition to the above requirements in Article 13, if automobile data processors share important data overseas there are additional reporting requirements found in Article 14. Articles 13 and 14 replace Articles 17 and 18 in the draft regulation.

Article 15 states that anyone participating in the exit safety assessment must not disclose the trade secrets or other confidential information learned during the assessment or use any information for purposes other than the assessment.

Article 16 appears to be an affirmation that China supports intelligent and connected vehicle operations and will cooperate with automobile data processors to strengthen and secure the network.

Article 17 requires auto data processors to establish appropriate complaints and reporting portals to handle user complaints.

Article 18 replaced article 20 in the draft regulation but has similar language regarding violations and penalties.

In summary, the processing and sharing overseas of “important data” may trigger the requirement of five separate assessments, reports, or inspections.

1. Risk assessment: All automobile data processors who process important data should complete a risk assessment. Risk assessments are submitted to the provincial, autonomous region, and municipal network information departments and relevant departments (Article 10).
2. Exit security assessment: If an automobile data processor finds it is necessary to share important data outside of China for business purposes, the automobile data processor must pass a security assessment organized by the national network information department in conjunction with the relevant departments of the State Council (Articles 11 and 12).
3. Random inspection: The State Cyberspace Administration and relevant departments of the State Council will conduct random inspections to verify the information automobile data processors record in their exit security assessment (Article 12).
4. Annual report: All auto data processors that process important data must file an annual automobile data security report (Article 13).
5. Annual supplementary report: If an automobile data processor finds it is necessary to share important data outside of China for business purposes, the automobile data processor must supplement the annual report referenced in Article 13 with additional information (Article 14).

Summary of the Main Differences between the Draft Regulation and the Enacted Regulation

1. The enacted regulation has a new defined term: “automobile data.” This term appears to be a shorthand to refer to both “personal information” and “important data”.  “Sensitive personal information” is a subset of “personal information.”
   
2. The definition of “personal information” has been updated.
   
3. “Sensitive personal information” is explicitly defined and somewhat clarified. The draft regulation’s definition of “sensitive personal information” includes “​​data that can be used to determine illegal driving”. The enacted regulation does not include this and instead refers to “personal information that once leaked or illegally used, may cause discrimination against car owners, drivers, passengers, and people outside the car, or serious harm to personal and property safety”.
   
4. There is a new risk assessment requirement for processing “important data.”
   
5. The draft regulation applies to “operators,” and the enacted regulation applies to “automobile data processors”. The definitions of both of these terms are different.
   
6. The principle of data retention has been moved from Article 6 (privacy best practices) to Article 7 (requirements to notify individuals).
   
7. More emphasis is placed on “driving safety” in the enacted regulation. For example, see Articles 8 and 9 and the press release. This further illustrates a greater focus on the importance of balancing vehicle and driving safety with privacy and security. This balance or, at times, tension will likely appear in both vehicle and automated vehicle regulations globally.
   
8. The enacted regulation has an updated deletion request timeline for sensitive personal data.
   
9. The enacted regulation has additional requirements and considerations for automobile data processors processing or sharing “important data” overseas.

Conclusion

Some challenges and considerations raised by the enacted regulation are 1) the coming into force date; 2) the introduction of what appears to be technical standards without further detail (e.g., Article 6(3)); and 3) that it is not always clear who exactly “individuals” refers to (e.g., Article 7). The coming into force date is October 1, 2021. Many of the requirements and best practices throughout the regulation likely require software, hardware, and design changes, and the tight deadline could prove challenging for automakers, where the average design and manufacturing span for a vehicle can be two-three years.

The enacted regulation highlights the complexity of the mobility ecosystem in two ways. First is the complexity of the data flows, evidenced by the regulation defining three types of data commonly processed by automobile data processors and introducing a new umbrella data term “automobile data.” Second is the complexity of parties involved, evidenced by the broad definition of “personal information,” which includes the vehicle owner, driver, passengers, and people outside of the vehicle. Similarly, “automobile data processors” is also defined fairly broadly and includes vehicle manufacturers, hardware and software suppliers, dealers, repair shops, and ride-hail companies. 

Also notable are the references to and emphasis on driving safety. As vehicles become more connected and automated, safety standards will increasingly influence data processing and thus privacy and data protection regulations, which will in turn impact vehicle design, operations, and safety. This circle of influence underscores the importance of privacy and data protection experts working closely with product designers and computer scientists. Privacy and data protection are slowly but surely moving from the risk and compliance office and into the product and engineering offices. As we travel along the road of car privacy and security regulations, this trend is sure to speed up. 

Image by Erdenebayar Bayansan from Pixabay 

Read More:

For an overview of China’s recently adopted Personal Information Protection Law, see China’s New Comprehensive Data Protection Law: Context, Stated Objectives, Key Provisions

China’s New Comprehensive Data Protection Law: Context, Stated Objectives, Key Provisions

The National People’s Congress (NPC) of China adopted on August 20, 2021  the first Chinese comprehensive data protection law, the Personal Information Protection Law (PIPL), less than a year after the first draft of the law was published. The NPC  thus concluded its legislative process that saw two additional markups of the law since October of last year. The PIPL will go into effect on November 1, 2021, but many companies within China are already coordinating with relevant enforcement agencies to comply. The adoption of the PIPL occurs in the wake of enhanced scrutiny over the tech sector by the Chinese government, and within a year from the entering into force of the new Civil Code which includes specific provisions for the protection of personal information.

The PIPL represents one pillar of China’s emerging data protection architecture that includes a myriad of other laws, industry-specific regulations, and standards. For instance, the recently enacted Data Security Law (DSL) sets forth a comprehensive list of requirements regarding the security and transferability of other types of data. It also establishes a “marketplace for data” to enable data exchange and digitalization. Additionally, the PIPL explicitly references China’s Constitution to provide a more firm legal basis for the implementation of its data protection goals (Art. 1). As such, the PIPL should not be viewed in isolation but rather examined in relation to these other regulatory tools that serve complimentary, albeit different purposes. 

The PIPL will mainly serve as China’s comprehensive data protection law, following in this respect the European approach which clearly distinguishes the protection of privacy from the protection of individuals with regard to the processing of their personal information (“data protection”). Its officially declared aims are thus: 

1. to protect the rights and interests of individuals (为了保护个人信息权益),
2. to regulate personal information processing activities (规范个人信息处理活动),
3. to safeguard the lawful and “orderly flow” of data (保障个人信息依法有序自由流动),
4. to facilitate reasonable use of personal information (促进个人信息合理利用) (Art. 1).

