Last Month in Privacy: November 2021
December 02, 2021
China: PIPL enters into effect
November started with the entry into effect of China's Personal Information Protection Law.
The PIPL governs personal information processing activities carried out by entities or individuals within China and, together with the Cybersecurity Law and the Data Security Law introduces a new data protection regime for China. Additionally, the Cyberspace Administration of China requested public comments on its draft Measures for Data Export Security Evaluation and its draft Network Data Security Management Regulations which seek to clarify data exports and address requirements such as data breach reporting, data sharing, consent, and data subject rights. To find out more about how OneTrust can assist with PIPL compliance, visit www.onetrust.com.
Read more here.
EU: EDPB releases guidelines on interplay between Article 3 and Chapter V of GDPR
The European Data Protection Board published its guidelines on the interplay between the application of Article 3 and the provisions on international transfers under Chapter V of the GDPR.
The guidelines identify three cumulative criteria that qualify data processing as a transfer and provide supplementary examples of specific processing situations which the EDPB has considered. For example, the EDPB highlights that the second criterion is neither fulfilled in cases where the controller in a third country collects data directly from a data subject in the EU, nor in cases of remote access of personal data in a third country by an employee of the controller.
The Guidelines will be subject to public consultation until the end of January.
Read more here.
UAE: UAE enacts new Federal Law on Protection of Personal Data as part of legislative reform package
The UAE Cabinet announced that it had enacted its Federal Law on the Protection of Personal Data.
Key features of the Law include:
- data controller obligations, including impact assessments, breach notifications, data protection officer appointments ('DPO'), and maintenance of data processing records.
- data processor obligations including requirements regarding the relationships with data controllers;
- principles for the lawful processing of personal data;
- a requirement of consent for lawful processing of personal data and instances where consent shall not be required;
- data subject rights; and
- cross border data transfers.
The Law will enter into effect on 2 January 2022 and provides for an implementation period of 12 months.
Read more here.