Juliet McNulty | Privacy Matters | DLA Piper Data Protection and Privacy | DLA Piper https://privacymatters.dlapiper.com/author/jmcnulty/ (DLA Piper's Global Privacy and Data Protection Resource, Mon, 18 Sep 2023 15:20:21 +0000)

Indonesia: prepare now for the new Personal Data Protection Law https://privacymatters.dlapiper.com/2023/09/indonesia-prepare-now-for-the-new-personal-data-protection-law/ Fri, 15 Sep 2023 15:00:30 +0000

Following the passing of the long-awaited Personal Data Protection Law (“PDPL”) in Indonesia, on 31 August 2023 the Ministry of Communications and Information Technology published the draft government regulation (“Draft Regulation”) on the implementation of the PDPL for public consultation. The public consultation will close on 14 September 2023. The Draft Regulation is expected to come into effect in October 2024.

Summary of the key themes of the Draft Regulation:

  • Scope of personal data: In addition to the list of “specific personal data” set out in the PDPL, the Draft Regulation introduces a mechanism for the government to expand the scope of “specific personal data”. The Ministry, in consultation with the PDP Agency, may designate other data as “specific personal data” if it has the potential to cause greater harm to data subjects, such as discrimination, material/immaterial loss and contravention of the law. It also clarifies that personal data will cover those in the public domain. This gives the government the flexibility to extend its control over time, which in turn creates uncertainty for businesses.
  • Consent to data processing: Similar to the position taken under other data protection laws in Asia, data processing can be based on consent (though other bases of data processing are also available). Where consent is used, the data subject must be provided with a privacy notice and explicit lawful consent must be obtained.

With regard to children or persons with disabilities, consent should be obtained from the parents/guardians of the children and from either the disabled persons or their guardians.

Interestingly, a child is defined as any unmarried person under the age of 18. Controllers are also required to take measures to identify persons with disabilities. These provisions may lead to some uncertainty as to whether mere reliance on a data subject’s declaration is sufficient or whether a more proactive approach, such as verification and active monitoring, is required.

  • Data subject rights: The Draft Regulation also sets out in detail the rights of data subjects and the timelines for responding to requests. For example, controllers must respond to data subject requests within “3 x 24” hours. This is a very short timeframe that is usually only applied in data breach notification scenarios in other jurisdictions in Asia.  
  • Cross-border data transfers: The PDPL already provides that data controllers transferring personal data abroad must ensure that the recipient country has a level of data protection at least equal to that required in Indonesia. 

The Draft Regulation clarifies that the PDP Agency will be the authority to make the determination and the PDP Agency may in the future establish a list of jurisdictions meeting that threshold. If the receiving jurisdiction does not meet the threshold, measures similar to those adopted by other jurisdictions in Asia, such as cross-border agreements, standard contract clauses and binding group company regulations, must be put in place.

We expect the PDP Agency to provide more details on these practices, such as standard wordings and templates, in the future. Nonetheless, if these requirements are not met, the consent of the data subject could be used as a fallback in limited circumstances. In any event, controllers will be required to carry out a risk assessment and a legal instrument assessment prior to the transfer.

  • Redress and out-of-court dispute resolution: The Draft Regulation places great emphasis on redress for data subjects and on alternative dispute resolution mechanisms in the event of a breach. A data subject has the right to sue for violations, whether based on fault or negligence on the part of the controller, and to receive material compensation, such as a sum of money, or non-material compensation, such as remedial measures. In particular, the Draft Regulation expressly gives priority to mediation over other dispute resolution mechanisms, and even provides for a Professional Mediation Institution that is equipped with expertise in data protection and certified in accordance with the Draft Regulation.

Alternatively, breaches of data protection may be punished by administrative fines of up to 2% of the annual revenue or annual receipts of the violator. However, it is uncertain whether the percentage cap will be applied to the local entity or to the group globally.

What next – practical steps

While the Draft Regulation signifies Indonesia’s commitment to strengthening its data protection framework in line with global standards, we expect that compliance with the data protection law in Indonesia could be challenging given the onerous obligations and uncertainty.

Given the PDPL will come into force in October 2024 and it now seems likely that the Draft Regulations will also come into effect at around the same time, we recommend that businesses prioritise the following:

  • review existing data flows and the categories of data which are being collected and processed;
  • consider existing mechanisms for obtaining consent;
  • review processes for responding to data subject requests and data breach notification;
  • review processes for conducting data protection impact assessments.
We’re now seamlessly global. Here’s what to expect. https://privacymatters.dlapiper.com/2023/09/privacy-matters-update/ Tue, 12 Sep 2023 21:29:52 +0000

Dear subscriber,

Thank you for subscribing and being a part of DLA Piper’s Data Protection, Privacy and Cybersecurity community. We appreciate your continued engagement with our insights and the evolving nature of the landscape.

Our goal for this blog is to help you navigate all aspects of data protection, privacy, and cybersecurity laws, while considering the ever-expanding geographic footprint of businesses. Here at DLA Piper, we understand how compliance across jurisdictions makes it even harder to solve today’s most pressing privacy problems and prepare for future cybersecurity threats.

