Privacy Matters https://privacymatters.dlapiper.com/category/compliance-programs-and-policies/ DLA Piper's Global Privacy and Data Protection Resource

CHINA: Mandatory Data Protection Compliance Audits from 1 May 2025
https://privacymatters.dlapiper.com/2025/02/china-mandatory-data-protection-compliance-audits-from-1-may-2025/
Thu, 20 Feb 2025

Chinese data regulators are intensifying their focus on the data protection compliance audit obligations under the Personal Information Protection Law (“PIPL”), with the release of the Administrative Measures for Personal Information Protection Compliance Audits (“Measures”), effective 1 May 2025.

The Measures outline the requirements and procedures for both self-initiated and regulator-requested compliance audits.

(Interestingly, they also clarify some other PIPL obligations, such as the data volume threshold for appointing a DPO as well as the necessity of separate consent for some processing activities.)

Who must conduct data protection compliance audits, and when?

The Measures require a data controller processing personal data of more than 10 million individuals to conduct a self-initiated compliance audit of its personal data processing activities (“Self-Initiated Audits”) at least once every two years.

Data controllers below this volume threshold should still conduct Self-Initiated Audits on a regular basis as is already prescribed under the PIPL, as a matter of good governance.

In addition, the CAC or other data regulators may instruct any data controller to conduct an audit (“Regulator-Requested Audits”):

  1. when personal data processing activities are found to involve significant risks, including serious impact on individuals’ rights and interests or a serious lack of security measures;
  2. when processing activities may infringe upon the rights and interests of a large number of individuals; or
  3. following a data security incident involving the leakage, tampering, loss, or damage of personal information of one million or more individuals, or sensitive personal information of 100,000 or more individuals.

The audit report for Regulator-Requested Audits must be submitted to the regulator. The regulator may request data controllers to undertake rectification steps, and a subsequent rectification report must be provided to the regulator within 15 business days of completing the rectification steps.

Data controllers may, if they wish or when requested by the regulator, engage an accredited third party to conduct the audit (but the third party and its affiliates must not conduct more than three such audits in total for the same organisation).  

DPOs of data controllers processing personal data of more than one million individuals are responsible for overseeing the audit activities.

Key elements to be audited

The Measures outline a detailed set of key elements to be audited, which offer valuable insights into the compliance steps regulators expect controllers to take to meet their PIPL obligations, and will help organisations to scope their audits. Unsurprisingly, these elements cover every facet of PIPL compliance, spanning the whole data lifecycle. They include: lawful bases, notice and consent, joint controllership, sharing or disclosing personal data, cross-border data transfers, automated decision-making, image collection/identification equipment, processing publicly available personal data, processing sensitive personal data, retention and deletion, data subject right requests, internal data governance, data incident response, privacy training, Important Platform Providers’ platform rules and CSR reports, etc.

VIETNAM, MALAYSIA AND INDONESIA: what you need to know about the new SE Asia data protection laws
https://privacymatters.dlapiper.com/2024/10/vietnam-malaysia-and-indonesia-what-you-need-to-know-about-the-new-se-asia-data-protection-laws/
Thu, 31 Oct 2024

It’s the turn of South-East Asian countries to update their data protection laws. Here is our summary of the proposed new data protection laws in Vietnam, Malaysia and Indonesia. Organisations are advised to update their data protection compliance programmes as soon as possible to reflect these developments.

Vietnam

Vietnam issued its first draft of a new Personal Data Protection Law (“PDPL”) in September 2024, for public consultation. The PDPL is anticipated to be adopted in May 2025, and it is tentatively scheduled to come into effect on 1 January 2026. The draft PDPL aims to create a more robust framework for data protection in Vietnam by unifying, clarifying, enhancing and supplementing the existing data protection rules set out in Vietnam’s existing Personal Data Protection Decree (“PDPD”). It remains unclear how the PDPD and draft PDPL will work together in practice, although some commentators suggest the PDPL will supersede the PDPD.

In addition to setting out eight personal data protection principles, the draft PDPL focuses on discussing specific compliance requirements for a number of processing activities and industries, including direct marketing, behavioural advertising, big data, AI, cloud computing, employee monitoring and recruitment, financial and credit information, health, insurance and social media. Key highlights proposed in the draft PDPL include (this is not a comprehensive list):

  • Extra-territorial effect: the draft PDPL extends the scope under PDPD to cover processing of foreigners’ personal data within Vietnam.
  • Consent: like the PDPD, consent remains the key legal basis for data processing, and separate consents are required for specific data processing activities.
  • Clarified definitions: the draft PDPL clarifies the distinction between ‘basic personal data’ and ‘sensitive personal data’. New definitions are also introduced, including, amongst others, ‘developers’ and ‘personal data protection organization’. The data protection authority – currently known as A05 – would change its name if the draft PDPL is implemented.
  • Updates to DPIA/TIA dossier filings: the now-familiar data processing impact assessment dossiers (“DPIA Dossiers”) for controllers and processors and transfer impact assessment for transferors (“TIA”) would have to be updated upon certain material changes to the organisation were the draft PDPL to be implemented.
  • Data protection department: companies would be required to have a data protection department overseeing personal data processing (although this could be outsourced to external service providers), as well as an expert (like a DPO) meeting certain eligibility criteria, with an initial short-term (two-year) exemption for new small businesses.
  • Certification mechanism: the draft PDPL would introduce a data protection certification scheme, whereby certain organisations could earn trust ratings based on an assessment of their personal data protection practices.
  • Breach reporting deadlines: the timescale for notifying authorities of breaches of personal data protection regulations is clarified as being 72 hours.

