
Global Privacy Regulations Are Changing: What Advertisers Need To Know Cross Markets

In recent months, the global privacy landscape has begun to shift. Several countries have started to draft and implement sweeping national privacy legislation. Among these are China and the United Arab Emirates (UAE). Both laws are broadly modeled after the European Union’s General Data Protection Regulation (GDPR), with a few key differences that greatly affect compliance efforts. China’s new law, the Personal Information Protection Law (PIPL), includes numerous challenges that have led massive tech companies to exit the market, while the UAE’s law, the Personal Data Protection Law (PDPL), has largely been welcomed by the international market. So what does this mean for businesses or advertisers operating within either of these jurisdictions? And why is the United States so behind when it comes to regulation? What kinds of implications may this have on both business and the perception of privacy in the United States?

First and foremost, a company will be subject to the requirements of PIPL if it provides any kind of product or service to Chinese residents or analyzes their behavior, even if there is no direct business presence within China itself. PIPL’s definition of personal information includes any information related to an identified or identifiable person, not including anonymized data. China’s PIPL drew a significant amount of language directly from the GDPR, so companies that have already established a framework to comply with GDPR have a good foundation to build on going forward. For instance, both pieces of legislation detail requirements to obtain user consent for data processing and requirements regarding data sovereignty, including future domestic and international transfers. They also both include rights to access, correction, deletion, and withdrawal of consent. In some instances, the language, when translated, is so strikingly similar that it is almost the same. Similarly, PIPL outlines standard clauses which should be present in service contracts or agreements between companies that process data. Both laws require companies to meet certain requirements, such as having a clear and reasonable purpose for data processing, as well as implementing data protection procedures.

The differences between the two have, for some, led to decisions to exit the Chinese market. Remaining uncertainties surrounding the concept of user consent, which was not defined in PIPL in a concrete manner, have likely been one of the main reasons for the market exodus. On the day of the law’s introduction, Yahoo closed its remaining services in China, citing “an increasingly challenging business and legal environment.” LinkedIn mentioned the same following its October withdrawal. So what do smaller businesses need to know?

First, controlling data throughout its entire life cycle is now an absolute requirement. Data must be classified in a dynamic fashion into categories, with special consent and handling requirements for data classified as sensitive. Chinese data localization requirements will also apply. PIPL also requires the appointment of a local representative to handle compliance. There are also significant requirements regarding authorization: companies must pass a security assessment conducted by state authorities. Companies are additionally required to make their own risk and impact assessments regularly. Furthermore, any organization that transfers personal data internationally is required to obtain certification from professional institutions and consent from the Chinese government. Notably, this may create conflict with international criminal laws, such as the US CLOUD Act, thus holding the potential to heighten tension.

Accelerated incident response is an absolute necessity. In the case of an error or breach, processors must notify all business and government stakeholders as well as users about the incident itself, remaining risks, and remedial actions taken within three working days. If the data of over 100,000 users is involved, companies are required to report the breach to regulators within eight hours. This timeline is among the tightest in the world and “…state-of-the-art detection, response and resilience capabilities typically seen only in advanced financial and technology companies” will be required. This, of course, places a significant burden on smaller companies without access to such resources. Finally, international companies that do not fall in line with PIPL or are deemed to harm China’s national security may be placed on a government blacklist.

The UAE’s data protection law, PDPL, is much less contrived. A significant portion of it is very similar to the GDPR, including familiar concepts such as the classifications of personal data, controllers, processors, and the act of processing, as well as core data protection principles, the requirement for a data protection officer, and data subject rights such as access, correction, and deletion. PDPL’s scope contains exclusions such as government data; health, banking, and credit data subject to sector-specific regulation; and companies located in free zones with their own data protection laws, such as the Dubai International Financial Centre and the Abu Dhabi Global Market. Areas of divergence from GDPR include a more detailed record of requirements for processing, a lack of a specific privacy notice requirement, less onerous transparency requirements, more limited legal bases with a primary focus on consent, and a lack of a need for legitimate interest.

Additionally, countries may be pre-approved by the UAE Data Office for international transfers, by holding a data protection agreement with the UAE, or where specific exceptions may apply, including situations wherein data transfer clauses are invoked, consent has been provided, or if the transfer is necessary for fulfilling a contract with a data subject. The PDPL officially came into force on 2 January 2022, with details, including violations and penalties, expected to be published by the Cabinet by the end of March. The law itself was developed in consultation with a number of major tech companies, aiming to be a piece of global legislation “…that will provide international companies with a smooth mechanism for cross-border transfers, as well as have a low cost of compliance for SMEs.” Thus, compliance with the law should be smooth and not particularly burdensome.


Notably, the United States is one of the only developed nations in the world without its own piece of federal privacy legislation. Why is this the case? Much of it is due to a culture committed to deregulation and broadly laissez-faire economics, leaving businesses to monitor themselves rather than be subject to governmental regulation. Also, there are a few laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Act (COPPA), which govern smaller sectors of online activity and which might need to be amended should federal privacy legislation be enacted, though other developed nations have been able to do so with relative ease. Several pieces of privacy legislation have been put forward over the past twenty years, with very few being bipartisan. The CEOs of major technology companies have, especially recently, been required to appear before Congress for questioning, though it is clear Congress understands very little about how data technology works, and little has actually resulted from these inquiries apart from increasing distrust of major corporations among the public. People feel commodified, dehumanized, and yet the federal government still takes no action. The extremely polarized political climate in the United States is also partially to blame. This has halted progress in many areas of consumer protection law development, and all citizens have felt the effects of this impasse. Citizens have lost faith in major companies and in the government. As more and more countries, as well as individual US states, begin implementing their own privacy laws, businesses will need to remain informed and vigilant regarding their compliance efforts.