Throughout the legislative process, experts and privacy professionals have contributed to the work of the legislator, based among other things on their experience resulting from the implementation of EU’s General Data Protection Regulation (GDPR), which served as a reference in this exercise as in the drafting of previous renditions of data protection regulation such as the Personal Information Specification. It should be noted that it is not unusual for Chinese lawmakers to draw inspiration from texts and codes from European continental law traditions, China itself being a civil law jurisdiction.

The PIPL however serves several other objectives, which distinguishes it from the majority of data protection laws adopted to date around the world. Like its previous preparatory versions, the law has a distinct ‘national security’ flavor, particularly around its provisions on localization and cross-border transfers. 

The law also incorporates provisions that affirm China’s intention to defend its digital sovereignty: overseas entities which infringe on the rights of Chinese citizens or jeopardize the national security or public interests of China will be placed on a blacklist and any transfers of personal information of Chinese citizens to these entities will be restricted or even barred. China will also reciprocate against countries or regions that take “discriminatory, prohibitive or restrictive measures against China in respect of the protection of personal information” (Art. 43).

Last but not least, the PIPL clearly states China’s ambition to take a full part in international data protection discussions and thus assert its influence commensurate with the size of its economy and its growing technological capabilities. In particular, PIPL states China’s aims to actively contribute to the setting of global data protection standards ‘with other countries, regions, and international organizations’ (Art. 12). Related provisions of the PIPL echoe the stated ambitions of influencing international negotiations which relate directly or indirectly to international data transfers. The relevant provisions should therefore be read in the broader perspective of the Belt & Road Initiative (BRI) and the provisions relating to data transfers included in the Regional Comprehensive Economic Partnership (RCEP), conceived as a “regional backup” of negotiations on WTO e-trade rules, or so-called JSI negotiations. 

Overview of the PIPL

At a broader level, like most data protection laws modelled after the GDPR and other modern data protection laws, the PIPL sets forth a range of obligations, administrative guidelines, and enforcement mechanisms with respect to the processing of personal information. For instance it applies to very broadly defined “personal information” (PI) – which includes the “identifiable” element from the GDPR, includes lawful grounds for processing after the GDPR model, but with “legitimate interests” notably missing, and applies to “handling” of PI which includes “collection” of PI, meaning that a lawful ground is needed even before touching the data.

Additionally, the PIPL has rules for “handlers”, “joint handling” and “entrusted parties” with handling on behalf of the handlers (controllers, joint controllership, processors), including agreements to be put in place similarly to Art. 26 and Art. 28 agreements in the GDPR. It likewise applies in the public sector, as well as in the private sector, and has data localization requirements with regard to PI processed by state organs, critical infrastructure operators, and other handlers reaching a specific volume of PI processed.

The law regulates personal information transfers outside of China by imposing obligations on handlers before transferring data abroad such as complying with a security assessment by relevant authorities. It also mandates risk assessments (similar to a Data Protection Impact Assessment) for specific processing including automated decision-making and handling that could have “a major influence on individuals.”  Data handlers must also appoint Data Protection Officers (DPOs) in specific situations, depending on the volume of PI processed, and conduct regular compliance training.

Individuals are granted an extensive number of “rights in personal information handling activities”. The PIPL provides for individual rights very similar to GDPR’s “rights of the data subject”, such as erasure and access, and it specifically includes a right to obtain explanation and a right to data portability, the latter being introduced late in the third version of the draft law. 

Finally, the PIPL has a complex system of enforcement, including fines (that can go up to 5% of a company’s turnover) and administrative action (including orders to stop processing, or confiscation of unlawfully obtained profit), individual rights to obtain compensation, and civil public interest litigation cases through a public prosecutor.

The PIPL is divided into eight substantive chapters. Below we summarize the key aspects of the law and provide preliminary analysis.

1. Covered Data: Personal Information, Sensitive Information

The law applies to “handling” of “personal information”, both in the private and public sectors. Unlike the GDPR and its Article 4, the PIPL contains no general provision defining key terms of the law. Rather, notable definitions are scattered throughout the text and sometimes included directly in a more specific provision. Most of the definitions contained in the law are similar to, or using some identical wording to that of the GDPR, with notable variations. 

Broad Definition of Personal Information (个人信息) 

Personal information (PI) refers to “all kinds of electronic or otherwise recorded information related to an identified or identifiable natural person” (Art. 4). This definition largely mirrors the one set forth under the Cybersecurity Law and Chinese Civil Code, which define personal information as “the various types of electronic or otherwise recorded information that can be used separately or in combination with other information to identify the natural person.” Relatedly, it resembles the broad definition of “personal data” in the GDPR as “any information relating to an identified or identifiable natural person.” 

Open List of Sensitive Information (敏感个人信息).

The law further specifies that sensitive information means “personal information that once leaked or illegally used may cause discrimination against individuals or grave harm to personal or property security, including information on race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts, individual location tracking, etc.” (Art. 28). Information handlers may only process sensitive personal information for specific purposes and when sufficiently necessary (Art. 28). Handlers shall further obtain specific consent if they rely on individual consent for processing (Art. 29).

Notably, the definition of sensitive information diverges from the GDPR’s “special categories” of personal data, which is a closed list of specific types of personal data (see Article 9). The PIPL has an open list of sensitive data, centering its definition around the notion of harm and the data’s potential discriminatory impact on individuals. Unlike the GDPR, the PIPL contains no specific provision regarding the processing of PI related to criminal convictions and offences. In contrast, financial information and location data are included in the scope of sensitive PI, to the effect of subjecting their handling to obtaining the individual’s specific consent. The extension of the scope of sensitive information to cover financial information has been noted in other jurisdictions like India. 

Finally, the PIPL treats biometric data as sensitive PI. This qualification resonates with the specific provisions in the law on facial recognition (see below). 

De-identification and Anonymization are Defined Separately

“De-identification” and “anonymization” are defined in the very last substantive provision of the PIPL (art. 73), with anonymized PI being specifically excluded from the material scope of the law (Art. 4). 