Malaysia

Significant changes to Malaysia’s Personal Data Protection Act (“PDPA”) were recently passed via the Personal Data Protection (Amendment) Act (subject to royal assent), and are anticipated to come into effect soon. The PDPA is now quite old (first passed in 2010), and so the amendments are largely intended to update the Malaysian data protection framework and align it with more modern data protection laws elsewhere in Asia. The key amendments are:

  • mandatory breach notification;
  • mandatory appointment of DPOs;
  • direct obligations on data processors;
  • data portability rights for data subjects;
  • change of “data user” terminology to the more familiar “data controller”;
  • expanding sensitive personal data to include biometric data;
  • removing rights of deceased individuals re their personal data;
  • increased penalties (now fines of up to MYR1,000,000 and/or imprisonment of up to three years); and
  • updating the cross-border data transfer framework, to remove the “whitelist” of approved jurisdictions, and instead allowing transfers to jurisdictions with equivalent standards of protection.

Besides the amendments to the PDPA, the Commissioner will develop guidelines to supplement the PDPA. The guidelines will cover areas including data breach notification, appointment of data protection officer, data portability, cross border data transfer, data protection impact assessment, privacy by design, and profiling and automated decision making.

Indonesia

Finally, a reminder that Law No.27 of 2022 on Personal Data Protection (“PDP Law”), Indonesia’s first omnibus data protection law, came into full effect, after a two-year grace period, on 17 October 2024. For further information about the compliance obligations introduced by the PDP Law, please see our earlier updates “Indonesia: prepare now for the new Personal Data Protection Law” and “INDONESIA: Personal Data Protection Law PDPL Now in Force”.

CHINA: Enhanced and clarified data compliance obligations on handlers of “network data”, covering personal information and important data, and operators of online platforms from 1 January 2025
https://privacymatters.dlapiper.com/2024/10/china-enhanced-and-clarified-data-compliance-obligations-on-handlers-of-network-data-covering-personal-information-and-important-data-and-operators-of-online-platforms-from-1-january-2025/
Wed, 16 Oct 2024

Additional and clarified data compliance obligations will soon come into force under the long-awaited Network Data Security Management Regulation (“Regulation”), which was released on 30 September 2024. The Regulation is formulated under the existing data protection framework pillars of the Cyber Security Law, the Data Security Law and the Personal Information Protection Law (“PIPL”), and provides practical implementation requirements and guidance on various aspects of data compliance, covering both personal information and certain non-personal information categories. The Regulation will take effect from 1 January 2025.

Scope

The Regulation governs “network data”, and the compliance obligations primarily apply to “network data handlers”.

  • Network data: the Regulation governs electronic data processed and generated via networks (“network data”) and applies to all processing of network data within Mainland China. A “network” means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures. So, in practice, this captures all electronic data processed or generated online (including personal information and non-personal information).
  • Network data handler: a “network data handler” refers to the party that autonomously determines the purposes and means of processing network data. That is akin to a data controller when it comes to personal information. In practice, this would include communication network operators, online service providers and users.

The Regulation has extra-territorial effect. This means that, if a foreign entity processes personal information of Mainland China residents outside of Mainland China, the requirements of the Regulation and the PIPL will apply if the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour.

As has become common with China data regulations, if a foreign (non-Chinese) entity’s processing of network data outside of Mainland China may harm China’s national security, public interests, or the legitimate rights and interests of Chinese citizens or organizations, the Regulation restates Chinese authorities’ power to hold the foreign entity liable in accordance with other applicable laws. It remains unclear how these powers may be enforced in practice against non-Chinese entities without a presence in Mainland China.

Key Compliance Obligations

The Regulation focuses on four key areas:

  • personal information privacy: enhancements and clarifications to the existing China personal information protection framework as it pertains to “network data”;
  • “large scale” personal information handlers: introduces additional reporting obligations on data controllers of large volumes of personal information;
  • important data: imposes significant additional governance obligations to the existing “important data” compliance framework, and clarifies how organisations can assess whether or not they handle important data; and
  • online platform operators: extends existing compliance obligations to manufacturers of smart terminal devices with pre-installed applications, and imposes additional reporting and governance obligations on “large-scale network platforms”.

