Ban on the internal market of products derived from forced labour: a new Regulation to enter into force by the end of 2024

On 5 March 2024, the Council and the European Parliament reached a provisional agreement on the prohibition of products derived from forced labour, as defined by the International Labour Organisation, and their export to third countries. The agreement introduces a series of changes specifying the responsibilities of the Commission and the competent national authorities in the investigation and decision-making process.

Inspired by Section 307 of the US Tariff Act, which gives US Customs and Border Protection the power to refuse entry into the United States of goods whose manufacture has involved the use of forced labour (Withhold Release Orders – WROs), this proposed Regulation authorises the supervisory authorities to penalise companies by ordering them to withdraw, at their own expense, goods produced using forced labour that they have sold on the European market.

Various elements of the provisional agreement between the two institutions should be mentioned here:

  • A database will be created by the Commission detailing verifiable and regularly updated information on the risks associated with forced labour, including reports from international organisations such as the International Labour Organisation.
  • This agreement implements various criteria that the Commission and national authorities must apply when assessing the likelihood of a breach of the Regulation:
    • The extent and severity of alleged forced labour, including whether forced labour imposed by a State can be a cause for concern;
    • The quantity or volume of products placed or made available on the EU market;
    • The proportion of the final product that is likely to be the result of forced labour;
    • The proximity of economic operators to the risks of presumed forced labour in their supply chain, and their scope for action in response.
  • Guidelines published by the Commission will inform economic operators and Member States and help them comply with the requirements of the Regulation, and will set out good practices for remedying forced labour.
  • On the basis of these data, the authorities will open an investigation if there is reasonable evidence to suggest that a product has been produced using forced labour. The Commission will lead investigations outside EU territory. Where the risks are located on the territory of a Member State, the competent authority of that State will lead the investigations. Similarly, if the competent authorities, in the course of assessing the likelihood of violations of the Regulation, discover new information concerning suspected forced labour, they must inform the competent authorities of the other Member States, provided that the suspected forced labour takes place on their territory.
  • Economic operators may be heard at all stages of the investigation, and relevant information may be taken into account.
  • The decision to ban, withdraw or decommission a product produced using forced labour will be taken by the authority that conducted the investigation. In addition, the agreement specifies that when a component of a product has been found to be in breach of the regulation because it has been produced using forced labour, the obligation to take the product out of circulation applies only to that component and not to the entire product.

This Regulation strengthens the scope of the proposed Directive on corporate sustainability due diligence by obliging companies to ensure that their supply chain is free from forced labour.

In doing so, it is helping to complete the legislative framework for corporate social responsibility, as illustrated by the Corporate Sustainability Reporting (CSRD) and Corporate Sustainability Due Diligence (CSDD) directives.

Our DS team in Brussels and Paris works closely with our clients on this issue. We remain at the disposal of any company wishing to defend its rights and interests regarding forced labour.

Link to the Council of the European Union press release: Council and Parliament reach agreement on ban on products of forced labour

Link to the provisional agreement between the Council and the Parliament: Proposal for a Regulation of the European Parliament and of the Council on the prohibition of products of forced labour on the EU market

The Customs and International Trade teams at DS Avocats will be happy to provide you with further information: dscustomsdouane@dsavocats.com

Asia Newsletter #2

Data protection and privacy legal frameworks are evolving rapidly worldwide, and Asia is no exception. Over the past two years, several key jurisdictions have adopted new regulations or updated their existing data protection laws.

These regulations, heavily influenced by the EU’s GDPR, set high standards of compliance for organizations handling personal data. Our Asia-based teams have prepared a detailed overview of national privacy approaches in China, India, Indonesia, Singapore and Vietnam.

The ban on providing IT services and selling software to Russia: a new tool to limit Russia’s industrial capabilities

Since Russia’s invasion of Ukraine in February 2022, the European Union (hereinafter the “EU”) has continued to put in place restrictive measures to sanction Russia’s actions. Regulation No. 833/2014, which restricts and prohibits the import and export of certain products originating in Russia, has thus been modified multiple times.

Among these modifications, some aim to limit Russia’s industrial capacities. For instance, since June 3rd, 2022, it is prohibited to provide, directly or indirectly, certain services to the Russian government or to legal persons, entities or organizations established in Russia. Article 5n §1 targets accounting services, business and management consulting services or public relations services.

Since October 6th, 2022, following the 8th sanctions package, this ban has been extended to other services. Under §2 of Article 5n, the provision of, for example, legal advisory services and IT consulting services is prohibited.

On December 18th, 2023, Regulation (EU) 833/2014 was once again amended following the adoption of the 12th “package” of sanctions. Article 5n was supplemented by paragraph 2b. This paragraph provides that it is now prohibited to sell, transfer, export or make available, directly or indirectly, software for the management of enterprises and industrial design and manufacturing software listed in Annex XXXIX to the Russian government or to legal persons, entities or organizations established in Russia. According to the Commission’s FAQs, this ban also covers updating and upgrading such software, and applies to software both in material form (for example, saved on a USB key) and in intangible form (for example, stored in a cloud).