We’re excited to announce that Privacy Matters will be bringing you more on privacy and cybersecurity issues at home and abroad.

  • Find quickly shared updates on relevant topics on global data protection, privacy, and cybersecurity issues 
  • Get perspectives from leading DLA Piper professionals from around the world 
  • Easily navigate our improved, user-friendly layout 

With this change, you’ll need to add privacymatters@comms.com to your contacts to ensure blog updates make it to your inbox.

Thanks for reading,

The Data Privacy team at DLA Piper 

Ireland: Non-material damages under GDPR – Irish law developments and the international approach https://privacymatters.dlapiper.com/2023/09/ireland-non-material-damages-under-gdpr-irish-law-developments-and-the-international-approach/ Thu, 07 Sep 2023 15:01:00 +0000

Authors: Eilis McDonald; Marcus Walsh; John Magee; Gavin Woods; David Cook; Andreas Rüdiger

The Irish Circuit Court has recently delivered an important judgment on non-material damages for infringement of the GDPR.  The judgment also establishes a list of factors for the courts to consider when assessing non-material damages.

This judgment comes in the context of other recent decisions on this topic in the UK and EU, which continue to shape the data protection environment in which multinational organisations operate. The scrutiny by national courts of the lawfulness of certain processing, and their commentary on the factors that will aggravate or mitigate an infringement, should be considered by these organisations and inform their approach to data protection compliance.

In Kaminski v Ballymaguire Foods [2023] IECC 5, the Irish Circuit Court awarded a claimant the sum of €2,000 for non-material damages for infringement of the GDPR by his employer. The approach of the Irish courts is broadly consistent with the approach in Germany and the UK as referred to below.

Facts in Kaminski

Mr Kaminski held a supervisory position within Ballymaguire Foods. In the course of a meeting about poor food safety practices, CCTV footage of Mr Kaminski was shown to other supervisors. Following the meeting, Mr Kaminski’s colleagues began to “slag” him for his conduct, causing him to feel humiliated and mocked. Mr Kaminski claimed that he suffered issues with his sleep following the incident, as well as heightened stress about going to work each day.

Mr Kaminski sought to claim damages on the basis that Ballymaguire Foods had infringed the Irish Data Protection Act 2018 and the GDPR by unlawfully processing his personal data. Ballymaguire Foods denied the infringement and also argued that Mr Kaminski was not entitled to recover damages, as the non-material damage claimed amounted to no more than mere “upset, anxiety and embarrassment”, for which compensation was not recoverable.

The Court disagreed with Ballymaguire Foods and held that there was an infringement of the GDPR, that non-material damage resulted from that infringement and that a financial sum in compensation was due. Mr Kaminski was awarded €2,000 for non-material loss, on the basis that it went beyond mere upset and resulted in insecurity lasting a short period of time.

Factors to consider in assessing non-material damages

In his judgment, Judge O’Connor referred to the CJEU ruling[1] in the Österreichische Post[2] case and set out a list of factors to consider in assessing non-material damages. Interestingly, the Judge caveated his own judgment, stating that he was formulating the list “with some caution in the absence of clarification from the Oireachtas [the Irish Parliament], the Superior Courts and the outstanding preliminary reference before the CJEU”. The factors that he set out are:

  • “Mere breach” of the GDPR is not sufficient to warrant an award of compensation.
  • There is no minimum threshold of seriousness for a claim to exist (however compensation for non-material damage does not cover “mere upset”).
  • There must be a link between the data infringement and the damages claimed.
  • If the damage is non-material, it must be genuine and not speculative.
  • Damages must be proved. Supporting evidence is strongly desirable (e.g. in a claim for distress and anxiety, independent evidence such as a psychologist’s report or medical evidence is desirable). Interestingly, the Court did not require medical proof of Mr Kaminski’s purported anxiety in this case, commenting that Mr Kaminski was “viewed as a truthful and conscientious witness”.
  • Data policies, such as employee privacy notices and CCTV policies, should be clear and transparent and accessible by all parties affected[3].
  • Where a data breach occurs, it may be necessary to ascertain what steps were taken by the relevant parties to minimise the risk of harm from the breach.
  • An apology where appropriate may be considered in mitigation of damages (e.g. reassuring the individual that their employment is safe and not at risk).
  • Delay in dealing with a breach by either party is a relevant factor in assessing damages.
  • A claim for legal costs may be affected by these factors.
  • Even where non-material damage can be proved and is not trivial, damages in many cases will probably be modest (the Court referred to the Irish Judicial Council Personal Injuries Guidelines on minor psychiatric damage, noting that in some cases non-material damage could be valued below €500).

The Comparative View – damages

Until now, there has been some uncertainty as to how compensation for non-material loss would be calculated in Ireland. The Irish court’s ruling, following the Österreichische Post case, indicates some consistency of approach across Europe. The award of €2,000 for the claimant’s distress is broadly consistent with the approach in the UK and Germany.

