It is a pity that many of the privacy pros in China missed the IAPP Global Privacy Summit 2022 in Washington, D.C., last week due to the travel restrictions, but thanks to the livestream coverage, we were able to watch Tim Cook’s keynote speech and other inspiring talks given by many guest speakers during the GPS22 events. Hopefully the COVID-19 situation will be much improved in the coming months and we can see each other at the IAPP Asia Privacy Conference in Singapore in July!
This week witnesses some interesting privacy developments in China. The public consultation for the draft Implementation Rules of the Regulations on Administration of Human Genetic Resources (known as the “Draft HGR Rules”) will end 21 April. The Draft HGR Rules, after finalized and adopted, will be a set of important rules to fill in the gaps in China’s Biosecurity Law, Data Security Law and the Regulations on Administration of HGR, and will have significant implications for businesses and entities in the pharma, health care and biology sectors regarding the collection, processing, sharing and cross-border transfer of medical and health data. Some notable changes in the Draft HGR Rules and the related official interpretations:
- The scope of HGR data is likely to be significantly narrowed down to human genome data. Clinical data such as demographic data and imaging data, including ultrasound, CT, MRI and X-ray data, will not be regarded as HGR data.
- Provision of HGR data to foreign organizations/individuals or foreign-controlled entities will be subject to the security review carried out by China’s Ministry of Science and Technology, if any of the following conditions is met: a) HGR data of significantly hereditary families; b) HGR data from specific regions; c) exome sequencing and genome sequencing of more than 500 people; and d) other information that may endanger China’s national security, public health or public interests.
Another important development in China’s data regulatory space is related to a high-profile enforcement case in connection with cross-border data transfer. On 15 April, the state media CCTV published China’s first national security case involving illegal collection and cross-border transfer of high-speed rail data.
In that case, a Chinese tech company located in Shanghai signed a new contract with a foreign company, under which contract the Shanghai company was commissioned to collect signal data, including IoT, GSM-R, and spectrum data used in China’s high-speed rail operations. The Shanghai company collected a large volume of high-speed rail data and provided remote access to the foreign company, even though the in-house legal team of the Shanghai company alerted the compliance risk. The illegal data collection and cross-border transfer was caught by the authorities. After investigation, the authorities concluded that such data c0llection and transfer brings potential risks to China’s national security. Penalties were imposed on the company and relevant responsible individuals were arrested for violations of applicable laws. This again demonstrates that special care must be taken when handling data in sensitive and highly regulated industries, and risk impact assessment is a must-have step before rolling out new business models.
In Australia, the Office of the Australian Information Commissioner made a series of determinations which provide more references to the definition of personal information, including the 7-Eleven case, the Clearview Al case and the Australian Federal Police case. While these cases bring lots of insights into data compliance, one lesson is most prominent that the data should be considered in a context linking to other factors or information, which means that the identifiability of a natural person depends on not only one particular piece of information, but also other information that is known or available. These cases are worth a detailed reading as the definition of personal information has always been a controversial issue for most jurisdictions.
Hope you enjoy this digest. See you next time!