Impact on Data Privacy Compliance

Key developments as regards network data handlers processing personal information include:

  • Security defects, threats and risks: the timescale for network data handlers to report data incidents (i.e. security defects, threats or risks involving its products or services) is reduced, so that an incident must be reported within 24 hours of identification if it could harm national security or public interests. However, the Regulation does not specify what defects, threats or risks could harm national security or the public interest or provide any assessment methods.
  • Data processing agreements (“DPAs”) and record-keeping: the obligation on a network data handler to enter into a DPA with each third party to which it transfers personal information is now clarified to include C2C (controller to controller) transfers as well as C2P (controller to processor) transfers. The DPA and relevant processing records must be kept for at least three years. This obligation is also now clarified to extend to the sharing of important data with third parties, not just personal information.
  • Data portability: the PIPL gives data subjects the right to data portability (although it is little used in practice by data subjects in China). The Regulation now sets out the conditions that must be met to exercise such right, namely: (i) verifying the true identity of the data subject; (ii) the legal basis for processing the concerned personal information must either be consent or contract necessity; (iii) the transfer is technically feasible; and (iv) the transfer will not harm the legitimate rights and interests of others. Further, it is now clarified that, if the number of requests significantly exceeds a reasonable range, the network data handler may charge necessary costs of fulfilling the request. Please note that the right to data portability still only covers personal information. Unlike the EU Data Act, the portability of other non-personal business or operation data is not addressed under the Regulation.
  • Foreign entities keeping and reporting institutions/representatives in China: The Regulation clarifies the procedure for complying with the PIPL requirement for foreign entities processing the personal information of Mainland China residents outside of Mainland China to establish a dedicated institution or designate a representative within Mainland China for personal information protection and to report the name and contact information of such institution/representative, where the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour. According to the Regulation, such information should be reported to the municipal-level data authority, which will then forward it to other relevant regulators at the same level. However, foreign entities still need to watch out for further clarifications regarding other aspects of this requirement such as the reporting timeframe.

Obligations re Important Data

  • Defining/identifying important data: the Regulation follows the current approach whereby industry regulators have been tasked to formulate (and some have already formulated) important data catalogues, setting out what will be deemed to be “important data” in their industry sector. However, unfortunately the Regulation seems to indicate that such important data catalogues will not be an exhaustive list of important data, and instead they should be treated more as industry guidelines to help organisations classify whether data constitutes important data, and then report it to the industry regulators as required under existing reporting/monitoring rules. Therefore, unfortunately, the most critical question, i.e. what constitutes important data, is still not clearly answered. Rather unhelpfully, instead of waiting for important data catalogues to be published, network data handlers operating in sensitive industries may now need to be prepared to identify and report their own important data based on the guidelines given by the authorities.
  • DPA: it is now clear that a network data handler must enter into a DPA with each third party to which it transfers important data, and that each such DPA must be kept for at least three years. This is a unique requirement for Mainland China, and means that organisations will potentially need to extend their template DPAs to cover important data as well as personal information.
  • Network data security officer appointment: a network data handler that handles important data must appoint a “network data security officer” (who shall be a member of senior management) and establish a “network data security management department”. They shall be responsible for: formulating network data protection policies and procedures; organizing training and drills; monitoring daily data processing activities; and handling claims, investigations and other data protection related matters pertaining to important data. This is in addition to existing obligations to appoint a DPO, DSO and CSO.
  • Transfer assessment: an important data handler must conduct a risk assessment before transferring important data to any third party, including in the case of entrusted or joint processing (except where the transfer concerned is mandatorily required by law). The assessment should include, inter alia, the data recipient’s data protection capabilities and overall compliance status; and the effectiveness of the contract with the data recipient to comply with relevant data protection obligations. This appears to be closer to a PIIA for personal information than an EU-style DPIA or TIA, but we await a template assessment form or further guidance from the regulators on this.
  • Reporting during M&A and corporate reorganisations, etc.: if the security of important data may be affected by an important data handler’s M&A, corporate reorganization, dissolution, bankruptcy or other similar events, the handler must take measures to ensure data security, and report information regarding the data recipients and related matters to the relevant industry regulator and/or data authority at provincial level or above.
  • Annual assessment report: an important data handler must carry out a risk assessment of its data processing activities once a year, and submit the assessment report to the relevant industry regulator at provincial level or above. Details of what these annual reports must include, and how to submit them, have not yet been published; and it is also unclear how these align with the proposed mandatory data compliance audits recently proposed by the China data protection authorities.

Obligations on “Large Scale” Personal Information Handlers

The Regulation requires a network data handler that processes personal information of more than 10 million data subjects to comply with the “network security officer appointment” and “reporting during M&A and corporate reorganisations etc.” obligations (discussed above) in the same way as an important data handler. However, the Regulation does not address whether the personal information of more than 10 million data subjects per se constitutes important data.

Obligations on Online Platform Operators

The Regulation emphasizes existing obligations on online platform operators (that is, operators of websites, mobile apps, etc.) to monitor and supervise data processing activities carried out by the users or third parties via their platforms. For example:

  • platform operators must formulate rules and put in place effective contracts with third parties residing on the platform to clarify data protection obligations and responsibilities; and
  • app store operators must conduct security assessments of the applications distributed via their stores, and remove non-compliant applications if the compliance gaps cannot be effectively remediated.

Notably, the Regulation now extends the definition of online platform operators to manufacturers of smart terminal devices with pre-installed applications (such as mobile phone and smart home product manufacturers), and requires them to comply with online platform operators’ obligations in addition to hardware manufacturers’ obligations.