• De-identification (去标识化) is defined similarly to the GDPR’s pseudonymization and it refers to the “process of personal information undergoing handling to ensure it is impossible to identify specific natural persons without support of additional information” (Art. 73). The PIPL does not define de-identification for any other purpose than to list de-identification among the technical security measures which PI handlers may use to comply with security obligations (Art 51).
• Anonymization (匿名化) refers to the “act of personal information handling to make it impossible to identify specific natural persons and impossible to restore”; PI which has been anonymized is specifically excluded from the scope of the law; in addition, third parties are prohibited to try and re-identify anonymized information they receive from handlers. 

Personal Information Handling (个人信息的处理) Defined Broadly to Cover the Entire Lifecycle of PI 

PI handling includes “the collection, storage, use, processing, transmission, provision, publishing, and other such activities” of personal information (Art. 4). This resembles the definition of processing under the GDPR and it means that the rules proposed in the law apply to the collection of PI as well as to the use of PI. Since the law includes lawful grounds for handling PI (see below), this means that such grounds must be in place before a handler collects the data.

2. Covered Actors, both in the Public and Private sectors

Information Handler or “Controller” (个人信息处理者); “Entrusted parties”/Processors; 

Conventionally the law has rules on controllers, joint controllers and processors. Parties or individuals become personal information handlers when they “independently determine the purposes and means for handling of PI.” (Art. 73). PI handlers appear to function in a similar manner under the Chinese draft law as data controllers under the GDPR.  Note that the law nor any other legislation in China specifically uses the term “controller” (控制者). 

The law also provides rules on joint controllership, “where two or more PI handlers jointly decide on a PI handling purpose and handling method”. Joint handlers have to “agree” on the rights and obligations of each, and the agreement should not affect the possibility for an individual to exercise their rights against any of them; they are also jointly liable for breaches (Art. 21). 

Handlers can entrust handling of PI to third parties under very similar conditions to the controller-processor relationship in the GDPR. They have to conclude an agreement, which has to refer to the purpose of the entrusted handling, the handling method, categories of PI, the rights and duties of both sides etc., including ways to “conduct supervision of the PI handling activities of the entrusted party” (Art. 22); this resembles the audit clause in Art. 28 GDPR agreements. 

Finally, If the data processing agreement with a third party becomes ineffective or invalid or is otherwise terminated, the third party must not store the personal information and either return it to the data handler or delete it (Art. 21). 

Public and Private Sectors Covered 

Similarly to GDPR’s household exemption, the PIPL does not apply to processing by natural persons for their personal or family affairs (Art. 72). The PIPL further applies to processing activities in both the private and public sectors.

No private organization is exempt from the scope of the law; on the other hand, certain companies (“those who provide important Internet platform services, a large number of users, and a complex type of personal information processor”) are subject to reinforced obligations (see below).

In the public sector, all “state organs” (i.e. public authorities and agencies, at central, provincial or municipal levels, including the courts and lawmaking bodies) must abide by a specific set of obligations with regard to the handling of PI in the context of the performance of their statutory duties (Art. 34). These rules apply alongside the wide array of information management rules which apply to the Chinese administration. 

The same obligations apply to organisations which handle PI on behalf of state agencies based on specific laws or regulations (Art. 37). This includes notifying individuals and obtaining their consent when handling PI (for instance to share PI between administrations), unless notification will impede the performance of their statutory obligations, or specific statutory rules impose secrecy (Art. 18 & 35). State agencies must store the PI they process in China and can only transfer such data overseas “if it is really necessary to provide the PI overseas” and after undergoing a security risk assessment that “may require support and assistance from relevant departments” (Art. 36). 

State agencies that fail to comply with the law will be subject to oversight from a superior authority and will have to make corrections in their processing activities (Art. 68). The individuals directly responsible or in charge of the agency’s decisions that lead to non-compliance face personal liability for their actions, including termination, suspension, and fines (see below). 

3. Territorial Scope, with Extraterritorial Long Arm 

The PIPL principally applies to organizations and individuals’ handling PI of natural persons within the jurisdiction of China. This applies to any organization or person physically within the borders of China. 

Article 3 of the law extends the territorial scope of the law to processing activities by handlers established outside of China, similarly to the GDPR, if one of the following circumstances is present:

• Where the purpose is to provide products or services to natural persons inside the border;
• Where conducting analysis or assessment of activities of natural persons inside the borders;
• Other circumstances provided in laws or administrative regulations.

This third paragraph has no direct equivalent in GDPR and leaves a margin of discretion to the public authorities to further extend the long-arm jurisdiction of the law in cross-border scenarios.

The law requires handlers outside of China that process personal information of covered persons to establish a dedicated entity or appoint a representative within China to be responsible for matters related to their information processing (Art. 52). Such entities must provide the name and contact method of the representative to the relevant departments responsible for implementing the law. 

4. Lawful Grounds and Personal Information Protection Principles

PI handlers must have a valid legal basis to handle PI from one of the following circumstances (Art. 13):

• Obtaining the individuals’ consent;
• Where necessary to conclude or perform a contract to which the individual is an interested party or where necessary to comply with relevant labor regulations or the execution of a collective contract to implement necessary human resources supervision (e.g., employee data). 
• Where necessary to fulfill statutory duties and responsibilities or statutory obligations;
• Where necessary to respond to sudden public health incidents or protect natural person’ lives and health, or the security of their property, under emergency conditions;
• Handling personal information within a reasonable scope to implement news reporting, public opinion supervision, and other such activities for the public interest;
• Handling personal information publicly disclosed by an individual or other legally disclosed information within a reasonable scope, unless the individual expressly refuses or if there is a major influence on individual rights and interests. 
• Other circumstances provided in laws and administrative regulations.

Like in GDPR, the seven legal grounds to process PI in Art. 13 are provided on an equal basis, meaning that there is no preferred order in which they should be relied on. This provision is significant because it distinguishes the PIPL from the data protection provisions previously applicable to the collection and processing of PI in China, including in the Cybersecurity Law and Civil Code, which are mainly centered on consent. This evolution will be welcomed by practitioners and legal scholars alike, who in China as elsewhere criticized overly relying on consent as an insufficient and artificial protection of the individual. The consent-centric framework was also criticized as being too rigid, with companies long advocating for additional legal bases, such as performance of a contract or legitimate interests, e.g. for anti-fraud purposes. 

