In recent months, the global privacy landscape has begun to shift. Several countries have started to draft and implement sweeping national privacy legislation, among them China and the United Arab Emirates (UAE). Both laws are broadly modeled after the European Union’s General Data Protection Regulation (GDPR), with a few key differences that greatly affect compliance efforts. China’s new law, the Personal Information Protection Law (PIPL), imposes requirements onerous enough that some large technology companies have chosen to exit the market, while the UAE’s law, the Personal Data Protection Law (PDPL), has largely been welcomed by the international market. So what does this mean for businesses or advertisers operating within either of these jurisdictions? Why is the United States so far behind when it comes to regulation? And what implications may this have for both business and the perception of privacy in the United States?
First and foremost, a company is subject to PIPL if it provides any kind of product or service to individuals in China or analyzes their behavior, even if it has no business presence within China itself. PIPL’s definition of personal information covers any information related to an identified or identifiable natural person, excluding anonymized data. PIPL drew a significant amount of language directly from the GDPR, so companies that have already built a GDPR compliance framework have a solid foundation to build on. For instance, both laws require user consent for data processing and set rules on data sovereignty, including domestic and cross-border transfers. Both also grant data subjects rights of access, correction, deletion, and withdrawal of consent. In places the translated language is nearly identical. Similarly, PIPL outlines standard clauses that should appear in service contracts or agreements between companies that process data. Both laws require companies to meet baseline obligations such as having a clear and reasonable purpose for data processing and implementing data protection procedures.
PIPL does, however, go further than GDPR in several respects. First, controlling data throughout its entire life cycle is now an absolute requirement. Data must be classified dynamically into categories, with separate consent and stricter handling requirements for data classified as sensitive. Chinese data localization requirements also apply, most heavily to critical information infrastructure operators and to processors handling large volumes of personal information. PIPL requires processors located outside China to appoint a representative within the country to handle compliance. Companies are also required to perform their own risk and impact assessments regularly. Cross-border transfers carry significant authorization requirements: an organization that transfers personal information abroad must use one of the law’s approved mechanisms, such as a security assessment conducted by state authorities or certification from an accredited professional institution, and must obtain separate consent from the individuals concerned. PIPL further restricts handing personal information to foreign judicial or law enforcement bodies without Chinese government approval, which may conflict with foreign law enforcement statutes such as the US CLOUD Act and could heighten tensions.
The UAE’s data protection law, PDPL, is much less demanding. A significant portion of it is very similar to the GDPR, including familiar concepts such as the definitions of personal data, controllers, processors, and processing, as well as the core data protection principles, the requirement for a data protection officer, and data subject rights such as access, correction, and deletion. PDPL’s scope contains exclusions such as government data; health, banking, and credit data subject to sector-specific regulation; and companies located in free zones with their own data protection laws, such as the Dubai International Financial Centre and the Abu Dhabi Global Market. Areas of divergence from GDPR include more detailed record-keeping requirements for processing, no specific privacy notice requirement, less onerous transparency requirements, a narrower set of legal bases with a primary focus on consent, and no legitimate-interest basis for processing.
Notably, the United States is one of the few developed nations in the world without its own federal privacy legislation. Why is this the case? Much of it is due to a culture committed to deregulation and broadly laissez-faire economics, leaving businesses to police themselves rather than be subject to governmental regulation. There are also a few sector-specific laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Act (COPPA), that govern narrower areas of online activity and might need to be amended should federal privacy legislation be enacted, though other developed nations have reconciled such laws with relative ease. Several pieces of privacy legislation have been put forward over the past twenty years, very few of them bipartisan. The CEOs of major technology companies have, especially recently, been required to appear before Congress for questioning, but these hearings have shown that Congress understands very little about how data technology works, and little has resulted from them apart from growing public distrust of major corporations. People feel commodified and dehumanized, and yet the federal government still takes no action. The extremely polarized political climate in the United States is also partly to blame. It has halted progress in many areas of consumer protection law, and all citizens have felt the effects of this impasse. Citizens have lost faith in major companies and in the government. As more countries, as well as individual US states, implement their own privacy laws, businesses will need to remain informed and vigilant regarding their compliance efforts.