The Regulation also introduces a definition of “large scale network platforms” as online platforms which have more than 50 million registered users or more than 10 million monthly active users, offer complex types of services, and may have significant impact on national security, economy and people’s livelihood. The Regulation further provides that large scale network platform operators are subject to additional obligations such as publishing an annual social responsibility report discussing how personal information protection matters are handled, and implementing measures to prevent unfair competition conducted via the platforms, etc.

Next Steps

The Regulation adds to, rather than replaces, the existing – complex and ever-evolving – China data protection framework, and requires organisations handling China data to update their China data compliance programmes to prepare for these additional compliance obligations before the start of 2025.

Further, as indicated by the Regulation, data incident reporting, DPAs, record-keeping and compliance assessments/reporting will likely become the new compliance focus of the China data authorities in 2025.

Online platform operators’ responsibilities of monitoring in-platform data processing activities will still be an enforcement focus. Meanwhile, smart device manufacturers – who will now be regulated as online platform operators – will face a new set of complex obligations, and so are recommended to familiarize themselves with the requirements and upgrade their compliance programmes before the end of the year.

US: Open Banking Regulation Arrives in the US
https://privacymatters.dlapiper.com/2024/01/us-open-banking-regulation-arrives-in-the-us/
Wed, 17 Jan 2024

In 2010, Congress included a provision in the Consumer Financial Protection Act (CFPA) requiring that the Consumer Financial Protection Bureau (CFPB or Bureau) promulgate rules effectuating what is commonly referred to as “Open Banking.” Specifically, the rules would require any entity that engages in offering or providing a consumer financial product or service to make available information concerning the financial products or services that the consumer received from the entity. However, it was not until October 2023 that the CFPB issued a proposed rule to implement the CFPA’s open banking/consumer financial data right.

In the intervening time, the European Union put into place the Payment Services Directive 2 (PSD2), which mandated that banks open their data to third parties with consumer consent.

This post provides a brief overview of the CFPB’s proposal (the public comment period for the proposed rule closed on December 29, 2023, and the final rule can be expected in the coming months) and compares the rule’s requirements to those in PSD2.

Who is covered

The CFPB’s proposed rule takes a phased approach to making consumer financial data available to both consumers and authorized third parties, applying to a limited set of data providers and covered financial products, services, and information. The proposed rule would apply to the following types of financial products and services: (1) demand deposit (checking), savings, or other consumer asset accounts subject to Regulation E, (2) credit cards subject to Regulation Z, and (3) payment facilitation from Regulation E accounts or Regulation Z credit cards (such as digital wallet services). The proposed rule defines “data providers” as covered persons subject to the CFPA that are financial institutions as defined by Regulation E (e.g., banks, savings associations, credit unions), credit card issuers as defined by Regulation Z, or any other persons that control or possess information concerning a covered consumer financial product or service the consumer obtained from those persons. While the proposal does not cover other types of consumer financial products or services, such as mortgages, student loans, or other closed-end lending products, the CFPB intends to conduct supplemental rule-making proceedings to expand the scope of the open banking rule.

For purposes of the proposed rule, a “consumer” means a natural person; the term also includes trusts that are established for tax or estate planning purposes (which notably are not included under current US federal financial privacy law). A “third party” is any person or entity that is not the consumer to whom the covered data pertains or the data provider that controls or possesses the consumer’s covered data. A “data aggregator” is an entity that is retained by and provides services to an authorized third party to enable access to covered data.

Requirements for data providers

Under the proposed rule, when a data provider receives a request from a consumer or an authorized third party for “covered data” in the data provider’s possession or control, the data provider must make the covered data available in an electronic machine-readable file that consumers and authorized third parties can retain.

“Covered data” includes:

  • Transaction information (including 24 months of historical transaction information): information about individual transactions, including payment amount, date, payment type, pending or authorized status, payee or merchant name, rewards credits, fees, finance charges.
  • Account balance: available funds in an asset account or credit card balance.
  • Information to initiate payment to or from a Reg E account: actual or tokenized account and routing numbers used to initiate an ACH transaction.
  • Terms and conditions: Contractual terms under which data provider provides financial products or services to the consumer. Includes pricing (APR, APY, fees, other pricing), rewards program terms, and dispute resolution (i.e., arbitration) requirements.
  • Upcoming bill information: Payments scheduled through the data provider (e.g., recurring or scheduled online bill pay transactions), payments due to the data provider.
  • Basic account verification information: Name, address, email address, phone number associated with the covered financial product or service.

Data providers will need to establish a consumer interface to field consumer requests for covered data and a developer interface for covered data requests from authorized third parties and data aggregators. Notably, data providers will not be able to charge either consumers or authorized third parties fees to provide covered data or for developing or maintaining the respective interfaces. The rule would establish performance requirements for the developer interface (similar to a service level agreement in a contract): the developer interface must “properly respond” to 99.5% of the requests for covered data, and a data provider may not unreasonably restrict the frequency with which it receives and responds to requests for covered data. Data providers’ developer interfaces also will need to comply with the Gramm-Leach-Bliley Act’s (GLBA) information security requirements.