Management of enterprises means the systems used “to represent and digitally control all the processes taking place in a company”, including enterprise resource planning (ERP), customer relationship management (CRM), business intelligence (BI) or supply chain management (SCM).

Design and manufacturing software includes software “used in architecture, engineering, construction, manufacturing, media, education and entertainment, including” software that enables building information modeling (BIM), computer-aided design (CAD) and computer-aided manufacturing (CAM).

It is important to underline that all the typical components of the above-mentioned suites are also covered by this annex. For business management software, for example, this includes accounting, fleet management, logistics and human resources software.

Regarding the deadlines surrounding Article 5n 2b, prohibitions targeted by the article entered into force on December 18th, 2023. The Commission has, however, allowed an additional period: these prohibitions will be effective as of March 20th, 2024, for contracts concluded before December 19th, 2023, or ancillary contracts necessary for execution.

The prohibitions in Article 5n §1, §2 and §2b will only be effective for Russian subsidiaries of EU groups as of June 20th, 2024. From this date, an authorization will be required to provide these services. However, it is important to remember that the Commission penalises circumvention of the sanctions. It is therefore necessary to conduct the “due diligence” process rigorously.

Link to the text: COUNCIL REGULATION (EU) No 833/2014 of 31 July 2014 (consolidated version)

European Commission’s FAQs: Consolidated FAQs on the implementation of Council Regulation No 833/2014 and Council Regulation No 269/2014

Data regulation – Vietnam

Data protection and privacy frameworks are increasingly being developed globally. This is particularly the case in Asia: in the past two years, several key jurisdictions, including China, India, Indonesia and Vietnam have either introduced their jurisdiction’s first-ever comprehensive data protection laws or are updating and reforming their existing privacy laws. These regulations are very much influenced by, or borrow concepts from, the EU General Data Protection Regulation (“GDPR”) and set a high standard of compliance for organisations processing personal data.

Below is a snapshot of China, India, Indonesia, Singapore and Vietnam national approaches to privacy prepared by our Asia data privacy task force.

Our Asia data privacy task force. At DS Avocats, we have developed a strong expertise in data protection issues in Asia, enabling us to assist our clients in the development of their operations while taking into account their data compliance obligations. Our knowledge of the GDPR also allows us to bridge the needs of European based headquarters and the local subsidiary in China, India, Indonesia, Singapore and Vietnam.

On 17 April 2023, the Government issued Decree 13/2023/ND-CP on Personal Data Protection (“DPDP”) providing a comprehensive and uniform approach to data protection in Vietnam. The DPDP took effect on 1 July 2023.

A combination of international trends and local governance

Heavily influenced by the GDPR, the DPDP provides a clearer definition of personal data (basic and to-be-considered sensitive ones), responsibility of organisations and individuals that process personal data, as well as the rights of individuals over their personal data.

Despite being influenced by the GDPR, the DPDP provides some unique provisions such as the prohibition of the sale and purchase of personal data through any means, unless otherwise provided by law. This is expected to have a huge effect on the activity of data brokers and other businesses engaged in commodification of personal data. The DPDP also does not recognise the principle of “legitimate interests”.

Children Personal Data Protection

Like the GDPR, the DPDP provides special protection for children’s personal data. However, there’s a difference between the laws in the age threshold for obtaining valid consent. In Vietnam, the DPDP requires the consent of a parent or legal guardian of children aged 7 or older (nothing on age verification), while the GDPR only allows individuals over 16 to give consent independently for processing of their personal data.

The DPDP states that only the child’s parent or legal guardian can withdraw consent for the processing of the child’s data. However, it remains unclear whether the child himself/herself can revoke his/her consent and have his/her data deleted.

Requirements for Cross-Border Transfers of Personal Data

A Dossier of Impact Assessment for a Cross-Border Transfer of Personal Data is to be created before any cross-border transfer of data takes place. This Dossier must also be submitted to the Department of Cybersecurity and Hi-Tech Crime Prevention (“DCHCP”) of the Ministry of Public Security (“MPS”) within 60 days of the date of processing of the data.

The Vietnamese Ministry of Public Security reserves the right to halt a personal data transfer if: (i) the transferred data is used for activities violating the national interest and security of Vietnam; (ii) the transferor does not comply with requests to supplement the impact assessment dossier; or (iii) there is an incident of leakage or loss of personal data of Vietnamese citizens—it seems this may be applied even if there is no fault of the transferor.

Implication for business

The DPDP regulates data protection in parallel to certain specific legal instruments also regulating data governance in Vietnam such as the Law on Cybersecurity (and its data localization requirements). It is critical for companies to understand and identify their new obligations under the DPDP and assess steps to be taken to comply with the DPDP.