There are now several judgements where the German courts awarded compensation for non-material damages.[4] The highest compensation we are aware of is €10,000 for non-material damages for the loss of control of a data subject due to a delay in complying with the right of access.[5] However, the average award for non-material damages by the German courts appears to be in the region of approximately €2,000.[6]

The position in the UK broadly aligns with this. The case of Driver v CPS[7] was heard by the UK High Court in 2022 and resulted in an award “at the lowest end of the spectrum” of £250. More recently, in Ali v Chief Constable of Bedfordshire Police[8], the High Court awarded £3,000 for non-material damage on the basis that it was “in the bottom half of the range of awards for ‘less severe psychiatric harm’” in the Judicial College Guidelines for the Assessment of General Damages in Personal Injury cases. However, the position in the UK courts certainly remains somewhat unsettled.

While there is ostensibly some comfort to be found in the decision in Lloyd v Google[9], in which the UK Supreme Court rejected a US-style opt-out class action against Google, the Court certainly left the door ajar for future mass claims for data protection infringement. Indeed, if the lowest end of the scale is even just £200[10], then a group claim, or multi-party case, could quickly see the figures escalate dramatically, particularly when claimants’ costs are also factored in.

The Comparative View – how are non-material damages assessed elsewhere?

It is interesting to compare the approach of Judge O’Connor with how this issue is dealt with across the EU (in light of the Osterreichische judgment[11]) and the UK (and Lloyd -v- Google[12]) where it has been established:

  • Loss of control of data or a simple infringement without consequence would not itself sound in compensation.
  • Damage would need to be caused, which can be material damage (such as financial loss) or non-material damage (such as distress).
  • That damage must be evidenced and proven.
  • There is a de minimis threshold for distress claims and there will be some claims for which the issue is too trivial to lead to compensation.

Following the CJEU ruling in the Österreichische Post case, we have seen German courts decide on the basis of the above criteria and we assume that this will also be the case for future decisions. Among the decisive factors is that a mere breach of the GDPR does not give rise to an automatic claim for damages, and that the plaintiff needs to prove both non-material damage and a causal link between the breach and the damage.

This is certainly the case in the UK, and the Österreichische Post AG decision effectively mirrors the reasoning of the UK court in Lloyd v Google, which, in turn, the Irish Circuit Court has followed in Kaminski. There is consistency in those first principles. Where this goes next is unclear. The CJEU decision in Österreichische Post necessarily gives a great deal of discretion to Member State courts and the post-Brexit interpretation of the GDPR requirements in the UK may see further divergence.

Conclusion

We are finally beginning to see the development of broadly consistent principles being applied by national courts to the awarding of non-material damages under the GDPR and national data protection legislation. Further, the level of damages appears to be relatively modest. However, that may be cold comfort to any organisation where a significant data breach occurs, opening it up to the possibility of a class action or claims by a large group of claimants and resulting in large-scale multiples of those “modest” damages. At DLA Piper, we continue to monitor these decisions to provide our clients with a broader view of the risks involved across multiple jurisdictions.

[1] Case C-300/21, UI v Österreichische Post AG

[2] https://blogs.dlapiper.com/privacymatters/europe-cjeu-holds-that-mere-infringement-of-the-gdpr-does-not-give-rise-to-a-right-to-compensation/

[3] As previously established in the cases of Cormac Doolin v The Data Protection Commissioner and Our Lady’s Hospice and Care Services [2020] IEHC 90 and McVann v Data Protection Commissioner [2023] IECC 3

[4] Some recent court decisions in this regard include: Higher Regional Court of Naumburg, judgment of March 2, 2023 – 4 U 81/22; Administrative Court Cologne, judgment of February 23, 2023 – 13 K 278/21; Higher Regional Court of Hamm, judgment of January 20, 2023 – 11 U 88/22; Cologne Regional Court, judgment of September 28, 2022 – 28 O 21/22; Koblenz Higher Regional Court, judgment of May 18, 2022 – 5 U 2141/21.

[5] Labour Court Duisburg, judgment of March 23, 2023 – 3 Ca 44/23.

[6] This was the result of an evaluation of 21 German court decisions from the years 2020-2023 with regard to the amount of damages awarded.

[7] https://www.dlapiper.com/en-am/insights/publications/2022/11/the-high-court-has-confirmed-its-position-as-to-the-award-of-damages

[8] Ali v Chief Constable of Bedfordshire Police [2023] EWHC 938 (KB)

[9] https://www.dlapiper.com/en-gb/insights/publications/2021/11/lloyd-v-google-supreme-court-judgment-report-and-impacts-on-data-protection

[10] The lowest end of the scale, as per Driver v CPS.

[11] https://blogs.dlapiper.com/privacymatters/europe-cjeu-holds-that-mere-infringement-of-the-gdpr-does-not-give-rise-to-a-right-to-compensation/

[12] https://www.dlapiper.com/en-gb/insights/publications/2021/11/lloyd-v-google-supreme-court-judgment-report-and-impacts-on-data-protection

India: New Digital Personal Data Protection Act, Start Planning Now. https://privacymatters.dlapiper.com/2023/09/india-new-digital-personal-data-protection-act-start-planning-now/ Wed, 06 Sep 2023 15:00:07 +0000

Authors: Carolyn Bigg, Gwyneth To and Rachel De Souza

Start preparing now to comply with India’s new data protection law. While there are similarities with the EU/UK GDPR – and sufficient harmonisation with data protection laws across APAC to support a regional approach to data compliance in Asia – the practicalities of implementation and compliance should not be underestimated.