While the proposed rule does not explicitly prohibit authorized third parties from using screen scraping methods to obtain covered data from data providers, the notice of proposed rulemaking discussion clearly describes screen scraping as a disfavored practice. The CFPB refers to screen scraping as a security risk (as it proliferates the use of consumers’ account credentials), a method that can cause over-collection of consumer data and lead to data inaccuracies, and a practice that can overburden data providers’ systems and increase their liability risks. The Bureau’s proposed rule clearly intends for the developer portals to be the primary way third parties and data aggregators access covered data from data providers.

Data providers will need to have reasonable written policies and procedures for complying with the rule and will need to make certain information publicly available, such as developer interface documentation (technical data to help third parties use the interface) and performance data for the developer portal.

Requirements for third parties and data aggregators

To obtain covered data on behalf of a consumer under the proposed rule, a third party must obtain a consumer’s authorization. The authorization must be clear and conspicuous and be separate from other materials or terms. To be valid, the authorization must be signed (electronic or written) by the consumer and include the following information:

  • The name of the third party that will be authorized to access covered data.
  • The name of the data provider that controls or possesses the covered data that the third party seeks to access on the consumer’s behalf.
  • A brief description of the product or service that the consumer has requested the third party provide and a statement that the third party will collect, use, and retain the consumer’s data solely for the purpose of providing that product or service to the consumer.
  • The categories of covered data that will be accessed.
  • A statement that the third party certifies that it agrees that it will limit its collection, use, and retention of covered data to what is reasonably necessary to provide the consumer’s requested product or service.
  • A description of the mechanism a consumer may use to revoke the authorization.
  • The name of any data aggregator that will assist the third party with accessing covered data and a brief description of the services the data aggregator will provide.

If a third party uses a data aggregator to obtain covered data, the data aggregator may provide consumers with the authorization notices and obtain consumers’ express consent on behalf of the third party. The data aggregator would need to provide its own certification to the consumer regarding compliance with the rule and the restrictions on the collection, use, and disclosure of the consumer’s covered data. The third party would still be responsible for complying with the rule’s authorization requirements.

A consumer’s authorization, unless revoked earlier, would remain in effect for 12 months. Third parties will need to obtain fresh consumer authorizations every 12 months. When an authorization expires, a third party may no longer collect covered data from a data provider, and the third party may no longer use or retain covered data that was collected pursuant to the expired authorization unless the retention of that covered data remains reasonably necessary to providing the consumer’s requested product or service.

As described in the authorization form requirements above, a third party may only collect, use, and disclose covered data as reasonably necessary to provide a specific product or service that a consumer requested. The proposed rule would not permit covered data to be collected, used, or disclosed for any secondary purposes, and the proposal expressly prohibits collecting, using, or disclosing covered data for targeted advertising purposes, to cross-sell other products or services, or for any sale of covered data.

The systems that a third party uses to collect, use and retain covered data would need to comply with GLBA’s information security requirements; if a third party is not already subject to GLBA’s security requirements, it would need to comply with the prescriptive security requirements of the Federal Trade Commission’s Safeguards Rule, 16 CFR Part 314.

Third parties would need to maintain their own internal written policies on procedures to comply with the rule and the rule’s record retention requirements.

Industry standards and compliance dates

The proposed rule contemplates that data providers’ and third parties’ compliance with qualified industry standards issued by a CFPB-recognized standard-setting body could be used as indicia of compliance with the rule. However, the proposed rule did not identify or discuss any existing industry standards that could meet the Bureau’s requirements.

The proposed rule sets forth staggered compliance deadlines for data providers; the proposed rule does not include any compliance deadlines for third parties. The data provider compliance dates turn on the size of the respective data provider.

  • The largest data providers, depository institutions with at least $500 billion in total assets and nondepository institutions that generated at least $10 billion in revenue in the preceding calendar year or that are projected to do so in the current calendar year, would need to comply with the rule within 6 months after the final rule is published in the Federal Register.
  • Depository institutions with at least $50 billion in total assets and non-depository institutions that generated less than $10 billion in revenue in the preceding calendar year or that are projected to generate less than $10 billion in revenue in the current calendar year, would need to comply with the rule within 1 year after the final rule is published.
  • Depository institutions with at least $850 million in total assets would need to comply with the rule within 2 1/2 years after the final rule is published in the Federal Register.
  • Depository institutions with less than $850 million in total assets would need to comply with the rule within 4 years after the final rule is published.

As the comment period has now closed, the CFPB is in the process of reviewing the comments it received from the public.

Comparison with EU PSD2 Requirements

The EU PSD2 provides rules to ensure legal certainty for consumers, merchants, and companies within the payment chain and modernizes the legal framework for the market for payment services. It introduced several novelties in the payment services field, creating new opportunities for payment service users and enhancing transparency.

In particular, the PSD2 gave Open Banking a stable regulatory framework by regulating new types of payment service providers which play a significant role in the Open Banking process: account information service providers (AISPs) and payment initiation service providers (PISPs).

AISPs and PISPs offer value-added services to users by accessing their account data held by banks and other payment account providers, upon users’ request. While PISPs are able to initiate payment orders at the request of a user concerning the user’s payment account held at another payment service provider, AISPs gather and consolidate information on one or more payment accounts held by the user either with another payment service provider or with more than one payment service provider, thus allowing the user to have an overall view of their financial situation at any given moment.

