On February 24, 2023, the Cyberspace Administration of China (CAC) released the much-awaited Measures for the Standard Contract for Outbound Transfer of Personal Information (China SCC Measures) together with the issuance of finalized version of the standard contract for outbound transfer of personal information (China SCC), which will officially come into effect on June 1, 2023. For outbound transfers of personal information which have already been carried out before that date, the China SCC Measures require that the rectification shall be completed within six months from its effective date, i.e, before December 1, 2023.
As one of the three “legitimate grounds” for outbound personal information transfer of personal information under the Personal Information Protection Law of China (PIPL), the China SCC shares quite a number of similarities with the EU Standard Contractual Clauses (EU SCCs) under the GDPR, such as the protection of the data subject’s third-party beneficiary rights, the establishment of a “long-arm” jurisdiction for the exporting country through the execution of SCC-based contractual and other mandatory security requirements for the exported personal information. However, the China SCC Measures still vary significantly from the concept of SCCs under the GDPR. Rather than the four-module approach (controller – controller, controller – processor, processor – processor and processor – controller) under the EU SCCs, the China SCC adopts a one-size-fits-all approach towards exporting personal information by the personal information processor (PIP, a concept similar to the “data controller” under the GDPR) to the overseas recipient. There is no differentiation according to the role of the overseas recipient as a controller, processor or sub-processor. This article offers some key highlights of the newly released China SCC Measures.
Continue reading “China SCC Measures Officially Release a Path for Outbound Personal Information Transfer”
In recent months, a series of U.S. government reports have documented U.S. policymakers’ growing concerns over Chinese government policies and programs designed to advance China’s competitive edge in a range of technologies and industries. In turn, the findings of these reports are shaping U.S. economic and national security laws and policies, as illustrated by the recent Section 301 tariff actions, national security reviews of investment by Chinese firms under the Committee on Foreign Investment in the United States (CFIUS) process, and provisions of the recently-passed John McCain National Defense Authorization Act that restrict exports of “emerging and foundational technologies” and U.S. government use of certain Chinese-made telecommunications equipment. Against this background, a report released on October 26, 2018, is likely to further increase U.S. government scrutiny of China-manufactured devices with internet connectivity features – so-called “Internet of Things” or “IoT” devices.
Continue reading “New Report Signals Further Changes to U.S. Policy toward IoT Technology from China”
Mobile phones are ubiquitous extensions of our personal and professional lives and few think deeply about the tangled webs of software and hardware providers that formulate components to mobile phone fabricators. However, the Federal Trade Commission’s recent settlement with BLU Products represents an important reminder of the importance of appropriate vendor oversight in all phases of the manufacturing and sales process.
Continue reading “Mobile Phone Maker BLU Products Settles with FTC Resolving Allegations of Lax Data Security Practices”
On January 25, 2018, China released the final version of the Personal Information Security Specification, new voluntary standards on the protection of personal information. The standards anticipate and address the “issues faced in personal information security during the rapid development of IT technology; with the protection of personal information as their core” and is meant to “regulate all phases of big data operations and related conduct, such as the collection, storage, processing, use and disclosure of personal information.” The standards will go into effect on May 1, 2018.
The standards will apply to organizations using information systems to process personal information; specific departments that involve network security, third party assessment organizations; and other organizations that deal with the oversight, management, and assessment of personal information security. Generally, they lay out the following 8 basic principles of personal information security.
Continue reading “China Releases New Personal Information Privacy Standards”
An international human rights organization is urging the Chinese government to stop building big data policing technologies that aggregate and analyze citizens’ personal information. Though governments collecting information about its citizens is not new, China has begun pursuing newer and ambitious technologies, such as big data analytics, facial recognition, and cloud computing, to better and more quickly aggregate, mine, and leverage personal information.
Continue reading “Human Rights Watch Denounces China’s Big Data Policing”