However, this list does not include the broad concept of the data handler’s “legitimate interests” as it has existed for more than twenty years in the EU data protection framework, and now in a significant number of data protection laws in Asia Pacific and other regions. It is nonetheless possible that further administrative regulations will add a similar ground for processing. The insertion in the final version of PIPL of specific provisions relating to the processing of employee data, in order to exempt the processing of their PI from the collection of their consent (Art. 13(2)), would be indicative of this development in the mind of the legislator. This  provision built on precedents  found in local regulations like the recent Shenzhen data regulation, which expand exceptions to consent for employers to process employees’ data for certain purposes. 

Focus on Consent

Despite the evolution seen in relation to the addition of several other lawful grounds for handling data, consent is present throughout the law outside the legal bases provision. For example, the law includes a prohibition for handlers to disclose the PI they are processing, unless they obtain specific consent (Art. 25). When processing publicly available PI, handlers should only process them in a way that reasonably conforms with the purpose for which they were published and if they are processed for different purposes, the individual needs to be notified and asked for consent. Consent also plays a role in further uses of facial recognition installed in public venues, which is allowed as a matter of principle only for the purpose of ensuring public security (Art. 26). 

The conditions for validity of consent are that it must be informed (given under a “precondition of knowledge” about the processing), and it must be given “in a voluntary and explicit statement of wishes” (Art. 14).  Laws or administrative regulations may require “specific consent” or “written consent” for specific processing of PI (Art. 14).

Similar to the GDPR, individuals have the right to withdraw consent (Art. 15). Inspired by the “freely given” validity condition under the GDPR, the PIPL also provides that handlers may not refuse to provide products or services on the basis that an individual does not consent to the processing of PI or withdraws their consent, except in those situations where the PI is “necessary” for the provision of products or services (Art. 16).  Handlers must provide a convenient way for individuals to withdraw consent and the withdrawal will not affect any processing activity that took place before consent was revoked (Art. 15)

Stringent Rules for Children PI

Handlers that process PI of children younger than 14 must obtain consent from parents (Art. 31). This marks a departure from earlier drafts that mandated obtaining consent only when the processor knew or should have known that the data subject was 14 or under. This provision was notably introduced in the 2018 PI Security Specification. The inclusion of a more strict standard also reflects the fact that such information now constitutes sensitive information under the PIPL and thus handlers must comply with additional requirements (see above). Lawmakers in China have recently concentrated on the online protection of minors: they have passed a revised Law on Minors with more stringent restrictions for companies that offer online services to minors and even taken recent enforcement actions in this space. 

Personal Information Protection Principles 

The PIPL recognises key data protection principles very similar to the Fair Information Protection Principles (FIPPs) and other data protection principles included in the GDPR: 

• There is a principle of “sincerity” or “good faith”– which most likely is akin to the principle of fairness. The law further recognizes principles of lawfulness and necessity (Art. 5).
• There are rules on purpose limitation (Art. 6), including a requirement to process PI with a clear, reasonable and directly related purpose. There is also a minimization provision (Art. 6). 
• The law references openness and transparency as overarching goals of personal information processing (Art. 7).
• The law also stipulates accuracy and accountability as guiding indicators (Art. 8-9). 
• There is a provision that references storage limitation (Art. 19). Retention periods shall be the shortest period necessary to realize the purpose of the personal information handling.

5. Automated Decision-Making (自动化决策) and Facial Recognition

The PIPL contains specific provisions governing the use of Automated Decision-Making (ADM). Under the law, ADM refers to “activities that use personal information to automatically analyze, assess, and decide via computer programs, individual behaviors and habits, interests and hobbies, or situations relating to finance, health, or credit status.” (Art 73(2)).

The law mandates specific processing obligations: 

• When conducting ADM with PI, handlers must guarantee transparency, fairness and reasonability of the result (Art. 24). If an individual believes ADM creates a major influence on their rights and interests, they may demand an explanation and refuse the sole use of such automated decision-making.  
• Entities that use ADM to make targeted marketing offerings should simultaneously provide an option for individuals to receive information not based on personal characteristics or offer a convenient method of refusal (Art. 24). 
• No unreasonable differences in transaction price or treatment may be imposed on individuals through ADM (Art. 24). 
• Handlers must conduct a DPIA before offering such services through automated means (Art. 55). 

Facial Recognition Rules for Public Areas

In public areas, the installation of image collection or personal identity recognition equipment must be used to safeguard public security and observe relevant State regulations (Art. 27). Safeguarding public security is the only legally recognized purpose for such activities and individuals must be notified of the information collection process. Information gathered in this way cannot be published or disclosed, except where individuals’ specific consent is obtained, or laws and regulations provide otherwise.

The provisions mirror a growing public awareness in China of the need to regulate the private use of facial recognition technology in public areas more strictly. For instance, in a famous case that received widespread attention both within and outside of China, a lawyer successfully sued a zoo for using the technology in order to monitor and admit guests. Although the plaintiff won on a theory of breach of contract, he was unable to change the zoo’s policy but plans to appeal the case to the highest court.  

In addition, several cities have passed regulations limiting or banning the use of these technologies including Tianjin, Nanjing, and Xuzhou. 

6. Rights for Individuals Over Their PI (Access, Erasure; Specific Right to Explanation, Portability)

Under the law, individuals should receive explicit notice “before handling” occurs and be provided with relevant information including the identity and contact method of the personal information handler, any subsequent third party handlers, the purpose and methods of PI handling, the categories of handled PI, the retention period, and procedures for individuals to exercise their individual rights under the law (Art. 17).  Notably, Art. 18 specifies that handlers do not need to notify individuals if a state secrecy law is in place or under “emergency” circumstances, which could include threats to public security, health or safety. 

The law stipulates that personal information handlers establish mechanisms to accept and process applications from individuals to exercise their rights (Art. 50). If the information handlers reject the request, they must explain the reason for doing so. The law recognizes the following rights:

• Right to know, decide, refuse, and limit the handling of their personal information by others, unless laws or regulations stipulate otherwise (Art. 44).
• Right to access and copy their personal information in a timely manner, except when the laws and regulations require confidentiality (Art. 45).
• Right to correct or complete inaccurate personal information in a timely manner (Art. 46).
• Right to deletion of (i) the agreed retention period has expired, or the handling purpose has been achieved; (ii) personal information handlers cease the provision of services; (iii) the individual rescinds consent; (iv) the information is handled in violation of laws, regulations or agreements (Art. 47).
• Right to request handlers explain their handling rules (Art. 48).
• Right to data portability to a designated handler (Art. 45, para. 3). Specific conditions for porting data will be determined by state cybersecurity and information departments. 