Unlike the CFPB’s proposed rule, which applies to financial data relating to “consumers,” the PSD2 applies to payment service providers which target both individuals and legal entities. However, similar to the CFPB’s proposed rule, the PSD2 excludes some financial product and service providers from its scope, such as services that entail creditworthiness assessments of the payment service user or audit services performed based on the collection of information via an account information service as well as accounts other than payment accounts (e.g., savings, investments).

The PSD2 states that any processing of personal data, including the provision of information about the processing, for the purposes of the PSD2, shall be carried out in accordance with the General Data Protection Regulation (GDPR). However, the interplay of the GDPR and the PSD2 generated several uncertainties which the European Data Protection Board (EDPB) has partially addressed in its Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR.

General requirements for AISPs and PISPs under the EU PSD2

The PSD2 regulates the legal conditions under which PISPs and AISPs may access payment accounts to provide their services to users and imposes obligations vis-à-vis banks and other credit institutions holding users’ information.

  • User consent and mandatory sharing of user information

The PSD2 provides that the access and use of payment and account information services are rights of the user, meaning that the providers holding such information (usually banks) must share users’ information with PISPs and AISPs, upon users’ explicit consent.

Nonetheless, the PSD2 does not set an “expiration date” on this authorization. It merely provides that payment service providers shall only access, process, and retain personal data necessary to provide their payment services, with the user’s explicit consent.

This explicit consent should be regarded as an additional requirement of a contractual nature about the access to and subsequent processing and storage of personal information to provide payment services and is, therefore, not the same as express consent under the GDPR. When entering into a contract with a payment service provider under the PSD2, users must be made fully aware of the specific categories of personal information that will be processed. Further, they must be made aware of the specific (payment service) purpose for which their personal information will be processed and must explicitly agree to these clauses. Such clauses should be clearly distinguishable from other matters dealt with in the contract and must be explicitly accepted by the users (similar to the CFPB’s proposed requirement that a consumer’s authorization be separate from any other terms).

Further transparency obligations on the purpose for which users’ data is processed arise from the GDPR.

  • Secondary use and purpose limitation

Ever since the PSD2 entered into force in 2016, the provision of ancillary value-added services has become the primary business model for the AISPs and PISPs operating on the European market. It is common for PISPs, in addition to enabling payments to merchants on the Internet, to offer ancillary services such as reloading funds to prepaid cards or paying commercial invoices, while AISPs may also offer services aimed at improving customers’ financial habits by planning expenses and savings or supporting credit scoring processes.

However, similar to the prohibition of secondary use envisaged by the CFPB’s proposed rule, the PSD2 considerably restricts how AISPs and PISPs may process data for purposes other than providing the service requested by the user. This limitation must be read in conjunction with the principle of purpose limitation set forth by the GDPR, with the result that the processing for another purpose is not allowed unless the user has given consent under the GDPR or the processing is required by EU or member state law to which the AISP or PISP is subject (e.g., anti-money laundering purposes).

As a result, AISPs and PISPs must collect end-customer consents distinguishing between those required under PSD2 (i.e., consents allowing access to users’ data by intermediaries offering PIS and AIS services) and those necessary under the GDPR (i.e., consents allowing the extracted information to be transferred to other parties or processed to pursue purposes other than those strictly necessary to provide payment services).

Therefore, the PSD2 considerably restricts the possibilities for processing users’ data for other purposes incompatible with the one for which this data is initially collected.

  • Data minimization 

The PSD2 considerably restricts the ability of AISPs and PISPs to collect data beyond the minimum necessary to provide the service requested by the user, meaning that data collection and subsequent processing shall be limited to the strictly necessary, consistently with the data minimization principle set forth by the GDPR.

For instance, AISPs’ access is limited to the information from designated payment accounts and associated payment transactions. They shall not use, access, or store any data for purposes other than for performing the account information service explicitly requested by the user, in accordance with the GDPR, which emphasizes that personal data can only be collected for specified, explicit, and legitimate purposes.

Therefore, an AISP should make explicit in the contract the specific purposes for which personal account information will be processed, in the context of its account information service.

  • Data retention 

Unlike the CFPB’s proposed rule, the PSD2 does not envisage data retention terms, but the GDPR does. Besides collecting the minimum amount of data possible, the service provider must also envisage limited retention periods: open-ended retention terms or permanent data storage are generally incompatible with the GDPR. As such, personal data should only be stored by the service provider for a period related to the purposes requested by the payment service user.

  • Implementation of security measures and identification requirements

The implementation of adequate security measures is directly addressed by the PSD2, which, similar to the CFPB’s proposed rule, relies on standards promulgated by a dedicated body.

Under the PSD2, PISPs and AISPs, on the one hand, and the account servicing payment service provider, on the other hand, should observe the necessary data protection and security requirements established by, or referred to in, the PSD2 or included in the regulatory technical standards.

The latter are included in the Commission Delegated Regulation (EU) 2018/389, which sets forth regulatory technical standards for strong customer authentication and common and secure open communication standards.

