Data protection at home and abroad: a comparison of approaches
By Peter Bullock, King & Wood Mallesons

Data protection is not yet as high on the agendas of the boards of Chinese companies as it is for multi-national companies (“MNCs”).  This is hardly surprising, as China has no designated data protection regulator, has only recently started writing significant regulations in this area, and lists only very modest fines for infringements.  Given the disparity of experience between Chinese companies and MNCs, it is worth unpacking what makes data protection such an important issue for many and to test the temperature as to where regulation might go in China in the future.

For MNCs data protection is highly pervasive

The EU-led Data Protection Principles, adhered to by most data-protecting jurisdictions (outside the United States), encapsulate the whole gamut of the life of data from creation to deletion.  Fairness and proportionality are required at every stage of use: collection, transfer, access and deletion.  The principles also cover security and rights of access and correction.  The EU approach is to protect data as a right of the individual.  To date, China’s approach has been to regulate data in order to preserve an orderly market and to enhance the Government’s effort to track the spiralling use of personal data in consumer and other business communications.

In developed markets outside China, data protection regulation can be a blocker for business development.  For example:

in cloud computing, regulators (both of financial services and data protection) are often nervous that data may be passed to multiple overseas jurisdictions where it may (1) be misused and (2) cease to be susceptible to regulation from the first jurisdiction;

similar concerns arise in other types of offshoring of data processing, although these can often be ameliorated if the data user retains direct control over the processing facilities;

in market deregulation, shortcomings in obtaining consents to use personal data can stymie a dominant party’s advantage.  For example, as long ago as the early 1990s, British Gas intended to use their very extensive customer base to sell services (such as metering and billing services) to customers in the electricity sector.  However, they were prevented from using the customer lists for lack of the relevant consents.  Certain UK supermarket businesses, who were far more advanced in obtaining such consents, were able to use their own customer databases more effectively, and steal a march on the gas monopolist (which was otherwise very well placed to serve these customers); and

more generally, although this has been dealt with in some data protection laws over recent years, due diligence exercises surrounding Merger & Acquisition activity can be severely hampered if the disclosing party is constrained from giving access to personal data (such as data relating to employees and/or customers).

Data law can also give rise to significant issues of reputation management, especially for consumer facing businesses.  This screw has been tightened by regulators, especially those in Europe, who are meting out increasingly large fines for breaches of data protection regulations.

China's approach to Data Protection

Meanwhile, China’s approach is currently fragmented and sectoral.  The first recognisable data protection regulations were contained in the Tort Liability Law (with effect from 2010).  Article 2 affirmed that the right to privacy is categorised amongst “civil rights and interests”.  This was the first time privacy was treated as a “right” rather than an “obligation”.

The Law imposes tort liability for a “network user or network service provider who infringes upon the civil right or interest of another person”.

In 2012 the NPC Standing Committee handed down its “Decision on Internet Information Protection”.  This remains the highest level Chinese law on data protection.  It is addressed to “internet service providers and other enterprises that collect or use citizens’ personal electronic information in the course of their business”.  Given the rise of online services, although this is a law of sectoral rather than universal application, it covers an increasingly large slice of consumer business, in China as in all other highly connected markets.

Another element of the 2012 Decision is the requirement that consumers of online services provide only “real identity information”.  This is important for Beijing’s exercise of control over internet activity.  However, it is a point of stark comparison with other jurisdictions, even within the EU bloc.  Germany is a staunch defender of the right to online anonymity, and this is entrenched within its data privacy laws.  However, Ireland, another EU member state, supposedly interpreting the same Directives concerning data privacy, like China does not permit users of internet services to use pseudonyms.  This has led to hard-fought legal proceedings between a German data protection regulator and Facebook (trading under the laws of Ireland for these purposes).  Of course, Facebook wishes to know the true identities of those using its services, as such personal data has significant commercial value to it.

MIIT's regulatory material

In 2011 the MIIT issued “Several Regulations on Standardising Market Order for Internet Information Services”.  This applies to all internet information service providers (“IISPs”).  It, in fact, meets many of the OECD guidelines for data protection regulation.  Furthermore, it includes some recent privacy principles absent from the regulations of some more mature data protecting jurisdictions (such as requirements surrounding minimal collection of personal data, and data breach notification).

