On February 24, 2023, the Cyberspace Administration of China (CAC) released the much-awaited Measures for the Standard Contract for Outbound Transfer of Personal Information (China SCC Measures) together with the issuance of finalized version of the standard contract for outbound transfer of personal information (China SCC), which will officially come into effect on June 1, 2023. For outbound transfers of personal information which have already been carried out before that date, the China SCC Measures require that the rectification shall be completed within six months from its effective date, i.e, before December 1, 2023.
As one of the three “legitimate grounds” for outbound personal information transfer of personal information under the Personal Information Protection Law of China (PIPL), the China SCC shares quite a number of similarities with the EU Standard Contractual Clauses (EU SCCs) under the GDPR, such as the protection of the data subject’s third-party beneficiary rights, the establishment of a “long-arm” jurisdiction for the exporting country through the execution of SCC-based contractual and other mandatory security requirements for the exported personal information. However, the China SCC Measures still vary significantly from the concept of SCCs under the GDPR. Rather than the four-module approach (controller – controller, controller – processor, processor – processor and processor – controller) under the EU SCCs, the China SCC adopts a one-size-fits-all approach towards exporting personal information by the personal information processor (PIP, a concept similar to the “data controller” under the GDPR) to the overseas recipient. There is no differentiation according to the role of the overseas recipient as a controller, processor or sub-processor. This article offers some key highlights of the newly released China SCC Measures.
Continue reading “China SCC Measures Officially Release a Path for Outbound Personal Information Transfer”
In a recent judgment, the Court of Justice of the European Union (the CJEU) has confirmed that Data Protection Officers (DPOs) can maintain other tasks and duties within their role, provided they do not result in a conflict of interest. The CJEU also held that the GDPR allows for EU member states to legislate to give greater protection to DPOs against dismissal than those set out in the GDPR.
Background to Ruling
In October 2020, the Federal Labour Court of Germany, Bundesarbeitsgericht, requested a preliminary ruling from the CJEU relating to proceedings between X-FAB Dresden GmbH & Co. KG (X-FAB) and its former DPO (“FC”) to clarify under what circumstances an organisation may be allowed to lawfully dismiss its appointed DPO. FC had been DPO for X-FAB and several related companies within its group and had held the role of chair of the works council and vice-chair of the central works council for a few group companies, alongside the DPO position for those companies. FC had been dismissed by X-FAB in December 2017 at the request of the state officer for data protection and freedom of information of Thüringen, Germany. Subsequently, on the coming into force of the GDPR in May 2018, X-FAB had repeated this dismissal as a precautionary measure. FC sought a declaration by the German courts that he retain the DPO position. X-Fab argued FC’s dismissal was justified, stating “a risk of a conflict of interests” in performing both functions, i.e., as both DPO and chair/vice-chair of the works council, on the grounds of incompatibility between the roles. The courts at both first instance and appeal upheld FC’s claim.
Continue reading “CJEU Rules on Dismissal of DPOs and Conflict of Interest”
Meta Ireland (Meta) has recently been issued with two fines by the Irish Data Protection Commission (DPC) for breaches of the EU General Data Protection Regulation (GDPR) relating to advertisements run on its Facebook and Instagram services. The decisions highlight some fundamental issues for all data controllers in respect of identifying the appropriate legal basis for their data processing operations and the need to be transparent about how personal data is used. The decisions also reveal some core differences in approach between the DPC, the Irish national privacy regulator in this case, and the European Data Protection Board (EDPB). It signals the likelihood of ongoing wrangling between the various European data regulators as they seek to interpret the decisions and as they are (inevitably) challenged through the courts.
The penalty imposed against Meta Ireland
The substantial fines of €210m (approximately $223m) with respect to Facebook and €180m (approximately $191m) with respect to Instagram reflect the consolidated turnover of the Meta group and the level of fines which, in the EDPB’s view, are required to be effective, proportionate and dissuasive in accordance with Article 83(1) of the GDPR. Meta now has 3 months to take corrective action and amend its privacy policies (including identifying an appropriate legal basis for processing) and its operations to bring its data processing in line with the GDPR.
Continue reading “Meta Fines Expose EU Regulators’ Differences and Highlight Fundamental Issues for Data Controllers”
In October 2022, the U.K. Medicines and Health products Regulatory Agency (MHRA) published its Guidance, Software and AI as a Medical Device Change Programme – Roadmap, setting out how it will regulate software and AI medical devices in the U.K. by balancing patient protection and providing certainty to industry.
Background to the Reforms
The MHRA initially announced the Software as a Medical Device (SaMD) and Artificial Intelligence as a Medical Device (AIaMD) Change Programme in September 2021, designed to ensure that regulatory requirements for software and AI are clear and patients are kept safe. This builds on the broader reform of the medical device regulatory framework detailed in the Government response to consultation on the future regulation of medical devices in the United Kingdom, which recently saw its timetable for implementation extended by 12 months to July 2024.
Continue reading “Update: AI Regulation in the U.K. — New Government Approach”
On July 18, 2022, the U.K. Government published a paper on its proposals for AI regulation “Establishing a pro-innovation approach to regulating AI” (the AI Paper). This was published alongside the Government’s AI Action Plan, the first update provided since the Government published its National AI Strategy in September 2021.
The AI Paper provides for an alternative approach to AI regulation in the U.K. when compared with the recently proposed draft legislation for AI regulation in the EU (the EU AI Act). The U.K. Government favours a more decentralised and less regimented approach: guidance, rather than legislation; sector-based, rather than cross-sector application; regulated at sector level, rather than centrally; and with a looser definition of what constitutes AI for the purposes of regulatory application. This is intended to make the U.K. an attractive environment for AI innovation, with more flexible and pragmatic regulation, although AI businesses operating in multiple sectors will potentially need to review and comply with more than one set of principles and address conflicts between them.
Continue reading “AI Regulation in the U.K. — New Government Approach”
The UK government has recently published proposals to amend UK data protection legislation with moves towards divergence from EU rules and regulation following the UK’s decision to leave the EU (“Brexit”). The Data Protection and Digital Information Bill (“DPDI Bill”) proposes to make significant changes to existing UK data protection legislation, including the UK General Data protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA”). The proposals include some measures that will result in a significant divergence, particularly for companies operating on a pan-European basis. While some compliance obligations will be relaxed, most of the changes can best be described as “similar but different” in approach. It remains to be seen what the final text will look like when the bill is passed into law, with some of the more radical proposals already having been dropped from consideration. A crucial point of consideration for UK legislators when the DPDI Bill is making its way through the various stages of the legislative process in the Houses of Parliament will be whether this legislation remains sufficiently similar to the EU’s General Data Protection Regulation (“EU GDPR”) that the UK is able to retain its adequacy status for the purposes of exports of personal data from the EU to the UK by companies operating internationally.
Continue reading “UK’s Data Protection Reform Proposals Show Distinct Divergence from EU Rules”