Moreover, the GDPR always requires organizations to implement appropriate security measures, considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the likelihood and severity of risks to the rights and freedoms of natural persons.

The upcoming revision of the EU PSD2

Although the PSD2 has significantly contributed to the development of the European payments market and improved customer protection and the efficiency, transparency, and choice of payment instruments, a few shortcomings have emerged, such as regulatory deficiencies regarding new players and services in the payments market, divergences in implementation across Member States, and unclear alignment with other EU legislation.

To address these issues, the European Parliament has published a proposal to revise the PSD2, comprising a proposal for a directive on payment services and electronic money services (PSD3) and a proposal for a regulation on payment services in the internal market (PSR).

CHINA: Final China SCCs for CBDT published – What you need to know (https://privacymatters.dlapiper.com/2023/02/china-final-china-sccs-for-cbdt-published-what-you-need-to-know/), Tue, 28 Feb 2023 04:18:10 +0000. Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, and Gwyneth To

Summary: The final version of the China SCCs has now been published, meaning those organisations that haven’t had to apply for CAC approval for their cross-border transfers of personal information now have until 1 December 2023 to:

  • sign the China SCCs with overseas recipients of personal information; and
  • file a copy of the signed China SCCs and accompanying PIIA with the local branch of the CAC.

Otherwise, for those organisations that must follow the China SCCs route, cross-border data transfers must stop until these steps are taken.

Additional guidance has been given to support those organisations assessing whether they must follow the CAC assessment/approval or China SCCs routes.

Background: The long-awaited final version of the China standard contractual clauses for cross-border transfers of personal information (“China SCCs”) was finally published on 24 February 2023 by the Cyberspace Administration of China (“CAC”) via the Measures for Standard Contracts for Transferring Personal Information Overseas (“Measures”).

Timing: There is a grace period until 1 December 2023 for personal information controllers to:

  • sign the new China SCCs with overseas recipients of their personal information; and
  • file a copy of the signed China SCCs, together with the corresponding personal information impact assessment (“PIIA”, China’s version of the GDPR DPIA) completed by the organisation, with the local branch of the CAC.

The Measures will come into force on 1 June 2023, and organisations then have six months from this date to take these steps.

Who must put in place the China SCCs: personal information controllers that do not meet the thresholds for the CAC assessment/approval route, or the CAC certification for non-China personal information controllers, must follow this China SCCs route to legitimise their transfers of personal information outside of Mainland China.

By way of reminder:

  • those organisations that must follow the CAC assessment/approval route are: (1) organisations designated as a Critical Information Infrastructure Operator; (2) organisations that export “important data”; (3) organisations that process personal information of more than one million individuals and intend to export some of it; or (4) personal information controllers that transfer overseas (i) personal information of more than 100,000 individuals in aggregate, or (ii) sensitive personal information of more than 10,000 individuals in aggregate, where “in aggregate” means in the period from 1 January of the preceding year; and
  • non-China personal information controllers should instead follow the alternative CAC certification route (details not yet published).

Strictly, personal information controllers that must follow the CAC assessment/approval route or the CAC certification route need not sign and file the China SCCs. Indeed, as noted below, the China SCCs are drafted assuming that the personal information controller is a Mainland China entity. That said, it would be sensible for such organisations nonetheless to sign the China SCCs with overseas recipients of China personal information as evidence of good practice, even if they don’t need to do so within the grace period or to file them.

China SCCs apply to C2C and C2P transfers: Unlike the GDPR, the SCCs do not differentiate between controller-to-controller or controller-to-processor transfers.

The obligation to sign and file the China SCCs is on the Chinese personal information controller. It appears that, in a C2C situation, both personal information controllers (assuming both are Chinese entities and are subject to the China SCCs route) have their own obligation to file the signed China SCCs (together with each of their independent PIIAs conducted for the transfer).

It is unclear from the Measures whether personal information processors must sign and file the China SCCs with their sub-processors. While we await guidance on this, it is advisable as a matter of good practice to flow down the China SCCs to those sub-processors.

China SCCs cannot be negotiated but can be added to: Similar to the GDPR SCCs, the China SCCs must be executed “as is”. This is good news for personal information controllers who will be seeking to sign the China SCCs with the big technology vendors, as it should expedite the signing process.

On the other hand, unlike the GDPR SCCs, organisations may negotiate additional (i.e., enhanced) terms with overseas data recipients, provided that these do not conflict with the China SCCs. However, in practice, we anticipate many data processors will be reluctant to sign terms over and above the China SCCs.

Filing practicalities: Organisations must submit a filing to the local CAC branch, including:

  • the signed China SCCs – Chinese language; it is unclear whether bilingual versions will be accepted; and
  • the corresponding PIIA,

within 10 business days of the China SCCs taking effect (i.e., from the signing or effective date of the China SCCs stated on the signed version).

So effectively a filing will be needed for each overseas transfer/recipient.

Details of the in-person or online filing procedure have not yet been published.