On 11 August 2023, India’s long-awaited law governing data protection – the Digital Personal Data Protection Act, 2023 (DPDP Act) – received the President’s assent and was published in the official gazette the following day. The DPDP Act is India’s first comprehensive law on the protection of personal data and comes six years after the Supreme Court of India first declared a fundamental right to privacy in the Puttaswamy case in 2017. The DPDP Act will replace India’s current data protection framework, which includes relevant provisions of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

The majority of the requirements in the DPDP Act are not yet operative – the Central Government of India can determine different dates for entry into force of different provisions within the DPDP Act. Therefore, as well as preparing for the new DPDP Act, organisations will need to continue to ensure compliance with existing rules and regulations under the current Indian data protection regime. It is anticipated that subordinate legislation will follow to clarify and give effect to the provisions of the DPDP Act. Rumours are that there will be a grace period for organisations to comply, but it may be as short as six months.

Summary of key requirements under the DPDP Act

  • Scope of the DPDP Act: The DPDP Act is applicable to the processing of “digital personal data”, which includes personal data collected either digitally, or collected in a non-digitised form and subsequently converted into digital form. In contrast to the current position in India and the EU/UK GDPR, the DPDP Act makes no distinction between personal data and sensitive personal data, but this is quite similar to many other Asia data protection laws. The DPDP Act does not apply to personal data used by individuals for personal or domestic purposes, or publicly accessible data.
  • Extra-territorial effect: The DPDP Act applies both to: (i) Indian entities which engage in the processing of personal data; and (ii) foreign entities processing personal data as part of offering goods and services to data principals (i.e. data subjects, using the GDPR terminology) located within India. Unlike the EU/UK GDPR, the DPDP Act does not apply to entities outside India that merely monitor the behaviour of Indian data subjects.
  • Consent and notice: Similar to the general position with other Asia data protection laws, consent of the individual is required to process personal data, although there are a number of ‘legitimate use’ exceptions to the consent requirement (e.g. fulfilment of any legal/judicial obligations, employment and medical emergencies and health services).  Consent must be “free, specific, informed, unconditional and unambiguous” and must be obtained through clear affirmative action (e.g. opt-in). In order to obtain consent, organisations must provide a clear notice to individuals, which includes (inter alia): (i) information on the personal data to be collected and the purpose of its processing; and (ii) a description of the data principal’s (i.e. data subject’s) rights, including correction, withdrawal of consent, and the procedure for filing complaints with the Data Protection Board. Importantly, the notice and request for consent must be made available in English and in all the 22 languages mentioned in the 8th schedule of the Indian Constitution – this translation time/cost must be factored into organisations’ implementation plan.
  • Data Fiduciaries and Significant Data Fiduciaries: the DPDP Act introduces a number of changes in relation to the obligations of ‘data fiduciaries’ (defined under the DPDP Act as any person who alone or in conjunction with other persons determines the purpose and means of processing personal data) – i.e. a data controller, using the GDPR terminology. These include a requirement to implement technical and organisational measures, record-keeping requirements, obligations in relation to the appointment of data processors, and reporting of “Personal Data Breaches” to the Data Protection Board and data principals (see below).

The DPDP Act also introduces the concept of ‘significant data fiduciaries’, which imposes more stringent compliance requirements on those data fiduciaries (or classes of them) which are classified by the Central Government of India as ‘significant data fiduciaries’. Non-compliance with these additional obligations can result in substantial penalties. The designation of significant data fiduciary status depends on a range of factors (e.g. volume and sensitivity of personal data, risk posed to the rights of data principals, impact of processing on the sovereignty and integrity of India, national security and public order, etc.). Additional compliance requirements include:

  • designation of a Data Protection Officer (DPO);
  • appointment of an independent data auditor to assess data protection compliance; and
  • undertaking data protection impact assessments, periodic audits and other measures required by the authorities. 
  • Data Protection Officer (DPO): organisations must appoint a contact person / representative to address data principals’ queries on the processing of their personal data. Where an organisation is considered a ‘significant data fiduciary (see above), the organisation must appoint a DPO and publish the business contact information of that DPO. 
  • Data breach notification: All types of personal data breaches (which include unauthorised data processing, disclosure, alteration, loss, or actions compromising data confidentiality, integrity, or availability), regardless of scope and impact, are reportable to affected data principals and the authorities. This follows the recent trend in India of mandatory reporting for virtually all cyber incidents, and is a significant uplift on data breach notification under the EU/UK GDPR and data protection laws elsewhere in Asia. The form and timeline for reporting data breaches are not set out in the DPDP Act and will be prescribed in rules to be issued by the Central Government. The reporting obligations under the DPDP Act apply in addition to the existing reporting obligations under India’s Computer Emergency Response Team (CERT-In) rules, imposing potentially duplicate reporting requirements on organisations.
  • Data Principal Rights: Data principals have a number of rights under the DPDP Act, including a right of access to information, the right to correction of personal data, the right of erasure, the right to withdraw consent and the right of grievance redressal. The DPDP Act also imposes obligations on data principals, including an obligation to furnish only verifiably authentic information, not to impersonate another person while providing personal data for a specified purpose, and not to register a false or frivolous grievance or complaint with a data fiduciary or the Data Protection Board. The DPDP Act includes financial penalties for breach of these obligations.
  • Cross-border data transfers: Under the DPDP Act, the cross-border transfer of personal data for processing is permitted, except to blacklisted countries as specified by the Government of India (list to be published in due course). That said, sector-specific restrictions on the transfer of personal data remain (e.g. payments, insurance, etc.). The removal of the data localisation provisions found in previous drafts of data protection laws in India has been widely welcomed by multinational businesses, and in practice aligns India with general international principles and practices for cross-border data transfers.
  • Penalties: Whilst the previous data protection framework in India laid down both civil and criminal penalties, under the DPDP Act only fines ranging from INR 5 Crores (approximately €559,875) to INR 250 Crores (approximately €27,993,712) have been prescribed.