These rights extend beyond an individual’s death and can be exercised by close relatives of the decedent, unless otherwise arranged by the decedent during their lifetime (Art. 49).

7. Obligations of Data Handlers related to Accountability: “DPIAs”, “DPOs”, Data Breach Notification, Training Obligations; Large Scale Distinctions 

Chapter V provides for a number of obligations of PI handlers. Art. 52 stipulates that handlers that handle information reaching quantities outlined by the competent authorities must appoint persons responsible for PI protection and publish the name and contact details of such persons. When the handler discovers a personal information leak, they must immediately adopt remedial measures and notify competent authorities (Art. 57). Where adopted measures can effectively avoid data breach harms, information handlers do not have to notify individuals. 

Handlers must conduct a personal information protection influence assessment to determine whether the handling purposes and methods are lawful, the influence such processing has on individuals, and whether the adopted security measures are adequate to ensure compliance (Art. 55). The assessment should take into account the handling of sensitive personal information, automated decision making, subsequent processing done by third parties, cross-border transfers, and other processing activities that have a significant impact on personal rights and interests. 

Data handlers must also adopt corresponding technical security measures such as encryption, de-identification, etc.; determine operational limits for information handling, regularly conducting security education and training for employees, and regularly conducting compliance audits with specialized entities (Art. 54).  Additionally, they must formulate and organize the implementation of incident response plans.

One of the new provisions of the law, introduced just before its adoption, targets large online platforms with specific obligations. Dedicated rules for large or very large online platforms are also the object of draft legislative measures in the EU (in particular the Digital Services Act). These new provisions in the PIPL require data handlers that provide platform services to a “large” number (用户数量巨大) of users and have complex business types (类型复杂) to (i) establish an independent organization to supervise processing activities; (ii) follow the principles of openness, fairness and justice; (iii) immediately cease their service offerings when in serious violation of the law; and (iv) regularly publish reports on social responsibility of PI handling (Art. 58). While the threshold amount under this article remains undefined, the most recent version of the law makes a clear distinction between large-scale Internet platforms and small-scale handlers. 

8. Cross-Border Transfers and Data Localization

Transfers of PI outside the borders of China are regulated in Chapter III, with the stated objective of ensuring that the transfer of data outside of China must be protected to the same extent as under Chinese law. This chapter is emblematic of the diversity of the objectives pursued by the text as described earlier. In these provisions, the legislator seeks both to promote responsible data transfers that respect the rights and interests of Chinese citizens, on the model of other provisions relating to transfers in “traditional” data protection laws, and to defend China’s strategic interests. 

All transfers must pass a necessity test (they must be “necessary for business or other needs”, undefined). In addition, handlers must provide specific further notice to individuals, regardless of what mechanism for transfers is used (see below), and following this notice handlers have to obtain the individual’s specific consent (Art. 39). 

Transfers must further meet at least one of the following conditions (Art. 38): 

• Undergoing a security assessment organized by the state cybersecurity and informatization departments in accordance with Art. 40, which states that operators of Critical Information Infrastructure (CII) and entities that transfer a large volume of PI must locally store personal information collected in China and undergo a further security assessment to transfer if necessary. This provision resembles article 37 of the Cybersecurity Law which similarly imposes restrictions of CII operators.
• Obtaining certification conducted by a specialized body according to provisions by the cybersecurity and information departments. This provision in Art. 38(2) mirrors the equivalent provision on “approved certification mechanisms” in EU GDPR (Art. 46(2)(f)). Other similar mechanisms exist in both the Cybersecurity Review Measures and the Multi-Layer Protection System (MLPS) certification scheme under the Cybersecurity Law.
• Concluding a contract with a foreign receiving party, specifying both parties’ rights and obligations, and supervising their activities to ensure they comply with standards provided in the law. The relevant state cybersecurity and information departments will provide standard contractual clauses (SCCs) to handlers for reference when entering into cross-border transfer agreements (Art. 38). 
• Complying with other conditions provided in laws or administrative regulations or by the State cybersecurity and informatization department (catch-all provision).

Each of these provisions deliberately opens up space for international negotiations on the interoperability of China’s PI overseas transfer framework, in the spirit of international cooperation that Art. 12 is intended to irrigate in the text: “the State Promotes mutual recognition of PI protection rules [or norms], standards etc. with other countries, regions and international organizations.” 

This emphasis on mutual recognition appears to leave room for China to pursue its own bilateral and multilateral data transfer facilitation mechanism with other trading partners, such as those along the Belt and Road Initiative (BRI).  Mutual recognition may take the form of recognition of SCCs, certification mechanisms from other jurisdictions, or other international agreements with relevant digital trade or protection provisions. 

Interestingly, there is no adequacy regime mentioned in the cross-border data transfers chapter. This choice was no doubt carefully considered by the drafters of the text and can be traced to the work of influential Chinese academics who have presented the regulatory models of data transfers of the EU on the one hand, and the US on the other hand, as “exclusionary blocks” of transborder data flows that would be based on geography (“adequate” jurisdictions for one, and APEC economies participating in the CBPR system for the other). 

The counterpart of these provisions that can anchor cooperation with other international actors is a series of provisions aimed at defending the strategic interests of China.

Notably, if it is necessary to transfer PI outside of China for international judicial assistance or administrative law enforcement, information handlers must file an application with the relevant competent authority for approval (Art. 41). The law stipulates that international treaties or agreements that China has become a party to may govern cross-border transfers and supersede the provisions of the law. It is not clear if this provision only concerns international judicial assistance, or also includes general cross-border data transfers. 

The PIPL provides that where a country or region adopts discriminatory prohibitions, limitations or other similar measures against China in the area of data protection, China “may adopt retaliatory measures against said country or region” (Art. 43). This provision mirrors other retaliatory measures in the Data Security and Export Control Law. 