It is unclear whether “any other agreements” related to the transfers must be filed. We had previously understood that just the signed China SCCs would need to be filed, meaning that including the China SCCs in a standalone supplement to the global DPA or underlying agreement would be sensible, to manage risks of disclosing additional or commercial terms unnecessarily to the CAC. It is unclear whether that approach is sustainable, or whether the CAC will expect the full agreement, or a partially redacted version of the full agreement, to be disclosed as well. We hope the CAC will publish guidance on this sooner rather than later, given the potential impact on confidentiality clauses and contract structuring.

Updated filing if transfers change: Unlike the CAC assessment/approval route, there is no time limit on the validity or legitimacy of the China SCCs once signed and filed. However, organisations must sign a supplemental or new set of China SCCs, and refile them with the local CAC branch with a refreshed PIIA, if there:

  • is a change in purpose, scope, category, degree of sensitivity, method, storage location or term of the personal information transferred overseas; or
  • is a change in the processing purpose or method of the personal information by the overseas recipient; or
  • is a change in the personal information protection policies or regulations of the jurisdiction of the overseas recipient that may affect the rights and interests of personal information – effectively meaning organisations must monitor changes to overseas data protection laws, and undertake mini-TIAs within their PIIAs, to assess whether regulatory changes overseas might have such an effect; or
  • are other circumstances which may affect the rights and interests of data subjects.

This effectively means that active monitoring of processing activities, overseas recipients, and the laws in the jurisdictions in which they operate is necessary. We anticipate many local and China data protection teams will need to add to existing resources or headcount to incorporate this into their data protection compliance programmes.

China SCCs are not the only compliance steps: signing and filing the China SCCs alone do not legitimise the cross-border transfers of personal information. Do not forget:

  • separate, explicit consent for the cross-border data transfer (on top of general consent to data processing and other separate consents for processing of (inter alia) sensitive personal information);
  • undertaking a PIIA; and
  • putting in place technical and organisational measures to ensure the data is processed to standards akin to China data protection laws (such as due diligence, ongoing vendor monitoring, etc.).

The Measures specifically mention the requirement for separate consent when transferring personal information overseas for processing activities which rely on the legal basis of consent. We await clarification from the CAC as to whether or not the separate consent requirement will be exempted for processing activities based on (the limited) alternative legal bases in the PIPL.

CAC assessment/approval route clarification: For those organisations that have already considered whether or not they must follow the CAC assessment/approval route, the CAC has clarified that organisations may not seek to circumvent the CAC assessment route by falsely structuring the volume of personal information processed, splitting across multiple organisations or legal entities. Organisations that have not yet submitted their CAC assessment applications before the 1 March 2023 deadline are, therefore, strongly advised to reconsider their internal assessments as to whether or not they meet the relevant thresholds.

Next steps

Organisations must execute the China SCCs as a priority, or risk having to stop cross-border transfers of China personal information. We are creating a template China SCCs addendum for organisations to use, so please contact us for support.

Please contact Carolyn Bigg (Partner) if you have any questions or to see what this means for your organisation.

INDONESIA: Personal Data Protection Law PDPL Now in Force (https://privacymatters.dlapiper.com/2022/10/indonesia-personal-data-protection-law-pdpl-now-in-force/), Fri, 21 Oct 2022 08:43:06 +0000. Authors: Carolyn Bigg and Yue Lin Lee

Indonesia’s long-awaited Personal Data Protection Law (“PDPL”) finally came into force on 17 October 2022, helpfully consolidating and clarifying the personal data protection framework in Indonesia.

Whilst there is a two-year transition period, businesses with Indonesian operations or which process the personal data of Indonesian citizens should now make compliance a priority.

The law is primarily consent-based. Key things to note include:

  • Extra-territorial effect. The PDPL applies to all personal data processing activities of individuals, corporations, public bodies and international bodies:
      • within Indonesia; or
      • outside of Indonesia, which: (i) has legal consequences in Indonesia, or (ii) affects Indonesian citizens located outside of Indonesia.
  • Data Subject Rights. Under the PDPL these include the: (i) right to obtain details of data processing; (ii) right to correct or supplement personal data; (iii) right to access and obtain a copy of personal data; (iv) right to request deletion of personal data; (v) right to withdraw consent; (vi) right to refuse automated decision-making; (vii) right to restrict data processing; (viii) right to bring civil action for violation of the PDPL, and (ix) right to data portability. For some specific rights, businesses only have 72 hours to respond.
  • Data Protection Impact Assessment. These are required where data processing involves a high potential risk to the data subject.
  • Data Protection Officer (DPO). For certain data processing activities, data controllers and processors must appoint a DPO.
  • Overseas Data Transfers. Data controllers transferring personal data outside of Indonesia must ensure that the recipient country has a level of data protection at least equal to that required under the PDPL. Otherwise, data controllers must ensure there is adequate data protection. If neither can be achieved, the data controller must obtain consent from the data subject for the overseas data transfer. It is anticipated that data localisation measures in certain industry sectors will remain, at least in the short term.
  • Sanctions. These include written warnings, temporary suspension of personal data activities and deletion or destruction of personal data. Most notably, the PDPL introduces fines of up to 2% of the annual revenue of the data controller. In addition to these administrative sanctions, criminal sanctions include a prison sentence of up to six years and fines of up to Rp 6 billion (approximately USD 385,000) for the most serious offences.