What next – practical steps

As a priority, businesses should map out and understand personal data flows and processes with respect to Indian personal data, in order to remediate any gaps or inconsistencies with the DPDP Act in existing data privacy programmes. In particular, businesses should prioritise the following:

  • Identify what digital personal data is being collected and the purposes of processing, as well as whether any third-party processors are used to process the digital personal data.
  • Ensure existing notice and consent approaches (if any) are adequate. Otherwise, roll out notice and consent mechanisms for data principals.
  • Put in place procedures and policies for responding to and reporting personal data breaches, given the significant uplift in obligations in comparison to the general requirements across all other data protection laws.
CHINA: uncertainties helpfully clarified on various key data compliance activities https://privacymatters.dlapiper.com/2023/08/china-uncertainties-helpfully-clarified-on-various-key-data-compliance-activities/ Tue, 22 Aug 2023 14:58:46 +0000

Helpful guidance on some previously uncertain areas of China data protection compliance programmes has been provided by the Administrative Measures for Personal Information Protection Compliance Audit (Draft for Comment) (“Draft Measures”), which were published for public consultation on 3 August 2023 by the Cyberspace Administration of China (“CAC”).

The Draft Measures propose to introduce or flesh out other compliance requirements contained in the PIPL. For example:

  • Automated Decision-Making: where a data controller uses personal data to conduct any automated decision-making, it must proactively inform data subjects in advance of the types of data processed and the potential impact of the automated decision-making. It must also conduct security and ethics assessments of the algorithms and parametric models, record all manual intervention involved in the annotation management and model training processes to prevent manipulation, and enable data subjects to amend or delete customised tags in order to opt out. This will, therefore, require more in-depth privacy notices than businesses may be used to providing in China.
  • Publicly Available Data: where a data controller processes personal data obtained from public sources, it must stop the processing (even if the processing is compatible with the original purpose) once it receives the data subject’s objection. As such, data controllers should be more conservative when relying on the lawful basis of “publicly available data” for processing. Assessing the original purpose for which the data was published becomes critical. This is important to note for any data scraping activities.
  • Monitoring of overseas data recipients/processors: when determining whether a data controller has taken sufficient measures to ensure its overseas data recipients satisfy the PIPL data protection standards, the following factors shall be considered: whether the data controller has conducted proper due diligence to check the data protection capability of the overseas recipients; whether the data controller has clearly communicated the PIPL requirements and standards to the overseas recipients; whether sufficient contractual obligations to comply with PIPL requirements are imposed on the overseas recipients; and whether the data controller conducts periodic audits and continues to monitor the overseas recipients’ processing activities. This aligns with controls to monitor recipients under C2C and C2P transfers in other data protection laws.
  • Governance: a data controller must establish a proper internal data protection framework. Must-have supporting policies and procedures include at least: a data classification policy, a data incident response policy, a personal information impact assessment policy, data subject request handling procedures and data protection training plans. International businesses should already have tailored their existing global policies for China purposes.
  • Data incident notification: it is clarified that data incidents must be reported to the internal data protection departments or teams within 72 hours, which seems to suggest that the data controller may have a longer time to report incidents to the CAC than under other data protection frameworks.
  • Role of the DPO: although the Draft Measures still do not clarify the processing threshold that requires a data controller to appoint a DPO, they provide that a DPO must have the authority to coordinate the work of the data protection team and other internal data protection stakeholders, have the right to raise suggestions and comments before the data controller makes any major decisions concerning data processing activities, and have the power to request suspension of non-compliant processing activities and order internal remediation measures. All this indicates that the DPO should be a relatively senior position within an organisation.

The public consultation on the Draft Measures closes on 2 September 2023.

CHINA: new mandatory data protection compliance audits proposed https://privacymatters.dlapiper.com/2023/08/china-new-mandatory-data-protection-compliance-audits-proposed/ Tue, 22 Aug 2023 14:58:01 +0000

To add to the compliance burden, new mandatory, periodic and detailed data protection compliance audits have now been proposed in China, with measures going beyond the governance/compliance audit steps usually expected under other data protection frameworks, and a duty to report the audit results to the Chinese data authorities.

