High Impact Future Technologies, Data Trends and Innovations

New technologies, emerging digital innovations and trends in data, data analytics and cybersecurity are developing at a rapid pace. These will shape the future of business, trade, politics, the economy and society. Chief Executive Officers (CEOs), Data Protection Officers (DPOs), Chief Data Officers (CDOs), Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), Boards and Senior Leaders must understand these developments, assess their competitive advantages, manage inherent risks and track the evolving governance and security implications. Automation, Artificial Intelligence (AI) Ethics, Blockchain, Data Bias, Differential Privacy, Digital Twins, Edge Computing, the Metaverse, Ransomware and Zero Trust Architecture and Security will increasingly lead the conversations in technology. These are set to grow exponentially, diversify and create lasting impacts. Here are the definitions of these key technologies, innovations and digital trends:

Automation describes the increased use of sophisticated technologies that minimise or eliminate human input. This includes business process automation (BPA), IT automation, robotics and personal applications such as the automation of private homes and self-driving cars. Automation is driven by a range of technological features and applications of data science, engineering, algorithms, blockchain, machine learning, deep learning, industrialised robotics and artificial intelligence.

Artificial Intelligence (AI) Ethics are a group of values, principles, and techniques that apply widely accepted standards to guide ethical and moral conduct in the development, use and outcomes of AI systems. These disciplines seek to address the individual and societal harms AI systems might cause. AI ethics mitigates these harms by offering leaders, developers, engineers and project teams the values, principles, and techniques needed to produce more ethical, fairer, and safer AI applications.

Blockchain is a decentralised, distributed and often public digital ledger made up of records called blocks that record transactions across many computers, so that a block cannot later be altered without also changing every block that follows it. This allows participants to verify and audit transactions independently and relatively cheaply. Each block contains a cryptographic hash of the previous block, a timestamp and transaction data. Because each block carries the hash of the block preceding it, the blocks form a chain, and each additional block reinforces the ones before it. A blockchain database is managed autonomously using a peer-to-peer network and a distributed timestamping server. Blocks are authenticated by mass collaboration, powered by collective self-interest. Blockchains are growing in popularity through cryptocurrencies, especially on the Ethereum blockchain, and via the creation, sale, collection and distribution of Non-Fungible Tokens (NFTs).
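To make the hash-chaining described above concrete, here is a minimal ledger in Python. It is an added example written for this page, not code from PrivacySolved or from any blockchain project: a block hashes its own contents plus the previous block's hash, verification walks the chain checking both, and the constructed sample shows that editing one transaction breaks verification at that block, that recomputing only that block's hash merely moves the break to the next block, and that only rewriting every later block passes again. Real networks add consensus across peers on top of this; the transactions are made-up strings.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS_PREV = "0" * 64  # there is no block before the first one


@dataclass
class Block:
    index: int
    timestamp: float
    transactions: list
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        # Hash every field except the hash itself; sort_keys makes the encoding canonical.
        payload = json.dumps({"index": self.index, "timestamp": self.timestamp,
                              "transactions": self.transactions, "prev_hash": self.prev_hash},
                             sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(batches, start_time=1_700_000_000.0):
    """One block per batch of transactions; fixed timestamps keep the demo deterministic."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        block = Block(i, start_time + i, list(txs), prev)
        block.hash = block.compute_hash()
        chain.append(block)
        prev = block.hash
    return chain


def verify_chain(chain):
    """Return the index of the first block that fails verification, or None if the chain is intact."""
    for i, block in enumerate(chain):
        if block.hash != block.compute_hash():
            return i  # block contents no longer match its recorded hash
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].hash
        if block.prev_hash != expected_prev:
            return i  # link to the previous block is broken
    return None


def rewrite_from(chain, start):
    """Recompute hashes and links from `start` onward. Altering history means redoing this for
    every later block, which is why participants compare copies rather than trust a single one."""
    for i in range(start, len(chain)):
        chain[i].prev_hash = GENESIS_PREV if i == 0 else chain[i - 1].hash
        chain[i].hash = chain[i].compute_hash()


def demo():
    """Constructed sample ledger: tamper with block 1 and observe where verification breaks."""
    chain = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]])
    intact = verify_chain(chain)                  # None
    chain[1].transactions[0] = "bob->carol:200"   # alter a recorded transaction
    after_tamper = verify_chain(chain)            # 1: block 1 no longer matches its hash
    chain[1].hash = chain[1].compute_hash()       # "repair" block 1 alone ...
    after_rehash = verify_chain(chain)            # 2: ... but block 2 still points at the old hash
    rewrite_from(chain, 1)                        # only rewriting every later block passes
    after_rewrite = verify_chain(chain)           # None
    return intact, after_tamper, after_rehash, after_rewrite


if __name__ == "__main__":
    print(demo())  # (None, 1, 2, None)
```

The last step is the point of the definition: because every later block commits to the hash of the one before it, an alteration is only hidden by rebuilding the whole tail of the chain, and any other participant holding the original tail will see the divergence.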

Data Bias is any trend or deviation from the truth in data collection, data analysis, interpretation and publication which can cause false conclusions. Bias can occur intentionally or unintentionally. A biased dataset, for example in machine learning, does not accurately represent a model’s use case, resulting in skewed outcomes, low accuracy levels, and analytical errors. Types of bias include association bias, exclusion bias, measurement bias, observer (confirmation) bias, recall bias, racial bias, sample bias and sexual (gender) bias.

Differential Privacy is a mathematical technique of adding a degree of controlled randomness to a dataset to prevent the release or extraction of information about individuals in the dataset. This allows researchers and analysts to extract useful insights from datasets containing personal information while also offering stronger data privacy protections.
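The "controlled randomness" in the definition above is usually the Laplace mechanism: noise drawn from a Laplace distribution whose scale is the query's sensitivity (how much one person's data can change the answer) divided by the privacy parameter epsilon. The Python below is an added illustration written for this page, not part of the original briefing or any library; the records are constructed. It answers a count query and a sum query, clips per-person contributions so a single outlier cannot make the sum unprotectable, and tracks the epsilon spent across queries, because the guarantee weakens with every additional release from the same data.

```python
import math
import random

RECORDS = [  # constructed sample records, not real people
    {"age": 34, "salary": 52000}, {"age": 45, "salary": 61000}, {"age": 29, "salary": 48000},
    {"age": 52, "salary": 99000}, {"age": 41, "salary": 57000}, {"age": 38, "salary": 250000},
]


def laplace_scale(sensitivity, epsilon):
    """Noise scale b for the Laplace mechanism: b = sensitivity / epsilon (smaller epsilon, more noise)."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverting its CDF."""
    u = rng.random() - 0.5                     # uniform on [-0.5, 0.5)
    while abs(u) >= 0.5:                       # avoid log(0) at the boundary
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class PrivacyBudget:
    """Epsilon composes additively across queries on the same data, so each release spends budget."""

    def __init__(self, total_epsilon):
        self.remaining = total_epsilon

    def can_spend(self, epsilon):
        return 0 < epsilon <= self.remaining + 1e-12

    def spend(self, epsilon):
        if not self.can_spend(epsilon):
            raise RuntimeError("privacy budget exhausted: refuse the query")
        self.remaining -= epsilon


def count_matching(records, predicate):
    return sum(1 for r in records if predicate(r))


def clipped_sum(records, field, upper_bound):
    # Clip each person's contribution to [0, upper_bound] so the sum's sensitivity is upper_bound.
    return sum(min(max(r[field], 0), upper_bound) for r in records)


def dp_count(records, predicate, epsilon, budget, rng):
    """Counting query: one person changes the answer by at most 1, so sensitivity is 1."""
    budget.spend(epsilon)
    return count_matching(records, predicate) + laplace_noise(laplace_scale(1, epsilon), rng)


def dp_sum(records, field, upper_bound, epsilon, budget, rng):
    """Sum over clipped values. Without the clip, one outlier (the 250000 salary above) could move
    the sum arbitrarily far and no finite noise scale would hide that person's presence."""
    budget.spend(epsilon)
    scale = laplace_scale(upper_bound, epsilon)
    return clipped_sum(records, field, upper_bound) + laplace_noise(scale, rng)


def demo(epsilon=0.5, seed=7):
    """Run both queries against a budget sized for exactly two releases and report what is left."""
    rng = random.Random(seed)
    budget = PrivacyBudget(total_epsilon=2 * epsilon)
    over_40 = lambda r: r["age"] >= 40
    return {
        "true_count": count_matching(RECORDS, over_40),
        "dp_count": dp_count(RECORDS, over_40, epsilon, budget, rng),
        "true_sum": clipped_sum(RECORDS, "salary", 100000),
        "dp_sum": dp_sum(RECORDS, "salary", 100000, epsilon, budget, rng),
        "budget_left": budget.remaining,
        "more_allowed": budget.can_spend(0.1),  # False: the budget is spent
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>13}: {value}")
```

With epsilon = 0.5 the count query gets Laplace noise of scale 2, so a single answer is useful only in aggregate, while a very large epsilon makes the noise vanish along with the protection; the budget object is what stops an analyst from simply repeating the query and averaging the noise away.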

Digital Twins are digital replicas or representations of physical objects, such as a machine or a person, or of an intangible system, such as a business process, that can be examined, altered and tested without interacting with the original in the real world, thereby avoiding negative consequences. A Digital Twin often spans the lifecycle of the object, person or system, is updated from real-time data, and uses simulation, machine learning and reasoning to aid decision-making.

Edge Computing is a distributed computing architecture framework where an organisation’s applications are closer to data sources such as Internet of Things (IoT) devices or local edge servers. The closeness to data at its source can deliver strong business benefits, faster insights, improved response times and better use of bandwidth.

The Metaverse is a unified way for people, data and things to interact in virtual, physical and spatial environments. It is a collection of systems and interfaces combining computer screens, avatars, virtual reality, augmented reality, the Internet of Things, robotics, artificial intelligence and automation. The term originates from science fiction, specifically from Neal Stephenson’s Snow Crash (1992) and the work of William Gibson.

Ransomware is malicious software, or malware, that stops organisations and computer users from accessing their computer files, systems or networks. This is accompanied by a demand for a financial ransom payment to restore access to systems, decrypt databases or return data. Ransomware can be introduced to a computer or system when users accidentally download it by opening email attachments, clicking on advertisements, clicking on hyperlinks or visiting a website that has been deliberately infected with malware. Ransomware attacks can cause significant disruption to IT operations, and critical business information and personal data can be lost. Ransomware attacks can be initiated by state actors and by opportunistic hacktivism. In most cases, ransomware is part of international cybercrime and organised crime.

Zero Trust Architecture and Security uses zero trust principles to plan business, industrial and enterprise infrastructure and workflows. Zero trust architecture is built on the premise “never trust, always verify.” Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical attributes, presence on the network or asset type. Authentication and authorisation of individuals and devices are discrete functions performed continuously before access to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), working from home, and cloud-based assets that are not located within an enterprise-owned network boundary. Zero Trust Security is a cybersecurity strategy in which information security policy is applied based on context established through least-privileged access controls and strict user authentication. Trust is not assumed. A mature best-of-breed zero trust architecture can create a simpler network infrastructure, a better user experience and improved cyber defence.

PrivacySolved has a well-established track record of advising and leading projects for Consumer Relationship Management (CRM) systems, ecommerce, e-government, CCTV systems, cloud computing, fintech, artificial intelligence data, big data and data analytics. Contact PrivacySolved:

Telephone: +44 (0) 207 175 9771 (London)

Telephone: +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

PS012022

Log4j and Future Cybersecurity Risks

In November 2021, major vulnerabilities were discovered in Log4j. Log4j is an open-source Java logging library developed by the Apache Software Foundation. It is used in many custom applications, off-the-shelf software, security products and cloud services such as Steam and Apple iCloud. The Log4j library is present in much enterprise Java software and in Apache frameworks. Other large projects, including Netty, MyBatis and the Spring Framework, also use the library. A range of vulnerabilities have been discovered in multiple versions of Apache Log4j, and scanning and attempted exploitation have been observed globally. National Cyber Security Centres have identified exploited vulnerabilities in VMware Horizon, MobileIron and the Ubiquiti UniFi Network Application, among others. If exploited, the vulnerabilities allow remote code execution and information disclosure, including the exfiltration of sensitive data. Denial of Service exploits, bypasses of the Log4Shell mitigations and Conti ransomware operators gaining access through the vulnerabilities are all known risks. The list of applications affected by these vulnerabilities is vast, so all organisations must proactively audit, test, review and respond with patching and updates.

Information security specialists say that the Log4j vulnerability may be one of the most serious in the last ten years. Over time, it may become the most impactful vulnerability in the history of modern cybersecurity. Known vulnerabilities, patched vulnerabilities, and half-day and zero-day exploits in open-source code libraries can result in major future data breaches, supply chain attacks and ransomware attacks. Companies and organisations should locate and upgrade all instances of Log4j and mitigate the resulting threats. This Resources Page is a dashboard of the most useful information and guidance.
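Locating every instance of Log4j, as advised above, is harder than it sounds, because log4j-core is often packaged inside WARs and fat JARs rather than sitting on disk as a named file. The Python scanner below is an added example written for this page; it is not a PrivacySolved tool nor Apache's own code. It walks a directory tree, opens every archive (recursing into archives nested inside archives), identifies log4j-core by its manifest title or by the presence of the JndiLookup class (a real class path in log4j-core), and reports the version together with whether that class is still present. The version threshold is a parameter: take the real value from the Apache advisory; the threshold in the demo and the version strings inside the constructed sample jars are placeholders.

```python
import io
import sys
import tempfile
import zipfile
from pathlib import Path

# Real path of the JNDI lookup class inside log4j-core; its presence identifies the library
# even in a shaded jar that carries someone else's manifest.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.1.0' -> ((2, 1, 0), True); '2.0-beta9' -> ((2, 0), False), so pre-releases sort first."""
    core, _, qualifier = text.strip().partition("-")
    return tuple(int(p) for p in core.split(".") if p.isdigit()), qualifier == ""


def manifest_fields(zf):
    """Parse META-INF/MANIFEST.MF into a dict, joining continuation lines that start with a space."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return {}
    fields, last = {}, None
    for line in raw.splitlines():
        if line.startswith(" ") and last:
            fields[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            fields[last] = value.strip()
    return fields


def scan_archive(zf, label, minimum, findings):
    names = set(zf.namelist())
    mf = manifest_fields(zf)
    title, version = mf.get("Implementation-Title", "").lower(), mf.get("Implementation-Version")
    is_core = ("log4j" in title and "core" in title) or JNDI_LOOKUP_CLASS in names
    if is_core:
        # Unknown version is reported as needing attention rather than silently passing.
        below = version is None or parse_version(version) < parse_version(minimum)
        findings.append({"location": label, "version": version,
                         "has_jndi_lookup": JNDI_LOOKUP_CLASS in names, "needs_attention": below})
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                nested = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            scan_archive(nested, f"{label}!/{name}", minimum, findings)


def scan_tree(root, minimum):
    """Return one finding per log4j-core copy found under root, including copies nested in archives."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                scan_archive(zf, str(path.relative_to(root)), minimum, findings)
    return findings


def build_demo_tree(root):
    """Constructed fixture: a bare log4j-core jar plus a WAR embedding another copy. No real Log4j code."""
    def make_core(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Title: Apache Log4j Core\n"
                        f"Implementation-Version: {version}\n")
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
        return buf.getvalue()
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "lib" / "log4j-core-2.1.0.jar").write_bytes(make_core("2.1.0"))      # sample version string
    with zipfile.ZipFile(root / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core.jar", make_core("2.0-beta9"))      # sample version string


def demo(minimum="2.99.0"):  # placeholder threshold: take the real one from the Apache advisory
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp, minimum)


if __name__ == "__main__":
    root, minimum = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else (None, "2.99.0")
    for f in (scan_tree(root, minimum) if root else demo()):
        print(f)
```

Run it as `python scan.py /path/to/deployments <minimum-version>`; without arguments it scans the constructed fixture. Two caveats for a real audit: a copy whose manifest was stripped is reported with version `None` and must be checked by hand, and a jar where the lookup class was removed as a mitigation still shows its old version, so the two columns should be read together.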

Joint Cybersecurity Advisory (CSA) on Log4j from the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC) and the United Kingdom’s National Cyber Security Centre (NCSC-UK) – December 2021

NCSC UK Alert: Apache Log4J Vulnerabilities

NCSC UK Log4j Vulnerability: What Everyone Needs to Know

NCSC UK Log4J Vulnerability: What Should Boards be Asking?

NCSC Ireland Log4j Alert and Advisory

NCSC Netherlands Log4j Alert and Resources

CISA GOV (USA) Log4j Vulnerability Guidance on Github

PrivacySolved has years of expertise in data protection, cybersecurity strategy and data breach response. For advice, support, projects and programmes, contact PrivacySolved:

Telephone: +44 (0) 207 175 9771 (London)

Telephone: +353 1 960 9370 (Dublin)

Email: contact@privacysolved.com

Five Key Things to Know about the UAE Data Protection Law 2021

The United Arab Emirates (UAE) is a nation in the Middle East made up of the seven emirates of Abu Dhabi (the capital), Ajman, Dubai, Fujairah, Ras Al Khaimah, Sharjah and Umm Al Quwain. On 27 November 2021, the UAE Cabinet Office announced the new national data protection law (UAE DP Law). The UAE DP Law protects personal data held and processed by organisations that are registered in the UAE and that process the personal data of individuals inside or outside the UAE. It also applies to any organisation established outside the UAE that processes the personal data of individuals inside the UAE, and to external organisations with personal data links to the UAE. The law encourages data processing controls, which include lawfulness, fairness, transparency, using personal data for specific and clear purposes, accuracy, personal data security and responsible data retention. Individuals have rights to receive information, to request a transfer of their personal data (data portability), to correction, erasure and restriction of processing, to object to types of processing such as direct marketing, and to object to automated processing. The UAE Data Office will be the regulator, established under a separate law. The UAE DP Law comes into force on 1 January 2022. Further regulations will also follow, allowing time for compliance after these regulations are published. The UAE Data Office will also publish rules and guidance.

1. What types of organisations are covered by UAE DP Law?

The law applies to businesses and organisations, both controllers and processors, that are registered in the UAE and that process personal data or sensitive personal data. It also applies to businesses and organisations based outside the UAE that process the personal data of individuals who are in the UAE. Businesses that process data on behalf of these organisations, such as their suppliers, are also covered by the law. Controllers are those that decide the method, criteria and purpose for processing personal data. Processors collect, use and store personal data on behalf of, under the direction of and in accordance with the instructions of the controller. Data processors must follow the instructions of controllers and agree personal data processing contracts setting out the scope, purpose and types of data processing.

The UAE DP Law does not apply to government data, government organisations that control or process personal data, personal data held by security and judicial authorities and personal data used for personal purposes by individuals. Health personal data regulated by the ICT Healthcare Law of 2019 are excluded. Banking personal data regulated by other laws are also out of scope. Companies and organisations registered in UAE free zones that have their own specific free zone data protection laws are excluded. The Abu Dhabi Global Market (ADGM) and the Dubai International Financial Centre (DIFC) have their own separate data protection laws.

2. What types of data or information are covered by UAE DP Law?

The UAE DP Law protects personal data, which is defined as any data related to a specific natural person or related to a natural person that can be identified directly or indirectly by linking the data. The definition includes an individual’s name, voice, image, identification number, electronic identifier and geographical location. Sensitive personal data are also covered by the UAE DP Law. This category is defined as data that directly or indirectly reveals the family or ethnic origin of a natural person, political or philosophical opinions or religious beliefs, criminal record, biometric data and any data relating to an individual’s health.

3. What are the main UAE DP Law obligations for businesses?

UAE registered businesses and foreign based organisations should:

(a) Create a UAE (or Middle East and Africa) data protection framework with data processing controls and apply the law’s data protection principles, such as transparency (notices), fairness, lawfulness, accuracy and responsible data retention.

(b) Businesses and organisations acting as controllers and processors should establish and maintain a Special Record for Personal Data (SRPD). This should be available to the UAE Data Office, if requested. This appears to be like the GDPR’s Record of Processing Activities (ROPA).

(c) Establish opt-in consent mechanisms and ensure that each consent transaction is specific, clear, unambiguous and forms a clear positive statement or action.

(d) Appoint a sufficiently skilled and knowledgeable Data Protection Officer (DPO), as an employee or via an external service provider based inside or outside the UAE. A DPO is legally required where personal data processing creates a high risk to the privacy of the personal data because of the adoption of new technologies or the volume of personal data processed; where processing involves the assessment of sensitive personal data as part of profiling or automated processing; or where large volumes of sensitive personal data are processed.

(e) Report personal data breaches and data leakages to the UAE Data Office and to individuals affected, where necessary, as soon as they become aware of these incidents.

(f) Complete Data Protection Impact Assessments (DPIAs) when using any modern technologies that pose a high risk to the privacy and confidentiality of individuals.

(g) Create appropriate policies for processing sensitive personal data.

(h) Put in place appropriate technical and organisational measures to protect personal data and manage automatic processing to remain limited to the intended purpose, including anonymisation and pseudonymisation.

(i) Set up accessible systems and processes to allow individuals to exercise their data protection rights, free of charge.

(j) Prepare for the new UAE DP Law international data transfer regime. There will be rules for countries that the UAE deems to have an adequate level of data protection, and different rules for other countries, mandating contractual clauses, assessments and personal data transfer mechanisms.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), UAE ADGM DP Law or UAE DIFC DP Law will they automatically comply with UAE DP Law?

Yes, to a certain extent, but not completely. GDPR, UAE free zone data protection laws and UAE DP Law have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. UAE DP Law was enacted to include provisions that largely reflect the EU’s GDPR requirements. GDPR data mapping and Records of Processing Activities logs can help to identify UAE DP Law-impacted personal data. GDPR Data Protection Notices, policies and GDPR processes used to respond to GDPR rights can assist UAE DP Law compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. The UAE DP Law also contains broad sector and data exclusions from government data, government bodies, health bodies, judicial and security bodies and some banking related personal data. UAE DP Law will also be supported by a range of further regulations in the coming months and years that will expand, specify and interpret the law.

5. Does the UAE DP Law apply to foreign based companies and what are the penalties for breach of the law?

Yes, it can. If foreign businesses are registered in UAE and process personal data in the UAE or elsewhere, then the UAE DP Law will apply. The law also applies to foreign based businesses that process personal data on behalf of organisations registered in the UAE as well as foreign based businesses that externally process personal data about individuals who live, work or are otherwise in the UAE.

The UAE DP Law has not yet published the penalties that will apply. These will appear in future regulations and output from the UAE Data Office.

Resources

UAE Government Data Protection Pages

PrivacySolved Data Protection Officer Services

PrivacySolved Consulting and Strategy Services

PS122021

The Ransomware Problem: Five Steps to Success

Briefing

Ransomware is malicious software, or malware, that stops organisations and computer users from accessing their computer files, systems and networks. This is accompanied by a demand for a financial ransom payment to restore access to systems, unencrypt databases or return data. Ransomware attacks can cause significant disruption to IT operations. Critical business information and personal data can be lost. Ransomware can be introduced to a computer or system by users accidentally downloading ransomware by opening an email attachment, clicking an advertisement, clicking on a hyperlink or visiting a website that has been deliberately infected with malware. Globally, across all sectors, these attacks have increased in scope, frequency, sophistication and the levels of financial payments demanded. It is now a major component of global cybercrime. Combatting these cyberattacks can be complex, especially for the largest businesses and organisations.

A Sophos poll of 5,400 IT decision makers in mid-sized organizations in 30 countries across Europe, the Americas, Asia-Pacific, Central Asia, the Middle East and Africa found startling results. The total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 USD in 2020 to $1.85 million USD in 2021. The average ransom paid is $170,404 USD. Only 8% of organisations managed to get back all their data after paying a ransom, with 29% getting back no more than half of their data.

Here are five steps that all businesses and organisations can take to improve their resilience, their offensive capabilities and their defensive success:

  1. Strategic, Systematic and Regular Backups

Ransomware should be treated as a strategic and existential threat, and an attack should be regarded as inevitable. Organisations should create backups to build resilience; these are crucial for recovering data after an attack. The industry standard approach is called 3:2:1: three sets of backups, on two different media, one of which must be kept offline. Backups should be scheduled to complete regularly.

2. Prevent Malware from being Delivered and Running on Systems

Businesses and organisations can reduce the malware and ransomware reaching their devices by filtering to allow only the file types that they expect to receive, and by blocking known malicious websites. Content can be actively inspected, and signatures can be used to block known malicious code. Network services fulfil these tasks; the tools include intercepting proxies, internet security gateways, safe browsing lists and mail and spam filtering. Disabling Remote Desktop Protocol (RDP) if it is not needed, enabling Multi-Factor Authentication (MFA) at all remote access points into the network and using a secure Virtual Private Network (VPN) are effective responses to the most common modern ransomware deployment practices.

A defence in depth approach should be in place. This assumes that malware will reach your devices. Businesses should take steps to prevent malware from running by using device-level security features. Organisations should centrally manage devices to only permit applications trusted by the enterprise to run on devices and use up-to-date enterprise antivirus or anti-malware products. Scripting environments and macros should be disabled or restricted by enforcing PowerShell Constrained Language mode via a User Mode Code Integrity (UMCI) policy. Also, systems can be protected from malicious Microsoft Office macros and autorun for mounted (activated) media can be disabled.

To stop attackers forcing their malicious code to execute by exploiting vulnerabilities in devices, these must be well configured and kept up to date. Security updates should be installed as soon as they become available to fix exploitable bugs, and automatic updates should be enabled for operating systems, applications and firmware (where possible). Using the latest versions of operating systems and applications, to benefit from the latest security features, is advisable. Host-based and network firewalls should be configured to block inbound connections by default.
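The allowlist filtering that step 2 opens with is only as good as the file-type check behind it: an attachment's extension is whatever the sender typed, so a filter should also confirm that the content's leading bytes (its magic number) match the claimed type and, for Office containers, look for an embedded macro project, which is the "malicious Microsoft Office macros" concern raised above. The Python below is an added example written for this page, not a PrivacySolved tool or any product's code; the allowlist, blocklist and sample messages are constructed, while `word/vbaProject.bin` and `xl/vbaProject.bin` are the real part names OOXML uses for VBA macros.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Allowlist: extension -> leading bytes the content must start with (constructed for this example).
ALLOWED_MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),  # OOXML documents are ZIP containers
    ".xlsx": (b"PK\x03\x04",),
}
# Executable, script and macro-enabled types that should never be delivered (constructed list).
BLOCKED = {".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".ps1", ".bat", ".cmd", ".lnk", ".iso",
           ".docm", ".xlsm"}
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin")  # real OOXML part names for VBA projects


def check_attachment(filename, data):
    """Return ('allow', reason) or ('block', reason) for one attachment."""
    name = PurePosixPath(filename.replace("\\", "/")).name   # ignore any path the sender supplied
    suffix = PurePosixPath(name).suffix.lower()              # final extension only: 'a.pdf.exe' is .exe
    if suffix in BLOCKED:
        return "block", f"extension {suffix} is executable, script or macro-enabled content"
    if suffix not in ALLOWED_MAGIC:
        return "block", f"extension {suffix!r} is not on the allowlist"
    if not any(data.startswith(magic) for magic in ALLOWED_MAGIC[suffix]):
        return "block", f"content does not match a {suffix} file (extension spoofing)"
    if suffix in (".docx", ".xlsx"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                parts = set(zf.namelist())
        except zipfile.BadZipFile:
            return "block", "corrupt Office container"
        if any(part in parts for part in MACRO_PARTS):
            return "block", "Office document carries a VBA macro project"
    return "allow", "extension on allowlist and content signature matches"


def make_ooxml(with_macro):
    """Constructed minimal OOXML-shaped container; the macro part is placeholder bytes, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def sample_attachments():
    """Constructed sample attachments (no real files): filename -> content bytes."""
    return {
        "quarterly-report.pdf": b"%PDF-1.7\n%constructed\n",
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "notes.pdf": b"MZ\x90\x00" + b"\x00" * 12,        # executable header behind a .pdf name
        "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 12,  # double extension
        "agenda.docx": make_ooxml(with_macro=False),
        "budget.docx": make_ooxml(with_macro=True),
        "update.js": b"// script content",
        "archive.zip": b"PK\x03\x04",                     # not on the allowlist
    }


def run_filter():
    """Verdict per sample attachment, for the demo and the test."""
    return {name: check_attachment(name, data)[0] for name, data in sample_attachments().items()}


if __name__ == "__main__":
    for name, data in sample_attachments().items():
        verdict, reason = check_attachment(name, data)
        print(f"{verdict:5} {name:22} {reason}")
```

This check sits alongside, not instead of, the signature-based scanning and gateway filtering listed above: magic bytes prove only that a file is the type it claims, and a genuine PDF can still carry something malicious, so the allowlist is deliberately short and the blocked list is applied first.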

3. If Attacked: To Pay, or Not to Pay the Ransom?

A wide range of law enforcement agencies around the world discourage the payment of ransom demands. However, sometimes payments must be made as a pragmatic response and to aid business continuity. At all times, organisations must avoid committing a criminal offence by sending payments to sanctioned individuals, entities or organisations or those involved in money laundering. Companies should liaise with their insurers, lawyers and risk professionals. Even after payments are made, confidential personal data could still be published online, breaching data protection and global privacy laws. There is no guarantee that organisations will regain access to their data, computer systems or networks. An IT system may still be infected long after the ransomware attack. Repairing, recovering and remediating the systems can be expensive and take many weeks or months.

4. Train Staff and Prepare for Incidents

Businesses and organisations should develop a corporate training strategy, on a rolling basis, that is updated to include the latest developments in malware, ransomware and information security threats. Different types of staff will need varying depths of training and awareness.

Organisations should identify their critical assets and determine the impact if these were affected by a malware attack. This is a very important preparatory step. Preparation also includes developing an internal and external communication strategy (including for any impacts from collateral third-party malware not intended for the organisation). Incident management plans should be rehearsed and reviewed. This helps to clarify the roles and responsibilities of staff and third parties, and to prioritise system recovery. War-games and hackathons that rebuild virtual environments, physical servers and files from offline backups, under pressure, should be included. Developing a plan to continue operating critical business services, or a minimum viable service or product, is also essential.

5. Report and Share Intelligence

There are legal obligations to report certain cyberattacks and data breaches to personal data regulators, governments, information services regulators, financial services regulators and market regulators. These reports should be made quickly, to receive help and to reduce liability. There is a growing drive to voluntarily report ransomware to government agencies and law enforcement. This should be considered because they may hold information that could be useful for the organisation’s response. Reports also help them to better understand the level of the threat and to deploy offensive and defensive capabilities to protect a sector or group of companies. The most difficult and controversial decision will be whether to report ransomware attacks to sector groups, fellow businesses and potential competitors. This is increasingly being encouraged, but will rely heavily on mutual trust, non-disclosure agreements and clear memorandums of understanding to protect each party. The more information and intelligence about ransomware that can be collected and skilfully used, the lower the impacts and costs of ransomware will be.

For assistance with Personal Data Breach Response, Ransomware, Cybersecurity Strategy or Information Security Training, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS112021

5 Key Things to Know about China’s Personal Information Protection Law (PIPL)

Briefing

The People’s Republic of China’s Personal Information Protection Law (China PIPL) is the country’s new data protection law. The law was adopted in August 2021 and came into force on 1 November 2021. PIPL protects the personal information held and processed by organisations operating in China and by those established outside China. PIPL’s data protection principles include lawfulness, necessity, good faith, purpose limitation and data minimisation, transparency, accuracy, accountability and security. Individuals have rights to be informed, to access, to copies, to deletion, to rectification, to portability and to respond to automated decision-making. Businesses and organisations must be more accountable and act in good faith when collecting, using and storing personal information. China does not have an independent data protection regulator. China’s PIPL enforcement is decentralised, and the main government departments responsible for enforcement are the Cyberspace Administration of China (CAC) and the Ministry of Public Security. Each of these bodies has state-level and local organisations that can have rulemaking and enforcement powers. Enforcement starts on 1 November 2021, after a short implementation period.

1. What types of organisations are covered by China PIPL?

The law applies to businesses and organisations, which PIPL calls Personal Information Processors. The term is very similar to Controllers in the European Union’s General Data Protection Regulation (GDPR). The law covers businesses that are based in China and those based outside China that collect, use and store personal information about individuals in China. Companies and organisations based outside China fall within the scope of PIPL if they provide goods and services to people in China, analyse or assess the behaviour of people in China, or where other Chinese laws and regulations so specify. Entrusted Parties are organisations that process personal information on behalf of and under the instruction of Personal Information Processors. This role is similar to that of Processors under GDPR, but PIPL imposes fewer explicit legal responsibilities on it.

2. What types of data or information are covered by China PIPL?

China’s PIPL protects personal information, which is defined very broadly as all information relating to identified or identifiable natural persons. Anonymised data are not personal information if they cannot be used to identify specific natural persons and the personal information cannot be restored after processing. The law recognises sensitive personal information as information whose disclosure or illegal use can easily lead to the infringement of an individual’s personal dignity or harm to their person or property. Examples include biometrics, religious beliefs, specific identity information, medical health, financial accounts, individual location tracking / geolocation and any personal information about children under 14 years old. Processing sensitive personal information attracts additional requirements, including a clear and specific purpose, necessity, strict protective measures, additional consent, greater transparency measures and Personal Information Impact Assessments (PIIAs).

3. What are the main obligations from China PIPL for businesses?

Businesses registered in China and international businesses and organisations with supply chains and links to China that fall within China PIPL’s scope must:

(a) Conduct regular China PIPL compliance audits.

(b) Formulate operating rules, internal management, data classification, data processing records and information management systems.

(c) Respond efficiently to personal information breaches with immediate remedies and notify Chinese authorities and affected individuals.

(d) Appoint a representative in China or create a specific legal entity in China to comply with PIPL’s requirements.

(e) Set up processes and tools to carry out Personal Information Impact Assessments (PIIAs) for international personal information transfers outside of China, using third parties to process personal information (such as other Personal Information Processors or Entrusted Parties) or when disclosing information.

(f) Allow individuals to easily give and withdraw consent.

(g) Follow the strict rules on international transfers of personal information. A transfer must rely on one of the following: passing a security assessment by the State Cybersecurity and Informatization Department (required where the transferor is critical information infrastructure or transfers a large volume of personal information); obtaining a personal information protection certification from a specialised body authorised by the State Cybersecurity and Informatization Department; agreeing a contract with the foreign receiving party based on the standard contractual clauses issued by the Cyberspace and Informatization Department; or other methods specified by Chinese law, administrative regulations or the State Cybersecurity and Informatization Department.

(h) Appoint a Personal Information Protection Officer (PIPO), if required to do so by the State Cyberspace and Informationization department, to supervise data processing, register with the authorities and identify themselves to individuals whose personal information are being processed.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with China PIPL?

Yes, in large part, but not completely. GDPR and China PIPL have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. China PIPL was enacted to include provisions that mirror some of the EU’s GDPR requirements. GDPR data mapping and records of processing activities can help to identify personal information impacted by China PIPL. GDPR Data Protection Notices, policies and GDPR processes used to respond to GDPR rights can assist China PIPL compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. Chinese-speaking Data Protection Officers (Personal Information Protection Officers) and Representatives based in China are also important.  

For fuller Chinese compliance, companies and organisation should also comply with other Chinese laws which are closely associated or aligned with China’s PIPL. These include:

China Cybersecurity Law (CSL) of 7 November 2016, in force 1 June 2017

China Data Security Law (DSL) of 10 June 2021, in force 1 September 2021

China Civil Code of 28 May 2020, in force 1 January 2021

5. Does China PIPL apply to foreign based companies and what are the penalties for breach of the law?

Yes, it can. If foreign businesses are registered in China and process personal information in China, then China PIPL will apply. The law also applies to foreign-based businesses that provide goods and services to people in China and support China-based businesses and organisations. Foreign-based companies and organisations that analyse or assess the behaviour of people in China also fall within PIPL’s scope. China PIPL could also be extended by other Chinese laws and regulations at the national, regional, state or local level. This means that organisations must constantly review the scope and application of PIPL. 

Enforcement of China PIPL is multifaceted. There are criminal penalties, including imprisonment, if a violation of PIPL amounts to a breach of public security administration and criminal liability is proven. There are civil liability penalties for breaches of China’s Civil Code, including consumer law. Chinese state or regional consumer organisations can also conduct public interest litigation on behalf of a large group of people affected by breaches of PIPL. It is important to note that the burden of proof lies with the Personal Information Processor to demonstrate that no breach of China PIPL has taken place, because Personal Information Processor fault is presumed at the outset.

PIPL also has a system of administrative penalties, falling into two types of cases. In general cases, Personal Information Processors and Individuals can be given warnings, orders to rectify, confiscation of illegal gains and orders to suspend or terminate services that unlawfully process personal information. Failure to make corrections could result in fines of up to 1 million RMB. Responsible Persons could receive fines from 10,000 RMB. In severe cases, Personal Information Processors and Individuals can be given orders to rectify, confiscation of illegal gains, orders to suspend or terminate services, cessation of business for rectification, or revocation of business licences or permits. Fines of up to 50 million RMB or 5% of annual turnover from the previous year could also be imposed. For Responsible Persons, fines ranging from 100,000 to 1 million RMB could be levied. Responsible Persons could also be prohibited from holding director, supervisor, senior manager or Personal Information Protection Officer positions for a period of time.

Resources

National People’s Congress of China, PIPL Official Chinese Translation

National People’s Congress of China, PIPL Official English Translation

National People’s Congress of China, DSL Official English Translation

Stanford University Cyber Policy Center: DigiChina

PS102021