In 2013, MIIT issued “Guidelines for Personal Information Protection within Public and Commercial Services Information Systems”.  These are stated to be voluntary in nature and accordingly have received little traction in legal circles.  They have a broad scope, covering the “processing of personal information through information systems”.  They provide detailed rules on data export, on sensitive data (although what is deemed sensitive is much wider in ambit than the European norms), on data subject access and on the right to rectification of inaccurate data.

In a productive period, also in 2013, MIIT issued a further law, titled “User Data Protection Regulations”.  These were broader than the 2011 Regulations, being addressed to ISPs and “telecommunications business operators”.  They for the first time included a comprehensive definition of “personal data” (with its roots in EU laws, some have observed).  These 2013 Regulations provide a more or less complete data protection regime for the internet and telecoms sector in China.

It is these 2013 Regulations that contain the reference to the modest fines for transgressors (up to RMB30,000).  They also include provisions allowing for transgressors to be “named and shamed” through public notification, acknowledging the opprobrium attached (by the larger consumer brands at least) to misuse of personal data, and ensuing reputational damage.

Data Protection practice gaining traction in China

Despite the fact that there is no overarching data protection regulator, which has led to the regulations being less coordinated than might otherwise be the case, data protection practice is alive and well in China.  For example:

The banking regulator has for a number of years banned the export from China of customer data.  However, PRC banks often wish to outsource their data processing.  This has led a number of banks to seek waivers from their regulators to allow cross border transfers, presumably upon strict undertakings concerning the treatment of data offshore;

There is a significant push for the development of cloud services.  The main domestic hub is the Chongqing Data Centre Hub.  This is being used as a stepping stone to develop both an internal and an international market for cloud services.  This will produce challenges for data protection regulation in China;

Similarly, the ecommerce sector is rapidly expanding, with Alibaba’s Jack Ma predicting that there may be decades of growth left in this sector.  It may well be that the major China players in ecommerce will seek to distance themselves from challenger brands through maintaining high standards of data protection compliance.

There are local variances in data protection regulation which add to the complexity of compliance in China.  For example:

There is dedicated data protection-relevant legislation in Jiangsu; and

There are additional consumer protections active in Shanghai and Henan.

No international coordination of data protection

It would be easy to criticise policy makers in China for what is something of a patchwork of laws and regulations in the data protection arena.  However, the rest of the world is perhaps little better.

One can view Asian data privacy legislation as a kaleidoscope of different rules, seemingly ever changing as jurisdictions constantly play catch up with their neighbours.  The contents of data regulation move with time (and the underlying technologies and perceived threats).  In terms of privacy, what may seem paramount in one culture (such as banking secrecy in Switzerland) may be anathema in another (for a long time Italian tax authorities made every individual’s tax returns public).

In Asia Pacific we have jurisdictions which are:

Early adopters of data protection (such as Taiwan) and non-adopters (Vietnam);

Reluctant enforcers (Hong Kong really did not enforce the laws between 1996 and 2010, but since a high-profile case of misuse of data for marketing purposes has now started to enforce more aggressively), to zealous converts (South Korea’s data protection laws are in some ways more proscriptive than even the EU “gold standard”);

Using fragmentary regulations (China would currently fall into this category) compared to Australia, which has cohesive laws; and

EU comparators (such as New Zealand) to those playing catch up (everyone else).

Data breaches

Like other aspects of data protection, a jurisdiction’s legal response to data breach notification is usually driven by local concerns:

In 2005 in the US, ChoicePoint (which compiles information on millions of consumers) fell victim to a security breach which disclosed 145,000 subject records to a criminal enterprise.  It notified consumers in California only (as required there), but not in other states whose residents were equally affected.  As soon as those non-Californians started to complain about the unequal treatment, states quite quickly fell into line with their own versions of data breach notification legislation.  In the absence of coordination, however, there are many differences in approach between different states (e.g. as to the thresholds for notification, who should be notified and penalties for non-observance);

In the UK there has been a succession of public sector breaches, including in relation to healthcare and children.  To date, however, there is no initial requirement for breach notification.

In Hong Kong, there have also been many publicised breaches, in both the public sector (such as Hospital Authority employees using unencrypted USBs containing large amounts of sensitive personal data), the financial services sector, and the commercial sector (the VTech data loss of children’s data for electronic toys).  There remains no legal requirement for breach notification in Hong Kong.