On 3 August 2023, the Cyberspace Administration of China (“CAC”) published the Administrative Measures for Personal Information Protection Compliance Audit (Draft for Comment) (“Draft Measures”) for public consultation, which closes on 2 September 2023. The Draft Measures expand on the audit requirements in the PRC Personal Information Protection Law (PIPL), by setting out the scope and frequency of audits.

According to the Draft Measures, a data controller who processes personal data of more than one million data subjects must carry out a compliance audit at least once a year. Other data controllers must carry out a compliance audit at least once every two years.

The Draft Measures set out the key points to be audited in each of the following data protection areas: lawful basis, notice and consent, sharing or transferring personal data with third parties, automated decision-making, CCTV, public disclosure of personal data, processing of sensitive personal data, cross-border transfer of personal data, retention and deletion, data subject rights requests, the DPO, internal data governance, the data incident response plan and personal data impact assessments.

Under the Draft Measures, the CAC has the authority to order a compliance audit on a data controller and entrust a third party auditing institution to perform the audit. The entrusted institution may request the data controller to provide documents and materials, conduct on-site investigations, access relevant systems and devices, organize interviews and request other assistance from the data controller. It has 90 working days to complete the audit and issue auditing opinions.

The data controller is required to follow the auditing institution’s recommendations and take remediation measures. After remediation, the (satisfactory) audit result is reported to the CAC.

If implemented, this is going to require significant internal resources to manage. While there may be some changes to the key audit points or other technical details in the final version of the Draft Measures, it is very likely that the data compliance audit regime will be launched soon. Data controllers are recommended to start reviewing their ongoing data processing activities and to take necessary remediation action now, while they still have the chance to make plans suited to their own operations before being audited by the CAC. Over time, conducting periodic data compliance audits will likely become part of the regular business routine of data controllers.

CHINA: only 100 days to file SCCs for cross-border data transfers – practical tips and insights https://privacymatters.dlapiper.com/2023/08/china-only-100-days-to-file-sccs-for-cross-border-data-transfers-practical-tips-and-insights/ Mon, 21 Aug 2023 14:56:22 +0000

Authors: Carolyn Bigg and Amanda Ge

Businesses who must follow the China SCCs route to legitimize their cross-border transfers of personal data must file their signed China SCCs together with the supporting personal information impact assessment (“PIIA”) report with their local CAC branch by no later than 30 November 2023. This requires significant effort, and so businesses must act now to meet the filing deadline.

To recap, the China SCCs route is the relevant route for China entities that are data controllers of China personal information but who do not meet the thresholds whereby the full CAC assessment must be undertaken (for further information on this, click here).

During the past few weeks, more practical guidance has been published by different local CACs, and we have gained insights from businesses already preparing their SCCs and accompanying PIIAs:

  • More than 30 local CACs have published hotline numbers. Businesses can ask questions on filing-related matters on a real-name basis. Anonymous questions are generally not accepted.
  • Many local CACs (e.g. Beijing, Shanghai, Jiangsu, Chongqing, Shandong, Hubei, Jiangxi, Hainan, Heilongjiang, Guangxi, etc.) have published the email addresses to which companies may send electronic copies of their filing materials. In these provinces, the local CACs’ comments and the companies’ amended materials will mainly be exchanged by email. Companies only need to submit hard copy materials after the electronic versions have been confirmed by the CACs.
  • Different CACs have different opinions on whether a filing on a group basis is acceptable. For example, the Beijing CAC seems to be fine with the group filing approach. If the Chinese headquarters of a multinational organization is registered in Beijing, it may consider making the filing with the Beijing CAC on behalf of all the other Chinese affiliates. As to how to define the scope of “affiliate” (e.g. whether more than 50% control or other conditions are required), there is no clear guidance yet.

In addition, whether the group filing can work in practice also depends on the local CACs in the provinces where the affiliates are registered. For example, some CACs (e.g. Tianjin) only request a copy of the group filing record in other provinces, while some other CACs (e.g. Zhejiang) request the record/re-submission of the province-specific materials.

