Across the globe, concerns continue regarding cryptocurrencies and digital currency exchanges. In the October edition of our Privacy and Security Roundup, we dive into the latest details surrounding OFAC’s efforts to stifle ransomware attacks, how organizations should carefully assess the new Personal Information Protection Law in China, the new EU Standard Contractual Clauses requirement effective Sept. 27, and more.
Increasing government pressure on cryptocurrencies and related businesses
The exchange infrastructure that enables use of cryptocurrencies for malicious purposes has come under increased scrutiny. As previously covered by Matt Lapin, on Sept. 21 the Department of Treasury, Office of Foreign Assets Control (OFAC), stepped up efforts to disrupt use of crypto exchanges that facilitate payments to ransomware actors by sanctioning SUEX, an exchange that enables the purchase and sale of virtual currencies. While over 40% of SUEX’s transaction history was likely associated with illicit actors, this move by OFAC represents an attempt to lower the frequency and profitability of ransomware attacks. At the same time, however, this also might increase the risk for companies and facilitators assessing how to respond to ransomware attacks. In effect, sanctioning exchanges used to facilitate ransomware payments means companies struggling to cope with a ransomware attack and the consultants hired to negotiate payments may both end up on the wrong side of the law.
Meanwhile, on Sept. 24, China’s central bank announced a widely publicized ban on all cryptocurrency transactions, including services provided by off-shore exchanges. This ban follows several other measures by Chinese authorities, including bans on initial coin offerings, bank handling of Bitcoin and certain crypto mining activities. Like other countries, including the U.S., China has confronted concerns that highly volatile digital currencies could undercut or destabilize financial and monetary systems, introduce systemic risk, and promote financially motivated crimes. Notably, while the impact on the official state-backed digital currency e-CNY appears unclear, this development highlights the regulatory risks and uncertainties faced by cryptocurrency-related businesses.
China’s sweeping new Personal Information Protection Law
In the past few years, the legislative and regulatory landscape regarding privacy and data security has changed significantly in China, and businesses with China-facing operations should continue to evaluate their compliance, especially given recent news. On Sept. 1, China’s Data Security Law went into effect, which primarily applies to businesses that conduct data processing in China. Most recently, the Standing Committee of China’s National People’s Congress enacted the Personal Information Protection Law (PIPL), which will take effect on Nov. 1, 2021. An unofficial translation is available here. Although the PIPL shares several similarities with the General Data Protection Regulation (GDPR), including with respect to personal information rights, there are significant substantive differences. Also, despite the looming effective date, commentators have highlighted major areas of uncertainty or ambiguity within the law and suggest the PIPL may create a surge in demand for compliance-related products and services. While several key features are summarized below, organizations should carefully assess the PIPL’s applicability and requirements.
- Extraterritorial application and requirements: The PIPL applies within China and generally applies to the collection or processing of personal information on natural persons by entities outside of China that (1) provide products or services to individuals in China or (2) analyze or assess behavior of individuals in China. While anonymized information is not considered personal information under the PIPL, “personal information” is broadly defined to include “various types of electronic or otherwise recorded information relating to identified or identifiable natural person.” “Processing” is also broadly defined to include “collection, storage, use, refining, transmission, provision, public disclosure or deletion of personal information.” Additionally, offshore personal information processing entities (PIPEs)—akin to a data controller under the GDPR—will need to establish a dedicated office or appoint a dedicated representative within China to be responsible for personal information issues.
- Basis for processing: Like the GDPR, under the PIPL, organizations must have a lawful basis to process personal information. Broadly, notice and consent appears to be the primary legal basis on which companies can rely for processing. That said, organizations should also be aware that the PIPL definition of consent is broadly in line with the strict GDPR requirements for consent. There are several exceptions to the notice and consent requirement, including where processing is necessary to enter or perform a contract to which an individual is a party or in the context of human resources management. However, the PIPL still requires a separate consent if processing involves: (i) sharing of personal information with other processing entities; (ii) public disclosure of personal information; (iii) sensitive personal information; or (iv) transfer of personal information outside of China.
- Cross-border transfers: As noted above, to transfer personal information outside of China, PIPEs must obtain consent as well as provide individuals with certain information about the transfers and adopt measures to ensure the same level of protection by recipients overseas. Importantly, entities must also carry out a Personal Information Protection Impact Assessment. Additionally, where Critical Information Infrastructure (CII) operators are involved, including entities that process a volume of personal information exceeding a threshold to be determined by Chinese authorities, those entities must (1) locally store personal information collected and generated in China and (2) pass a security assessment by the Cyberspace Administration of China.
