The IAPP Europe Data Protection Conference 2024 is just a few days away and I am excited about meeting up with colleagues and friends, old and new, learning new thoughts and ideas, and engaging in insightful discussions.
Before I board a plane to Europe, I would like to share a few recent key data, privacy and artificial intelligence developments in greater China.
Data has been identified as a "new productive force" by the Chinese government, the country is actively promoting the digital economy and unlocking the value of data assets. The National Data Bureau, established in 2023, has been playing a pivotal role in this initiative.
In October, the National Data Bureau issued a set of detailed guidelines to promote the development and utilization of public data resources. These policies encourage innovative applications to promote the healthy development of the data industry, expand the supply of public data resources especially those generated in the industries of water, electricity, public transportation, health care and education, and call for coordinating development and security for the development and utilization of public data.
This approach is reflected in the amended Anti-Money Laundering Law, issued 8 Nov., and effective 1 Jan. 2025. The revised AML introduces some significant changes, one of the most noticeable being the aim to balance AML compliance obligations with the protection of personal data and data security. This amendment is significant as it underscores the Chinese government's commitment to protecting personal information and data security in the context of AML activities.
The revised AML provides that when financial institutions collect or handle personal information, "know your customer" or other AML information for performing AML duties, they must protect the confidentiality of the collected data and the AML measures adopted by financial institutions must be aligned with the corresponding AML risk level. Where financial institutions need to share the AML information with the same corporate group for AML purpose, they must strictly follow the relevant requirements under China's Cybersecurity Law, Data Security Law and Personal Information Protection Law. Where a financial institution in China is asked by foreign countries or entities to provide its customers' KYC information, transactional records, and compliance summaries, the financial institution must first make a reporting to the competent Chinese financial regulator and also meet the applicable cross-border data transfer requirements and the applicable Chinese data laws and regulations.
On the AI front, Chinese courts are taking a proactive stance in hearing emerging AI cases. As I reported in my previous APAC note, the Beijing Internet Court gave a landmark ruling in 2023 recognizing copyright for AI-generated images on the ground that the user has put in original intelligent efforts in inputting, revising and updating AI prompts. In October 2024, the court in Jiangsu province, China delivered a similar judgment upholding the copyright ability of an image created by the user using Midjourney and Photoshop.
Moving down to Hong Kong, the Office of the Privacy Commissioner for Personal Data stays active in promoting AI security and data security. At the Cyber Security Summit held in October in Hong Kong, the privacy commissioner discussed the privacy risks AI poses to organizations and introduced the "AI: Model Personal Data Protection Framework" published by the PCPD in June.
The PCPD recently slammed local sports club South China Athletic Association which suffered a data breach incident involving the exposure of over 72,000 members' personal data including names, HKID and passport numbers, photos, birth dates, addresses, and more. The PCPD issued an enforcement notice requiring the SCAA to address these violations and enhance its data protection strategies.
Barbara Li, CIPP/E, is a partner at Reed Smith.