  • The China SCCs are drafted in a way deeming the Chinese data exporter as a data controller. Thus, it remains uncertain as to whether or how the SCCs should be signed if the Chinese data exporter is a data processor.
  • Where the Chinese exporter is the data controller, the same SCCs should be used regardless of whether the overseas importer is a data controller or a data processor – i.e. there is not a separate C2P version of the China SCCs. While in theory the parties may insert additional (but not conflicting) terms in Appendix 2 to the SCCs, we suggest limiting those to the absolutely necessary terms (if any), to avoid delays in the filing or more questions from the local CACs.
  • In practice, we are seeing many international businesses identifying their group companies (e.g. the lead entity under their IGDTA) as the primary overseas recipient, and vendors contracted at a group level as onward recipients (since in practice vendors engaged locally by the China entity tend to provide domestic-only services). In other words, the first-tier transfer is on an intra-group basis. When reviewing CAC security assessment applications, the CAC seems to be fine with this approach. Following this approach, some businesses are considering putting in place the China SCCs directly between the exporter and the importer, while others are considering supplementing their intra-group data transfer agreement with the China SCCs. The latter seems to be more common in practice at the moment, given the current reluctance of big tech vendors to engage on signing China SCCs except where they have contracted directly with a China entity.
  • At the moment, an overseas recipient is not mandatorily required to sign the China SCCs with the subsequent recipient(s) (i.e. for onward transfers). But it remains uncertain as to whether the CAC will adjust the regulatory approach in the future. While this delay is being embraced by vendors, who are keen to avoid signing China SCCs for such onward transfers at the moment, there is an obligation in the China SCCs to flow them down to onward recipients, so while this is not an immediate priority this should not be forgotten entirely.
  • Together with the signed SCCs, a personal information protection impact assessment (“PIIA”) report must be submitted to support the filing. The PIIA report requires extensive data mapping, and a significant amount of work to complete. Do not leave it until the last minute – the time to act is now. The PIIA template published by the CAC requires almost the same set of details as in a CAC security assessment (i.e. the approval route). No local CAC has published further explanation on how detailed a PIIA report should be. To cover all the matters included in the template, a PIIA report can easily go beyond 50 pages. It is recommended to reserve at least two months to gather all the required details, coordinate with overseas parties and prepare (and translate if needed) the PIIA report.
  • While it is referred to as a filing, the local CACs have the authority and discretion to order specific remediation measures if they identify compliance gaps when reviewing the data processing activities described in the PIIA report. Thus, before making the filing, it is recommended to fix major compliance gaps or (for gaps that require significant effort to mitigate) at least to formulate clear remediation plans and describe them in the PIIA report.
CHINA: New draft proposes more stringent requirements for processing data in the financial services industry https://privacymatters.dlapiper.com/2023/08/china-new-draft-proposes-more-stringent-requirements-for-processing-data-in-the-financial-services-industry/ Tue, 08 Aug 2023 14:50:37 +0000

Authors: Carolyn Bigg, Amanda Ge and Venus Cheung

On July 24, 2023, the People’s Bank of China (“PBOC”) released the Measures for the Management of Data Security in the Business Areas Falling into PBOC’s Jurisdiction (Draft for Comment) (“Draft Measures”) for public consultation, which closes on August 24, 2023.

The Draft Measures regulate the processing of electronic data collected and generated in the course of business activities that are under the supervision and management of PBOC (“Regulated Data”). Regulated Data includes both personal and non-personal data categories, but state secrets are specifically carved out from the scope of Regulated Data. Financial institutions and other organizations (“Data Handlers”) processing Regulated Data within the territory of China must comply with the requirements of the Draft Measures.

Such regulated processing activities mainly include those carried out in the following business areas: monetary policy, cross-border RMB transactions, inter-bank transactions, comprehensive financial industry statistics, payment and clearing, currency management and digital RMB, treasury management, credit collection and anti-money-laundering.

Key obligations of Data Handlers when processing Regulated Data include:

Data categorization and grading: Regulated Data shall be categorized based on the underlying business contexts. Regulated Data shall be graded into three grades (namely ordinary, important and core) based on its potential impact to national security. Within each grade, Regulated Data shall further be divided into five different levels according to its sensitivity and availability. The categorization and grading shall be recorded in catalogues and updated regularly. Where Regulated Data is in unstructured formats, or where Regulated Data falling into different categories or grades is processed in the same context, the Data Handler shall implement technical and organizational measures applicable to the category or grade requiring a higher protection level. This is not dissimilar in practice to existing guidelines around categorization of “financial data”.

Full life cycle protection: Data Handlers must obtain the consent of individuals or organizations before processing their Regulated Data (howsoever the data was collected or obtained). Access controls, storage media, backups, encryption, transfer controls and retention periods must be determined based on the category, grade and level of the Regulated Data. The data protection level cannot be reduced even in the context of intra-group processing. Regular training and periodic audits shall be conducted to ensure the effectiveness of the data security measures in place. In general, the compliance obligations of a Data Handler processing Regulated Data at level three or above are significantly heavier than those of other Data Handlers. At a high level, we anticipate financial institutions will already be doing this, so it will be interesting to see whether more granular security standards will subsequently be published and whether they impose higher requirements than, say, current international best practice standards.

Cross-border data transfer: The Draft Measures do not provide new requirements regarding cross-border transfer of Regulated Data. Instead, the Draft Measures only briefly state that existing rules regarding data localization and cross-border data transfers (e.g. under the PIPL and related measures) continue to apply, save that in addition PBOC’s approval is required if a Data Handler plans to share any Regulated Data with any international organizations or foreign financial services administrative authorities. This latter measure could create practical difficulties when balancing regulatory requests for information.

Detailed technical requirements: The Draft Measures focus on the effectiveness of the technical measures implemented to protect Regulated Data. In addition to the basic MLPS (multi-level cybersecurity protection scheme) requirements, the Draft Measures also set out detailed technical requirements concerning data input protocols, mandatory watermarking, interface technical specifications, data recovery time and resilience testing requirements, etc. Data Handlers are also required to classify data incidents into different levels and implement level-specific incident response measures. Again, it will be interesting to see whether more granular requirements or standards are published subsequently, and how they align with current international best practices.