Regardless, parties should take extra measures to comply with the law as foreign organizations or individuals that process PI that infringe Chinese citizens’ rights and interests or endanger China’s national security or public interest may be placed on a publicly available entity list that restricts other handlers from transferring personal information to them (Art. 42).

9. Implementation and Enforcement 

The law does not create an independent authority dedicated to data protection enforcement. The Cyberspace Administration of China (CAC) is the primary body responsible for data protection enforcement, but there are several other regulators that may also administer the law. 

In addition, similar to the PI Specification, the Chinese government may delegate further responsibility to a Technical Committee (e.g., TC260) to develop standards to clarify the meaning of the law and provide more guidance on enforcement.  

The PIPL stipulates penalties for violations and non-compliance, including the suspension or termination of application programs unlawfully handling data. Non-compliance not only involves unlawfully processing personal information but also includes failing to adopt proper necessary security protection measures in accordance with further regulations.

The law makes a distinction between two types of violations. In the first instance, the departments fulfilling data protection duties will order a correction, confiscate unlawful income, and issue a warning.

• If the data handler refuses to correct the violation, it will receive a fine of not more than 1 million RMB ($150,000).
• Persons who are directly responsible and in charge may also receive a fine between 10,000 and 100,000 RMB ($1500–$15,000) (Art. 66).
• In serious violations, the fine may be increased up to 50 million RMB ($7,500,000) or 5% of annual revenue for the prior fiscal year (Art. 66). The law does not specify whether annual revenue will be calculated on the basis of global turnover.

Acts deemed illegal under PIPL will be recorded and made public in the social credit system (Art. 67).

In addition, the PIPL stipulates that engaging in personal information handling activities that harm national security or the public interest also constitute violations (Art. 10) but no specific penalty is provided for such harms. Violations of the law will be publicly recorded and could lead to removal from serving as a director, supervisor, or senior manager of the relevant enterprise for a period of time. 

Importantly, the PIPL provides a mechanism for individuals to receive compensation from data handlers through judicial redress for the loss (damage) they suffered or the benefit the handler obtains “if the processing of personal information infringes upon the rights and interests of the individuals” (Art. 69). If it is difficult to determine actual damages or the benefits unlawfully obtained, a People’s Court may take into account the relevant circumstances and render an appropriate award. The second version of the draft PIPL has reversed the burden of proof for the parties in a tort legal action against PI infringement, so that data handlers that cannot prove they are not at fault for the harm suffered will be liable.  Additionally, when data handlers refuse an individual’s request to exercise data rights, that individual may file a lawsuit in a public court (Art. 50). 

Finally, when a violation of the law infringes on the rights and interests of many individuals, the People’s Procuratorates, and the relevant enforcing agencies and departments may file a lawsuit with a People’s Court.  One such example concerns the Civil Public Interest Litigation mechanism, which effectively operates as civil prosecution of large-scale violators of the law.

Blog Summary: Ethical Concerns and Challenges in Research using Secondary Data

Digital data is a strategic asset for business. It is also an asset for researchers seeking to answer socially beneficial questions using company held data. Research using secondary data introduces new challenges and ethical concerns for research administrators and research ethics committees, like IRBs. 

FPF Senior Researcher, AI & Ethics, Dr. Sara Jordan, analyzes some of these concerns in the post Research Using Secondary Data: New Challenges and Novel Resources for Ethical Governance published on Ampersand: The PRIM&R Blog. 

In the informative analysis, Dr. Jordan examines five key points:

• How can Research Administrators and IRB Members Understand and Manage Risks and Benefits: With the multitude of available secondary research data sources, what can be done to better understand and manage the risks and benefits that are presented with its usage?  
• IRBs, Exemption 4, and Secondary Data Uses: The 2018 Common Rule revision included the expansion of categories that could be deemed as “exempt from review”. With this new revision came the introduction of associated challenges, such as reviewing research data for identifiable information. 
• Determining if Secondary Data is “Publicly Available”: Lack of a distinction in the definition of “public” poses a challenge to research administrators. 
• De-identification, Re-identification, and the Pursuit of Anonymization: Often, research administrators and IRBs will be handed the responsibility of educating researchers on ways to de-identify data and manage the reidentification risks that their uses of data present. 
• Getting Research Teams the Review they Need: Review structures with the resources and remit to review secondary uses of data are limited. FPF will soon launch the Ethical Data Use Committee (EDUC), a multi-expert review committee that offers recommendations to researchers and other organizations seeking to manage risks associated with secondary uses of data. 

Public Responsibility in Medicine and Research (PRIM&R)’s blog Ampersand is a discussion space for thoughtful conversations on research ethics and oversight. Learn more here.

Future of Privacy Forum Launches its Asia-Pacific Office Led by Dr. Clarisse Girot

The Future of Privacy Forum’s Asia-Pacific office launches today in Singapore under the leadership of Dr. Clarisse Girot. As Director of the FPF Asia-Pacific office, she is responsible for developing and implementing FPF’s strategy in the world’s biggest and most populated region.

We have asked Dr. Girot to share her thoughts for FPF’s blog on Asia’s role in the global conversation on data protection law and policy, its key characteristics, as well as the balanced role FPF Asia will hold in the region.

1) What are the key characteristics of data protection law and policy developments in Asia? 

Dr. Girot: The first characteristic of these developments is their intensity, and legal uncertainty as a result: legislative and regulatory activity in data privacy in Asia is happening at an unprecedented pace. The adoption of EU GDPR has been an essential driver behind these developments, but endemic factors also play a role: major data breaches have occurred in most countries, and a series of privacy controversies have confronted citizens, companies, and governments, this region just like elsewhere. At the same time, the massive development of the digital economy, the emergence of unicorns, and local tech champions have sharpened the ambitions of many countries to enhance their status as tech powers, data hubs, etc. 

Major jurisdictions have thus proceeded to a general upgrade of pre-existing laws, including some of the oldest data protection frameworks in the world (New Zealand, South Korea, or Japan, for instance), but also more recent, say “second generation” laws like Singapore’s PDPA. China’s National People’s Congress is expected to adopt the Personal Information Protection Law (PIPL) before the end of the year, while the process of adopting the Data Protection Bill of India could be concluded, after several years of waiting. These texts will be groundbreaking, if only because China and India are the two most populous countries in the world.

