Jurisdictions with Stephenson Harwood expertise
There is not a single comprehensive data protection law in the People's Republic of China ("China"). Instead, there is a complex framework of rules relating to personal information protection and data security. This framework is formed by three main pillars:
- Personal Information Protection Law ("PIPL"), which entered into effect on 1 November 2021 and is China's first comprehensive data protection law.
- Cybersecurity Law ("CSL"), which came into effect on 1 June 2017 and was the first national-level law to address cybersecurity and data privacy protection.
- Data Security Law ("DSL"), which came into force on 1 September 2021 and focuses on data security across a broad category of data (not just personal information).
In addition, the Civil Code of the People's Republic of China ("the Civil Code") became effective on 1 January 2021 and expressly provides individuals with the right to privacy and personal information protection.
Over the past few years, an enormous number of specific requirements have been introduced by laws and regulations in China that govern particular industry sectors, such as telecommunications, finance, healthcare, network services, consumer, e-commerce, and transportation.
This new framework poses significant challenges for companies when conducting or responding to investigations in China, particularly in respect of requirements on the processing of personal information and cross-border data transfer. That is because PIPL's new framework requires consent as its principal basis for data collection and handling, introduces provisions with extraterritorial effect, restricts cross-border data transfers and applies significant fines for non-compliant conduct.
Given this new framework and the fact that new regulations are anticipated to be published in the coming years, it is recommended that organizations continue to monitor developments in the data protection regime in China. Our team at Stephenson Harwood can assist you with this and offer tailored advice, supported by our office in Shanghai, which is part of our Greater China practice.
DIFC Law No. 5 of 2020 (the "DIFC Law No. 5/2020") was brought into force on 1 July 2020, bringing the DIFC more closely into line with existing established data protection regimes, including the EU General Data Protection Regulation (the "GDPR"), from which the UK legislation also originates. As a result, commentary and guidance on the European Union and UK data protection legislation are likely to be of use to DIFC entities subject to the DIFC Law No. 5/2020.
The DIFC Law No. 5/2020 is supplemented by the DIFC Data Protection Regulations 2020. Certain federal laws also continue to apply within the DIFC.
In March 2022, the DIFC announced that it had enacted the DIFC Laws Amendment Law ("DIFC Law No. 2 of 2022") to incorporate amendments to several DIFC laws, including the DIFC Law No. 5/2020. Among the changes, the amendment clarifies the process for judicial redress for individuals, strengthens the accountability of controllers and processors and increases the powers of the Commissioner of Data Protection.
Our experienced team in Dubai and London can advise clients in relation to each of the areas referred to above and assist with the practical steps necessary to ensure compliance with the applicable laws and regulations and international best practice.
The Personal Data (Privacy) Ordinance (the "PDPO") governs data processing in Hong Kong and contains a series of Data Protection Principles (the "DPP"). The majority of the provisions of the PDPO came into force on 20 December 1996, with some amendments made by the Personal Data (Privacy) (Amendment) Ordinance 2012 (the "2012 Amendments") and the Personal Data (Privacy) (Amendment) Ordinance 2021 (the "2021 Amendments").
The PDPO establishes the Privacy Commissioner for Personal Data as the regulatory body responsible for providing guidance on PDPO compliance. In addition to the PDPO, Hong Kong imposes sector-specific guidelines, including for financial services and telecommunications.
The PDPO applies where the data user in question controls the processing of data in or from Hong Kong even if the data processing cycle occurs outside Hong Kong. However, the PDPO does not contain any express provisions conferring extra-territorial application.
Singapore enacted the Personal Data Protection Act of 2012 (No. 26 of 2012) on 15 October 2012, and it was subsequently amended by the Personal Data Protection (Amendment) Act 2020 (together, the "Singapore Act").
In addition to the Singapore Act, the Singapore data protection regime consists of a variety of advisory guidelines, which can be general or sector-specific. These guidelines are issued by the Personal Data Protection Commission and indicate the manner in which the Commission will interpret the Singapore Act.
The Singapore Act has extraterritorial effect and applies to organizations collecting, using or disclosing personal data in Singapore regardless of whether the organization is registered or has a physical presence in Singapore.
It is important to note that the data protection obligations under the Singapore Act do not apply to the public sector, which is regulated by the Government Instruction Manual 8 ("IM8") and the Public Sector (Governance) Act. In practice, the public sector rules apply the same protections as the Singapore Act, including similar investigations and enforcement actions taken against data security breaches.
Our experienced team in Singapore can assist with any data protection queries related to your processing of personal data in Singapore.
Despite a series of data protection regulation proposals over the years, there is still no federal law regulating data privacy in the United States ("US").
Following in the footsteps of the GDPR, the American Data Privacy Protection Act ("ADPPA") was proposed in Congress as landmark US federal privacy legislation. The ADPPA is bipartisan legislation which would apply broadly to organizations and businesses operating all over the country. So far, it has surpassed any previous attempt to create a federal data protection law, having been approved by the House Committee on Energy and Commerce. However, the bill still has a long way to go before being enacted, and it is possible that it may never be passed.
In the absence of a federal law (ADPPA or otherwise), data protection in the US is governed by a patchwork system of sector-specific federal, state and local laws and regulations.
Several states have enacted their own privacy laws, such as California, Virginia, Colorado, Connecticut, and Utah. There are also a number of bills waiting to pass state legislatures in a series of other states. However, only California, Virginia and Colorado have enacted comprehensive cross-sector privacy laws.
The California Consumer Privacy Rights Act ("CPRA"), which took effect on 1 January 2023, amends the California Consumer Privacy Act ("CCPA"), which introduced most of the data privacy provisions in California. The CPRA establishes a new California enforcement agency and imposes additional compliance obligations and restrictions in relation to data privacy.
The Virginia Consumer Data Protection Act (effective 1 January 2023) and the Colorado Privacy Act (effective 1 July 2023) have very similar provisions to those in California, but both exclude personal data collected in connection with employment relations.
The very fact that US data protection is regulated through different state laws, which overlap with sector-specific federal laws, means that US businesses operating around the country must comply with all applicable state and local laws and regulations in addition to any federal law.
Of particular interest to UK- and EU-based businesses is the ability to transfer personal data to the US and the safeguards they need in place to ensure such a transfer is lawful. For more information on international transfers, please see our knowhow article on data transfers.