- Personal Information Protection Impact Assessments: As indicated above, transfers of personal information overseas trigger an assessment requirement. However, PIPEs must also conduct assessments where processing involves automated decision-making and processing of sensitive information. Further, PIPEs are required to maintain processing records for at least three years.
- Penalties and enforcement: The PIPL provides for certain private rights of action for violation of personal information rights (e.g., rejecting individual requests for access, correction, deletion, etc.). From an enforcement standpoint, regulators have broad discretion and may impose corrective actions, issue warrants, confiscate income and impose fines, suspend services, or even record violations in the credit files of the PIPE under the national social credit system. Like the GDPR, top-end penalties are potentially steep, including up to 5% of annual revenue for more serious violations (although whether this includes revenue generated in China or globally is unclear).
ITEMS TO KNOW AND KEEP IN MIND GOING FORWARD
In with the new: New EU SCCs required as of Sept. 27
As previously covered by Katja Garvey, entities that use EU Standard Contractual Clauses (SCCs) for transfers of personal information from the European Economic Area (EEA) had until Sept. 27 to start using the new SCCs for new agreements involving the transfer of personal information. Significantly, however, organizations can continue to rely on the previous iteration of SCCs in existing agreements until Dec. 27, 2021. That said, whether relying on the old or new SCCs, organizations also need to be aware of the requirement to conduct Transfer Impact Assessments (TIAs), on account of the Schrems II decision (with the old SCCs) and as an explicit contractual requirement under the new SCCs. Broadly, TIAs should consider the sufficiency of foreign (non-EEA) protections on a case-by-case basis. For the new SCCs, among other considerations applicable to TIAs, parties are expressly required to warrant that “they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses.” Further, the new SCCs require TIAs to be documented and made available to the competent supervisory authority upon request.
Taking a step back, organizations with a large number of agreements relying on SCCs should already be cognizant of the potentially heavy lift of managing the TIA requirements and the transition to the new and more exacting SCCs by the deadline next year. This might also be an opportunity to double-check that service providers/sub-processors also meet GDPR requirements. Finally, as covered in last month’s edition, while transfers from the U.K. still fall under the old SCCs modified for U.K. data protection laws, organizations should keep an eye out for changes that may result in better EEA/U.K. alignment with respect to transfers out of the U.K. and EEA.
A new CFPB director and expectations for increased enforcement
After months of uncertainty, on Sept. 30, the Senate confirmed a current FTC Commissioner, Rohit Chopra, as the new Director of the Consumer Financial Protection Bureau (CFPB). The party-line confirmation vote reflects division over both Director Chopra’s nomination and the ultimate role of the CFPB, which was tasked with consumer protection in the financial sector in the aftermath of the 2007 and 2008 financial crisis. Interestingly, Chopra’s confirmation also means the FTC will once again be split along party lines. Supporters view Director Chopra as an experienced regulator who has advocated for action against significant market participants. However, given Director Chopra’s prior involvement with the CFPB and his actions as an FTC Commissioner, detractors argue that he will pursue an anti-business agenda, seeking to further expensive regulation. Under the prior administration, the CFPB generally pursued few actions against major financial institutions, and the number of enforcement actions and consumer recoveries decreased. The CFPB under Director Chopra is expected to be more active in deploying its supervisory, rulemaking and enforcement authorities, particularly with respect to unfair, deceptive or abusive acts and practices (UDAAP). Further, among other priorities, Director Chopra has outlined an interest in examining data-collection and privacy practices at major lenders. Given the expectations for increased CFPB activity, organizations subject to CFPB oversight will likely want to review their compliance management systems and closely follow the work of the CFPB’s new leadership.
A new data privacy and security focused bureau: A step towards broader data privacy and security authority for the FTC?
At a time when businesses of all sizes are grappling with how to address an increasingly complex patchwork of state privacy requirements, a new proposal has garnered attention that would appropriate $1 billion towards the establishment of a privacy bureau at the Federal Trade Commission (FTC). This follows headline cyber security incidents, greater public awareness of privacy concerns and a new batch of privacy and security-related Congressional proposals that involve mandatory breach notification requirements. As part of a $3.5 trillion spending bill that faces an uncertain future, the new bureau would be tasked with “accomplishing the work of the [FTC] related to unfair or deceptive acts or practices relating to privacy, data security, identity theft, data abuses and related matters.” The FTC is currently split into three bureaus, with the Bureau of Consumer Protection addressing data privacy and security-related actions against unfair or deceptive acts or practices under Section 5 of the FTC Act. While the measure’s future is currently uncertain, this proposal reflects a broader focus at the federal level on boosting federal privacy oversight via existing regulatory infrastructure, if not through legislation.