The second characteristic, amplified by the first, is the fragmentation of legal systems, with variations that make any regional compliance effort particularly difficult. These variations also create gaps in protection that are prejudicial to individuals, as well as gaps in the capacities of regulators to cooperate. 

The third is that APAC jurisdictions have very diverse cultural norms and economic priorities. Some laws are more explicitly grounded in human rights considerations, some are focused on “digital sovereignty” and national security, and many others are more broadly concerned with advancing consumer protection and building confidence in the digital economy. In practice, recently the three objectives appeared to be more and more often mixed. The Covid-19 crisis has added an additional layer of uncertainty in this region which is at the same time extraordinarily dynamic, contrasted, and therefore very complex to apprehend.

2) How do you see Asia’s role in the global debate on data protection law and policy? 

Dr. Girot: It is always difficult to generalize when speaking of “Asian developments” as we speak of European or US developments, because of the great contrasts which exist from one country to another, moreover in the largest region of the world. It is certain, on the other hand, that Asia in general, and certain countries in particular, will take an increasingly important place in the global privacy debate.

This evolution will happen because of a simple numerical factor. But also because the scope of privacy discussions has, for historical reasons, been defined essentially in “the West”, and many countries in the region now want to contextualize privacy developments and adapt pre-existing models to make them their own. The majority of jurisdictions in the region will find it difficult to subscribe to an approach focused on privacy as a fundamental human right, but an approach exclusively focused on trade and consumer protection will not suit them either. Cultural differences, but even more important differences in economic development will necessarily lead the countries of the region to weigh in on global developments.

3) How can FPF Asia help key stakeholders in the region with finding a balance between the utility of tech and data, on one hand, and the need to protect rights and interests of communities and individuals, on the other hand?

Dr. Girot: The creation of FPF Asia is incredibly timely. In a region crossed by different currents, and in a high voltage world, it can take the discrete but indispensable role of a transformer and “universal adapter.” The needs and expectations are immense, for there is today in the region no platform for cooperation that is at the same time informal, neutral, and endowed with both the expert background and the capacities necessary to build an inclusive regional dialogue on privacy and data protection.

My 4-year experience in a comparable position at the Asian Business Law Institute (ABLI) has taught me that cooperation can take many different forms, depending on the current priorities of regulators and countries. They may be information sessions and informal exchanges with regulators, convening different stakeholders to discuss cutting edge data protection issues, providing expertise in emerging technology in a way that is useful for policymakers, facilitating peer-to-peer exchanges for businesses active in the region, providing independent analyses and reports on key policy topics… Asia’s skies are the limit! 

If you have any questions about engaging with The Future of Privacy Forum on Global Privacy and Digital Policymaking contact Dr. Gabriela Zanfir-Fortuna, Director for Global Privacy, at [email protected].

Stay updated: Sign up for FPF Asia-Pacific email alerts.

FPF Launches Asia-Pacific Region Office, Global Data Protection Expert Clarisse Girot Leads Team

The Future of Privacy Forum (FPF) has appointed Clarisse Girot, PhD, LLM, an expert on Asian and European privacy legislation, to lead its new FPF Asia-Pacific office based in Singapore as Director. This new office expands FPF’s international reach in Asia and complements FPF’s offices in the U.S., Europe, and Israel, as well as partnerships around the globe.
 
Dr. Clarisse Girot is a privacy professional with over twenty years of experience in the privacy and data protection fields. Since 2017, Clarisse has been leading the Asian Business Law Institute’s (ABLI) Data Privacy Project, focusing on the regulations on cross-border data transfers in 14 Asian jurisdictions. Prior to her time at ABLI, Clarisse served as the Counsellor to the President of the French Data Protection Authority (CNIL) and Chair of the Article 29 Working Party. She previously served as head of CNIL’s Department of European and International Affairs, where she sat on the Article 29 Working Party, the group of EU Data Protection Authorities, and was involved in major international cases in data protection and privacy.
 
“Clarisse is joining FPF at an important time for data protection in the Asia-Pacific region. The two most populous countries in the world, India, and China, are introducing general privacy laws, and established data protection jurisdictions, like Singapore, Japan, South Korea, and New Zealand, have recently updated their laws,” said FPF CEO Jules Polonetsky. “Her extensive knowledge of privacy law will provide vital insights for those interested in compliance with regional privacy frameworks and their evolution over time.”
 
FPF Asia-Pacific will focus on several priorities by the end of the year including hosting an event at this year’s Singapore Data Protection Week. The office will provide expertise in digital data flows and discuss emerging data protection issues in a way that is useful for regulators, policymakers, and legal professionals. Rajah & Tann Singapore LLP is supporting the work of the FPF Asia-Pacific office.
 
“The FPF global team will greatly benefit from the addition of Clarisse. She will advise FPF staff, advisory board members, and the public on the most significant privacy developments in the Asia-Pacific region, including data protection bills and cross-border data flows,” said Gabriela Zanfir-Fortuna, Director for Global Privacy at FPF. “Her past experience in both Asia and Europe gives her a unique ability to confront the most complex issues dealing with cross-border data protection.”
 
As over 140 countries have now enacted a privacy or data protection law, FPF continues to expand its international presence to help data protection experts grapple with the challenges of ensuring responsible uses of data. Following the appointment of Malavika Raghavan as Senior Fellow for India in 2020, the launch of the FPF Asia-Pacific office further expands FPF’s international reach.
 
Dr. Gabriela Zanfir-Fortuna leads FPF’s international efforts and works on global privacy developments and European data protection law and policy. The FPF Europe office is led by Dr. Rob van Eijk, who prior to joining FPF worked at the Dutch Data Protection Authority as Senior Supervision Officer and Technologist for nearly ten years. FPF has created thriving partnerships with leading privacy research organizations in the European Union, such as Dublin City University and the Brussels Privacy Hub of the Vrije Universiteit Brussel (VUB). FPF continues to serve as a leading voice in Europe on issues of international data flows, the ethics of AI, and emerging privacy issues. FPF Europe recently published a report comparing the regulatory strategy for 2021-2022 of 15 Data Protection Authorities to provide insights into the future of enforcement and regulatory action in the EU.
 
Outside of Europe, FPF has launched a variety of projects to advance tech policy leadership and scholarship in regions around the world, including Israel and Latin America. The work of the Israel Tech Policy Institute (ITPI), led by Managing Director Limor Shmerling Magazanik, includes publishing a report on AI Ethics in Government Services and organizing an OECD workshop with the Israeli Ministry of Health on access to health data for research.
 