Everything will change in the EU with effect from 25 May 2018, however.  On that day the General Data Protection Regulation will take effect.  This will mean that:

Data controllers must notify most data breaches to the Data Protection regulator in their local jurisdiction (within 72 hours of becoming aware of the problem).

Fines of up to the higher of EUR 20 million and 4% of worldwide turnover may be levied on transgressors.

Data export

Another area of great importance, both to multi-national companies and to single-jurisdiction companies which either supply customers overseas or process customer data offshore, is the question of cross-border data transfer.

In the absence of international data protection norms, restrictions to data export are highly important.  Different approaches are taken by different jurisdictions:

Some jurisdictions adopt a “fortress” approach, whereby the regulator’s imperative is to avoid the transference overseas of data at any time.  Such a heavy-handed approach can be very inconvenient for the more sophisticated data users within the jurisdiction;

Other jurisdictions’ regulators are prepared to allow data transfer offshore so long as the data subject has indicated his/her informed consent.  What constitutes adequate consent is often difficult to pre-judge; and

In recent years, some jurisdictions have been trying to police the offshoring of data through extra-territorial enforcement powers.  Australia is an example.  Although it is currently difficult to predict with certainty how extra-territorial enforcement might work, the hope and anticipation is that, if enough jurisdictions adopt this sort of wording, there will be sufficient mutuality of interest to encourage jurisdictions to enforce the data protection laws of other requesting jurisdictions.

The EU – a multitude of approaches

The EU has adopted or permitted a patchwork of different approaches to transfer offshore of personal data:

A white-list is maintained of jurisdictions deemed to have a sufficiently similar level of data protection legislation that they can receive EU outbound data without further compliance procedures (e.g. Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay);

Transfers are permitted where exporter and recipient have adopted prescribed forms of data export contracts;

A number of EU Data Protection authorities are receptive to the use of Binding Corporate Rules, whereby an MNC binds itself constitutionally to treat all the personal data it handles in a particular way no matter in which jurisdiction it is using the data;

Informed consent has been obtained; and

To facilitate EU to US transfers, the US recipient has signed up to the EU US Privacy Shield (the replacement to the ill-fated Safe Harbor protocol).

China's approach to data offshoring

China has to date adopted the “fortress” approach to the offshoring of personal data of banking customers and for most employee data.  Other classes of personal data are not specifically regulated when it comes to data outflows.

Hong Kong's approach is still in gestation

Section 33 of the Personal Data (Privacy) Ordinance is still not in force, notwithstanding that it was enacted 20 years ago!

Section 33 provides a functional equivalent to the EU position: a white-list, a set of standard clauses, and a fall-back provision for obtaining adequate subject consent.  The Government has been undertaking a consultancy project to move this forward for a number of years now, with nothing currently to show for it.  In the meantime, the Privacy Commissioner can only seek to police offshore transfers of data on the basis that consent of the data subject should be obtained.

Right to be forgotten

Data privacy practice is developing in various unforeseen ways.

In 2014 the EU Court of Justice decided that an Internet search engine operator is responsible for the processing that it carries out of personal information appearing on web pages published by third parties.  The search engine can be obliged to remove the content of searched materials.  Grounds for removal include where the results are irrelevant, no longer relevant or deemed excessive.

This process involves a considerable amount of compliance machinery.

One question is whether other jurisdictions might have the appetite to follow suit.  The Hong Kong Privacy Commissioner has shown at least passing interest in the issue, although there seems no immediate likelihood of its adoption as part of Hong Kong law.  There would seem no likelihood whatsoever of China instituting laws relating to “the right to be forgotten”.

Conclusions

In brief, data protection is a massive regulatory area.  Multi-national companies require multi-jurisdictional advice on data protection.  In some jurisdictions (notably across the EU), potential fines for data protection infringements now rival anti-trust enforcement penalties.  Cyber-security risks are a universal problem.  This is well recognised by China.

All in all, data protection is an expanding area of regulatory advice.

