ByteDance was forced by the US congress to sell TikTok within six months for data security concerns in March 2024. Didi Chuxing (Didi Global) delisted from New York Stock Exchange in 2022 after it was fined RMB¥8.026 billion (US$1.2 billion) by the Cyberspace Administration of China for violations of data security law (e.g. collection 64.7 billion of personal information), which accounted for around 4.7 percent of Didi 2021 sales. Meanwhile, two senior executives Will Cheng Wei and Jean Liu Qing at Didi were each fined RMB 1 million (US$138,337). In Europe, Meta was fined €1.2 billion (US$1.29 billion), Amazon Europe fined Ꞓ746 million (US$804.56 million) and WhatsApp Ireland Ltd Ꞓ225 million (US$242.66 million) for breaking GDPR. In the US, Google paid $93 million to settle a violation of consumer protection laws for its location-privacy practices in 2023. International firms, particularly those big Tech firms with operations in major markets such as China, EU and the US, are facing an increasingly challenging task in the evolving data security and personal information protection regulatory environment. This article briefly describes the data security/protection in EU, China and US and provides recommendations for compliance.
European Union
Following cases Google v Spain on the ‘right to be forgotten’ and Facebook v Ireland on Safe Harbour, General Data Protection Regulation (GDPR), effective on 24 May 2018, provides legal protection of the fundamental data rights in Europe (EU). GDPR fines a breach up to maximum of 4% of annual worldwide turnover or Ꞓ100 million (US$107.86 million) to protect fundamental data privacy rights (e.g., the right to be informed, the right to access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, rights in relation to automated decision making and profiling). This heavy sanction approach is used by EU to build consumer trust in digital technologies. GDPR and a series of acts (e.g. Digital Markets Act, Digital Services Act, and Data Act) serve as common regulatory frameworks to safeguard values and standards in response to digitisation and digital markets.
China
There are more than 930.8 million active users of social medias in China, such as Wechat and Sina Weibo. According to White Paper on China Financial Technology Ecology (2023) by the China Academy of Information and Communications Technology, the amount of volume of Cross-Border Interbank Payment System (CIPS) is around ¥96.7 trillion (US$13.4 trillion). The size of Chinese digital economy is US$7.1 trillion, accounting for almost 40% GDP in China. So, data security and personal information security is an increasingly important for growth of digital economy.
A series of laws (e.g. Cybersecurity Law, Data Security Law, Personal Information Protection Law) were already enforced in China. For example, the new data security law requires to enhance risk management and data firewall for key data sets, key data facilities with censorship and background check on individuals holding key positions. Oversea/domestic listed firms with more than one million records (threshold) of individual personal information are required to be censored by the Chinese Cyber Space Security Administration Office, due to cross-border data transfer and national security interests. The potential fine under the personal information protection law is up to 5 per cent of annual revenues.
Effective June 1, 2023, firms can register with Cyberspace Administration of China and use standard contracts to transfer data to oversea recipients under those circumstances: 1) no key information infrastructure operator; 2) less than one million of individual information in process; or 3) less than 100,000 accumulated individual sensitive information starting from January 1, 2022; or 4) less than 10,000 accumulated individual sensitive information starting from January 1, 2022. The standard contracts shall be renewed if there is a change of data security law or regulation oversea or there is a change of purpose, scope, sensitivity and data custody by oversea recipients. When considering to use standard contracts of transfer data oversea, firms should get consensus of individuals, assess the oversea regulation and impact of data transfer and ensure the oversea recipients with adequate security measures to protect data security/privacy.
The United States
There was “no single, comprehensive federal law regulating how most companies collect, store, or share customer data” in the US (New York Time, September 6, 2021). The US did not have a singular federal law that covers the privacy of all types of data. Only three states (California, Virginia and Colorado) had comprehensive consumer privacy data protection laws. In the US, there were at least 54 different state-level laws on individual aspects of data privacy. For example, Missouri has its e-book privacy rules; the Illinois Biometric Information Privacy Act (BIPA) governs privacy rights over their biometric data (e.g. fingerprint or face scans). There is a mix of laws that are designed to target only specific types of data in special and often outdated circumstances, including Health Insurance Portability and Accountability Act; Fair Credit Reporting Act; Family Educational Rights and Privacy Act; Gramm-Leach-Bliley Act; Electronic Communications Privacy Act; Children’s Online Privacy Protection Rule; Video Privacy Protection Act. However, American Data Privacy and Protection Act were introduced June 21, 2022, if enacted into law, to change “patchwork” state-level privacy laws.
As a consequence of the evolving landscape of data protection and privacy regulation, senior management of international firms, including banks and big Tech firms, shall address the issue of data security and personal information privacy. We provide several recommendations to enhance compliance. First, firms shall appoint data protection officers (DPO) with expertise in the area of data security and personal information privacy. Moreover, firms with key datasets/infrastructures shall conduct background checks of personnel, who can access to those key datasets/infrastructures. Second, firms shall follow existing international data/information security standards ISO 27001 Security Control Framework, ISO 27002 Information security, cybersecurity and privacy protection — Information security controls and ISO 27701 privacy information management, which adopt a systematic approach to manage sensitive information and protect its integrity by identifying the risks and implementing measures to manage those risks. Third, firms shall work out policies and principles of data security and data governance (e.g. data collection and sharing rights; opt-in consent, data minimization and non-discrimination). With data governance in place, employee trainings are crucially important to get ready for the evolving landscape of data security/protection regulations.