In Latin America, FPF has partnered with the leading research association Data Privacy Brasil, provided in-depth analysis on Brazil’s LGPD privacy legislation and various data privacy cases decided in the Brazilian Supreme Court. FPF recently organized a panel during the CPDP LatAm Conference which explored the state of Latin American data protection laws alongside experts from Uber, the University of Brasilia, and the Interamerican Institute of Human Rights.
 

Read Dr. Girot’s Q&A on the FPF blog. Stay updated: Sign up for FPF Asia-Pacific email alerts.
 

FPF and Leading Health & Equity Organizations Issue Principles for Privacy & Equity in Digital Contact Tracing Technologies

With support from the Robert Wood Johnson Foundation, FPF engaged leaders within the privacy and equity communities to develop actionable guiding principles and a framework to help bolster the responsible implementation of digital contact tracing technologies (DCTT). Today, seven privacy, civil rights, and health equity organizations signed on to these guiding principles for organizations implementing DCTT.

“We learned early in our Privacy and Pandemics initiative that unresolved ethical, legal, social, and equity issues may challenge the responsible implementation of digital contact tracing technologies,” said Jules Polonetsky, CEO of the Future of Privacy Forum. “So we engaged leaders within the civil rights, health equity, and privacy communities to create a set of actionable principles to help guide organizations implementing digital contact tracing that respects individual rights.”

Contact tracing has long been used to monitor the spread of various infectious diseases. In light of COVID-19, governments and companies began deploying digital exposure notification using Bluetooth and geolocation data on mobile devices to boost contact tracing efforts and quickly identify individuals who may have been exposed to the virus. However, as DCTT begins to play an important role in public health, it is important to take necessary steps to ensure equity in access to DCTT and understand the societal risks and tradeoffs that might accompany its implementation today and in the future. Governance efforts that seek to better understand these risks will be better able to bolster public trust in DCTT technologies. 

“LGBT Tech is proud to have participated in the development of the Principles and Framework alongside FPF and other organizations. We are heartened to see that the focus of these principles is on historically underserved and under-resourced communities everywhere, like the LGBTQ+ community. We believe the Principles and Framework will help ensure that the needs and vulnerabilities of these populations are at the forefront during today’s pandemic and future pandemics.”

Carlos Gutierrez, Deputy Director, and General Counsel, LGBT Tech

“If we establish practices that protect individual privacy and equity, digital contact tracing technologies could play a pivotal role in tracking infectious diseases,” said Dr. Rachele Hendricks-Sturrup, Research Director at the Duke-Margolis Center for Health Policy. “These principles allow organizations implementing digital contact tracing to take ethical and responsible approaches to how their technology collects, tracks, and shares personal information.”

FPF, together with Dialogue on Diversity, the National Alliance Against Disparities in Patient Health (NADPH), BrightHive, and LGBT Tech, developed the principles, which advise organizations implementing DCTT to commit to the following actions:

Additional supporters of these principles include the Center for Democracy and Technology and Human Rights First.

To learn more and sign on to the DCTT Principles visit fpf.org/DCTT.

Support for this program was provided by the Robert Wood Johnson Foundation. The views expressed here do not necessarily reflect the views of the Foundation.

The Spectrum of AI: Companion to the FPF AI Infographic

In December of 2020, FPF published the Spectrum of Artificial Intelligence – An Infographic Tool, designed to visually display the variety and complexity of Artificial Intelligence (AI) systems, the fields this science is based on, and a small sample of the use cases these technologies support for consumers. Today, we are releasing the white paper: The Spectrum of Artificial Intelligence – Companion to the FPF AI Infographic to expand on the information included in this educational resource, and describe in more detail how the graphic can be used as an aide in education or in developing legislation or other regulatory guidance around AI-based systems. We identify additional, specific use cases for various AI technologies and explain how the differing algorithmic architecture and data demands present varying risks and benefits. We discuss the spectrum of algorithmic technology and demonstrate how design factors, data use, and model training processes should be considered for specific regulatory approaches.

Artificial intelligence is a term with a long history. Meant to denote those systems which accomplish tasks otherwise understood to require human intelligence, AI is directly connected to the development of computer science but is based on a myriad of academic fields and disciplines, including philosophy, social science, physics, mathematics, logic, statistics, and ethics. AI, as it is designed and used today, is made possible by the recent advent of unprecedentedly large datasets, increased computational power, advances in data science, machine learning, and statistical modeling. AI models include programming and system design based on a number of sub-categories, such as robotics, expert systems, scheduling and planning systems, natural language processing, neural networks, computer sensing, and machine learning. In many cases of consumer facing AI, multiple forms of AI are used together to accomplish the overall performance goal specified for the system. In addition to considerations of algorithmic design, data flows, and programming languages, AI systems are most robust for use in equitable and stable consumer uses when human designers also consider limitations of machine hardware, cybersecurity, and user-interface design.

This paper outlines the spectrum of AI technology, from rules-based and symbolic AI to advanced, developing forms of neural networks, and seeks to put them in the context of other sciences and disciplines, as well as emphasize the importance of security, user interface, and other design factors. Additionally, we seek to make this understandable through providing specific use cases for the various types of AI and by showing how the different architecture and data demands present specific risks and benefits.

Across the spectrum, AI is a combination of various types of reasoning. Rules-based or Symbolic AI is the form of algorithmic design wherein humans draft a complete program of logical rules for a computer to follow. Newer AI advances, particularly in machine learning systems based on neural networks, are able to power computers that carry out the programmer’s initial design but then adapt based on what the system can glean from patterns in the data. These systems can score the accuracy of their results and then connect those outcomes back into the code in order to improve the success of succeeding iterations of the program.

AI systems operate across a broad spectrum of scale. Processes using these technologies can be designed to seek solutions to macro level problems like environmental challenges: undetected earthquakes, pollution control, and other natural disaster responses. They are also incorporated into personal level systems for greater access to commercial, educational, economic, and professional opportunities. If regulation is to be effective, it should focus on both technical details and the underlying values and rights that must be protected from adverse uses of AI, to ensure that AI is ultimately used to promote human dignity and welfare.

A .pdf version of the printed paper is available here.