EMIR UPDATE - Margin rules and other developments

By Karen Butler and Vanessa Docherty, King & Wood Mallesons

On 28 July 2016 the European Commission endorsed, with amendments, the draft rules on margin requirements for non-cleared OTC derivatives contracts (“Margin RTS”). The margin rules are designed to prevent the build-up of uncollateralised exposures by requiring certain counterparties to post initial margin and variation margin.

The date on which counterparties will be required to comply with the margin rules will depend on the aggregate notional amount of non-centrally cleared derivatives trades that have been entered into, with the application of the margin rules determined as at the “date of inception” of the derivatives contract.

The Commission amendments relate to certain technical matters which:

outline the rationale for delaying the application of the margin rules to single stock equity options and equity index options by 3 years;

confirm that cash initial margin can also be held with non-EU credit institutions where an equivalence decision has been issued by the European Commission;

clarify that the application of the margin rules to FX forwards will apply from the date specified in the delegated act under the Markets in Financial Instruments Directive II, or 31 December 2018, whichever is earlier; and

amend the concentration limits for pension scheme arrangements - concentration limits restrict the proportion of specific forms of collateral, to promote diversification and reduce risk.

The Commission has also clarified in the Margin RTS that counterparties may apply to or notify their member state regulator for the intra-group exemption once the margin rules have entered into force (i.e. 20 days following publication in the EU Official Journal). An application or notification will have to be submitted where: (a) the counterparties are located in different EU member states, or (b) one counterparty to the derivatives trade is established in a "third country" and the other is established in an EU member state. The exemption will only be granted if certain conditions are met (the conditions that apply will depend on how the counterparty is categorised). If the exemption is granted then the counterparty will either be wholly or partially exempt from the margin requirements. The relevant counterparty must publicly disclose details relating to its reliance on the exemption.

There is a temporary three year reprieve for intra-group derivatives transactions between an EU counterparty and a third country entity without the need for an equivalence decision by the Commission in respect of the third country (provided that all the other conditions of the intra-group exemption are met). This three year reprieve will be cut short if the Commission subsequently makes an equivalence decision for the third country prior to the end of the three year period.

It is critical that counterparties understand whether they meet the requirements to qualify for the intragroup exemption from the margin requirements and that they submit the application to the relevant member state regulator using the relevant final application form.

We note that, pending finalisation of the Margin RTS, the FCA has published a draft application form for the intragroup exemption, to give counterparties an idea of the types of questions they will be asked and the information they will be required to submit, and so more time to prepare their applications.  The FCA is expected to publish the finalised application form shortly.

The application or notification must be completed on a per counterparty basis, and may cover all the intragroup OTC derivative contracts falling within the intragroup exemption, provided that the information is clearly provided per counterparty.

The European Commission has also proposed an adjusted timetable for implementation of the margin rules as follows:

the variation margin rules to apply: (a) to the most active qualifying counterparties from one month following the entry into force of the margin rules; and (b) to all other qualifying counterparties from 1 March 2017 or one month following the entry into force of the margin rules (whichever is later);

the initial margin rules will be phased in from 1 September 2017 for the most active counterparties and then will apply to other qualifying counterparties from 1 September each year (i.e. 2018, 2019, 2020) depending on whether their trading activity exceeds the relevant threshold.

Third country regulated markets

The European Commission has declared certain US designated contract markets to be equivalent to EU regulated markets. This means that derivatives trades that are entered into on such markets will no longer be treated as OTC for EMIR purposes. Counterparties will not be subject to the risk mitigation obligations (e.g. confirmations, portfolio reconciliation, dispute resolution, margin etc.) or the central clearing obligation in EMIR.

Derivatives Clearing involving Category 3 Firms

There have been three clearing mandates determinations approved by the European Commission so far. The date from which counterparties must comply with the mandatory clearing obligation under EMIR will depend on which of the four categories the counterparty falls into (please see our previous alert for further details).

On 13 July 2016, the European Securities and Markets Authority (ESMA) published a consultation paper that proposes to postpone the phase-in date for central clearing of OTC derivatives contracts entered into with a Category 3 counterparty for three years. Category 3 counterparties consist of financial counterparties and alternative investment funds (please see our earlier link on counterparty categorisation) whose aggregate month-end average outstanding gross notional amount of all non-centrally cleared derivatives over the relevant three month period does not exceed Euro 8 billion. The consultation closes on 5 September 2016 and ESMA is expected to publish its final report by the end of 2016.