Since the issuance of the PRC Data Security Law (“DSL”), sectoral authorities have been formulating rules to regulate data security matters within their respective jurisdictions. The Draft Measures reflect PBOC’s approach to implementing the DSL requirements within the financial services industry. The focus is in particular on the establishment of data categorization and grading systems within the industry, and the formulation of category- and grade-specific data security requirements. Data Handlers must record and report their internal data categorization and grading results, which will form the basis for PBOC’s formulation of the important data catalogue(s) for this industry, which are themselves highly anticipated.

Before the Draft Measures, PBOC had issued several important financial data security standards, such as the Guidelines on Data Security Classification for Financial Data Security (JR/T 0197-2020) and the Specification on Data Life Cycle Security for Financial Data Security (JR/T 0223-2021). The requirements of the Draft Measures are in general consistent with those earlier standards.

Next steps: Assuming there will not be significant changes to the Draft Measures before they are implemented, it is time for Data Handlers to start (if they have not already done so as part of their PIPL compliance programmes) thoroughly mapping out their Regulated Data processing activities, covering both personal data and industry or business data. Based on the mapping results, data categorization and grading work must be started, to form the basis for the establishment of a data protection framework and supporting policies and procedures once the Draft Measures are finalised and come into force.

SINGAPORE: Proposed Guidelines on Use of Personal Data in AI Systems https://privacymatters.dlapiper.com/2023/08/singapore-proposed-guidelines-on-use-of-personal-data-in-ai-systems/ Wed, 02 Aug 2023 14:46:59 +0000

Authors: Carolyn Bigg, Lauren Hurcombe and Yue Lin Lee.

On 18 July 2023, Singapore’s Personal Data Protection Commission (“PDPC”) issued for public consultation a set of proposed guidelines for the use of personal data in AI recommendation and decision systems (“Proposed Guidelines”). The public consultation is open until 31 August 2023.

The Proposed Guidelines aim to clarify the application of the Singapore Personal Data Protection Act (“PDPA”) in the context of developing and deploying AI systems involving the use of personal data for making recommendations or predictions for human decision-makers or autonomous decision-making.

Key takeaways for businesses:

  1. Exceptions to consent may apply: Under the PDPA, businesses are required to obtain consent for the collection and use of personal data unless deemed consent or an exception applies. The Proposed Guidelines clarify that the Business Improvement Exception may be applied by the organisation when it is either developing a new product, enhancing an existing one, or using an AI system to boost operational efficiency and offer personalised services. This also extends to data sharing within company groups for these purposes. Relevant applications include social media recommendation engines and AI systems enhancing product competitiveness.

In addition, the Research Exception may also be considered by the organisation when it conducts commercial research to advance science and engineering without a product development plan. This includes collaborative research with other companies. For the Research Exception to apply, several conditions must be met, including that data in individually identifiable form is essential for the research and there also needs to be a clear public benefit. However, it may be difficult for organisations to rely on this exception given there is traditionally a high threshold for a public benefit to accrue.

  2. Consent and Notification Obligations continue to apply: If relying on consent instead of an exception under the PDPA, organisations should craft consent language that enables individuals to give meaningful consent. The Proposed Guidelines highlight that the consent need not be overly technical or detailed, but should be proportionate having regard to the potential harm to the individual and the level of autonomy of the AI system. For example, a social media platform providing personalised content recommendations should explain why specific content is shown and the factors affecting the ranking of posts (e.g., past user interactions or group memberships).
  3. Navigating B2B AI deployments: Where businesses engage professional service providers to provide bespoke or fully customisable AI systems, such service providers may be acting as data intermediaries / data processors and are subject to obligations under the PDPA in relation to the protection and retention of personal data. To support businesses in meeting their consent, notification and accountability obligations, service providers should adopt practices such as pre-processing stage data mapping and labelling and maintaining training data records. Service providers should familiarise themselves with the information needed to meet their customer’s PDPA obligations and design systems to facilitate extraction of the information relevant to these obligations. In addition, organisations should undertake a data protection impact assessment when deploying, using or designing AI systems.

Our observations

The Proposed Guidelines build on the PDPC’s existing Model AI Governance Framework (PDPC | Singapore’s Approach to AI Governance) (first released in 2019 and updated in 2020), and are in line with Singapore’s pro-innovation, business-friendly approach in developing AI in a lawful but pragmatic way.

In recent months, the APAC region has seen a trend of businesses harnessing data to develop and deploy AI systems, fueled by pro-innovation and pro-collaboration regulations across the region, such as the new generative AI measures in China. While countries in the region are considering their unique approach in AI regulation, a common thread is the recognition of the pivotal role that data plays in powering AI solutions.

The Draft Advisory Guidelines on use of Personal Data in AI Recommendation and Decision Systems may be accessed here.

To find out more on AI and AI laws and regulations, visit DLA Piper’s Focus on Artificial Intelligence page and Technology’s Legal Edge blog.

Please contact Carolyn Bigg (Partner), Lauren Hurcombe (Partner) or Yue Lin Lee (Senior Associate) if you have any questions or to see what this means for your organisation.
