With data protection rules constantly changing and being updated, it’s important to keep a finger on the pulse. Here are the most notable updates and news stories on data protection from around the world.
New Data Laws in China
One of the largest changes to personal data protection in China came into effect on November 1, 2021.
The Personal Information Protection Law (PIPL) covers the use, collection, and storage of sensitive data belonging to Chinese citizens and private businesses, and regulates its transfer to foreign entities. Like the EU’s General Data Protection Regulation (GDPR), the PIPL gives individuals a degree of control over their data, but it covers a wider range of information. Personal data defined under this law includes health data, financial information, location tracking, and biometric identifiers. The law is enforced strictly: multinational corporations intending to use or transfer data outside of the country need to be assessed and certified by both professional institutions and state authorities before being allowed to do so.
This goes hand in hand with another law recently passed in China, the Data Security Law (DSL). The main aim of this new law is to protect the legal rights of Chinese citizens and businesses whilst safeguarding the country’s national security, sovereignty, and developmental interests. It sets data handling and security rules for both individuals and organizations within China, and for those operating outside its territory.
With China tracking most of its citizens' activities as part of its Social Credit system, the country is understandably protective about what precious data is transferred outside of their nation.
European Union
Cookie Notices & Policies
In France, the deadline for bringing mobile sites and applications into compliance with cookie tracking rules expired on March 31, 2021. The Commission Nationale de l’Informatique et des Libertés (CNIL) had published its guidelines beforehand and warned that it would be fully committed to auditing businesses in the days after.
Only a month later, CNIL confirmed that it had issued twenty formal warnings to businesses about cookie policies and notices, stating that web users should be able to refuse cookies just as easily as they accept them.
Although the first round of businesses that received warnings complied with the requests promptly, the following ones weren’t so quick and were fined for their inaction. One was even fined around €50,000 by CNIL for cookie noncompliance.
There were similar situations in other parts of Europe: both Spain’s and Norway’s data protection authorities (DPAs) issued fines for the misuse of tracking technologies. Again, the emphasis was on the businesses’ lack of respect for users’ rights and their choice to accept or refuse cookies. In July, Finland’s Traficom and Italy’s Garante released updated guidelines for cookie compliance, resulting in more clarity for implementing tracking technologies.
An EU non-profit organization - noyb - created its own tool to monitor cookie compliance and banner policies. The organization was founded by Max Schrems, who was at the center of the EU-US Privacy Shield issue last year, and released a statement accusing many businesses of attempting to terrorize users with confusing cookie banners. In May, the non-profit announced it had drafted over 500 complaints to businesses and, by August, followed through and made formal complaints to local DPAs in the EU.
New Standard Contractual Clauses (SCCs)
International data transfers have also been a talking point for the EU (and for third countries trading with it) ever since the landmark Schrems II court verdict.
To recap, the Court of Justice of the European Union ruled that the EU-US Privacy Shield, which set the framework for transferring data between the two regions, was invalid, citing concerns about the US government’s surveillance efforts. This caused massive repercussions for all sides, but after a long period of uncertainty, we’re finally seeing progress on the matter.
In June this year, the European Commission published new standard contractual clauses (SCCs) for data transfers between EU and non-EU countries. In addition, the European Data Protection Board has issued its final recommendations on supplementary measures to support data transfers whilst remaining compliant with EU regulations. These standards have helped businesses get back on track, and the new SCCs replaced all previous ones on September 27, 2021.
Local Enforcement
As it’s an ongoing issue, local European DPAs are continuing to monitor the situation by auditing businesses to ensure compliance, issuing guidance where needed, and taking action against non-compliant transfers. The new SCCs also apply to data transfers through cloud services, which are being carefully monitored as well; the European Data Protection Supervisor has started assessing how European institutions transfer data in the cloud with respect to the new rules.
Whilst the new SCCs apply to all of the EU, supplementary guidelines have been published and specific procedures have been adopted in a handful of countries. Local DPAs have also acted accordingly when breaches have been discovered.
For example, the Comissão Nacional de Proteção de Dados in Portugal halted the transfer of 2021 census data from the National Institute for Statistics to the US. The Commission Nationale de l’Informatique et des Libertés in France has scrutinized the use of an unnamed collaborative software product in local universities, because the personal data of students, professors, researchers, and staff was being transferred to the US by default via the cloud service. Likewise in Germany, Hamburg’s DPA has formally warned the Senate Chancellery against the use of Zoom for a similar reason, citing the lack of protection for such personal data once transferred.
Hopes for the Future
So, whilst each European country is tackling the matter in its own way, the new guidelines are felt more strongly in some countries than others. And with local DPAs handling it on a case-by-case basis, a balance between protecting users’ data and providing practical data transfer solutions for businesses still needs to be found.
Of course, a new framework like the former Privacy Shield would help resolve these issues, and talks are underway between the EU and US for a solution, but progress is slow. US national security laws and its surveillance agencies seem to be at odds with the EU’s data protection requirements, but both sides remain in discussion.
Tracking COVID-19 Health Data & Vaccine Passports
The EU Digital COVID Certificate was officially formalized to help re-open Europe and facilitate safe traveling for the vaccinated population. From the start of July, the certificate was released across the region, with Denmark, Greece, Bulgaria, Croatia, the Czech Republic, Germany, and Poland using it straight away.
Since the certificate holds vital but personal information, the need for data protection is also an essential requirement, especially when workplaces require such information on their staff. Multiple countries have issued their own guidelines on staff going back to the workplace safely and responsibly.
However, this should not mean that staff are negatively affected by employers who request vaccination information and other sensitive data. Italian officials stated that the relationship between staff and their employers should not create an imbalance in the processing of vaccination-related information.
Other countries have expressed similar opinions. Guidance from the Republic of Ireland’s DPA stated that unless a public health authority has made a requirement for such data, collecting vaccination data is unnecessary and without a legal basis.
The United Kingdom
The United Kingdom has also been working out its data transfer relationship with the EU, and on June 28 this year the European Commission adopted two adequacy decisions for the United Kingdom: one under the GDPR and the other under the Law Enforcement Directive. The UK’s data protection regime is based on the rules (such as the GDPR) that applied when it was a member state, and the decisions allow data to flow freely from the European Union to the United Kingdom.
These adequacy decisions will run for a four-year period, after which they will either be renewed or updated to reflect any future crossover between UK and EU laws. Since the UK has already recognized the EU’s laws as more than suitable, data transfers are now being performed in both directions.