Summary of the DPDP

Legislation: Decree No. 13/2023/ND-CP dated 17 April 2023 on protection of personal data

Authority: Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention)

Scope of application: Vietnamese individuals and organizations (including those operating offshore) and also foreign entities operating in Vietnam, or directly engaging in or relating to personal data processing activities of Vietnamese citizens.

Parties involved in processing data:
• Personal data controller: organization or individual that decides purposes and means of processing personal data
• Personal data processor: organization or individual that processes data on behalf of the Personal Data Controller via a contract or agreement with the Personal Data Controller
• Personal data controlling and the processing entity: organization or individual that jointly decides purposes and means, and directly processes personal data

Definition of personal data: Information in the form of symbols, scripts, numbers, images, sounds or any other similar form in the electronic environment, which pertains to a particular individual or facilitates the identification of a particular individual. Personal data includes “basic personal data” and “sensitive personal data”.

Personal data protection principles: 8 principles:
1. The personal data shall be processed as prescribed by law.
2. The data subject shall be entitled to receive information related to the processing of his/her personal data, unless otherwise provided for by law.
3. The personal data shall be processed for the purposes that have been registered and declared by the Personal Data Controller, the Personal Data Processor, the Personal Controlling And The Processing Entity and the Third Party.
4. The collected personal data shall be appropriate for the scope and purposes of processing. The purchase or sale of personal data shall be prohibited in any form, unless otherwise provided for by law.
5. The personal data shall be updated and added for the processing purposes.
6. The personal data shall be protected and secured throughout the processing. To be specific, the personal data shall be protected from violations against regulations on protection of personal data and prevention of loss, destruction or damage caused by incidents and use of technical measures.
7. The personal data shall be stored within a period of time that is appropriate for the processing purposes, unless otherwise provided for by law.
8. The Personal Data Controller and the Personal Controlling And The Processing Entity shall comply with the rules for data processing in accordance with the laws and prove their compliance.

Rights of the person concerned: 11 rights:
1. Right to be informed
2. Right to consent
3. Right of access to personal data
4. Right to withdraw consent
5. Right to erase personal data
6. Right to limit processing
7. Right to obtain personal data
8. Right to object to processing
9. Right to lodge a complaint and take legal action
10. Right to claim damages
11. Right to self-defense

Requirement for consent:
• The consent of the data subject shall be granted to all activities in the processing of his/her personal data, unless otherwise provided for by law.
• The consent of the data subject is valid until the data subject has other decisions or the competent authority makes written request.
• The withdrawal of consent shall not affect the lawfulness of the processing to which consent was given before it is withdrawn.

Measures to ensure protection of personal data:
• General protection: management and technical measures from the parties relating to the personal data, plus the competent government.
• Additional measure for sensitive data: assignment of a data protection department and a data protection officer within the organization/entity.

Impact assessment on data processing: The data controller, data processor, and data controlling and processing entity are required to prepare and report to the MPS the application dossier for assessing the impact of personal data processing. Such dossier should be submitted to the DCHCP of the MPS within 60 days of the start of personal data processing. Any related updates or changes should also be reported.

Cross-border transfer of data and impact assessment on overseas transfer:
Definition of “cross-border transfer of data”: An act of using cyberspace, electronic devices, equipment, or other forms to transfer personal data of a Vietnamese citizen to a location outside the territory of the SRV or using a location outside the territory of the SRV to process personal data of a Vietnamese citizen. To be specific:
a. An organization, enterprise or individual transfers personal data of a Vietnamese citizen to an overseas organization, enterprise or management department in order to process the data for the purposes agreed upon by the data subject;
b. The personal data of a Vietnamese citizen is processed by automatic systems outside the territory of the Socialist Republic of Vietnam of the Personal Data Controller, Personal Data Controlling And The Processing Entity, Personal Data Processor for the purposes agreed upon by the data subject.

Condition on cross-border transfer of data:
• Data subject’s consent is obtained
• A transfer impact assessment dossier is inspected and evaluated by DCHCP of the MPS (within 60 days of the transfer)
• A written notification to the DCHCP must be submitted after the data is transferred successfully.

Breach notification:
• Timeline: 72 hours from the time of breach event (late notification must be accompanied by an explanation)
• Authority to receive notification: DCHCP of the MPS

Penalties:
• Discipline
• Administrative sanction
• Criminal punishment

Data regulation – India

Since the Supreme Court of India declared the “right to privacy” a fundamental right in a landmark 2017 judgment and urged the national government to establish a data protection regime, policymakers have worked toward passing central legislation to protect privacy. As a result of this effort, the Digital Personal Data Protection Act, 2023 (“DPDPA”) was finally passed on August 11th 2023.

The DPDPA replaces a set of rules made under section 43A of the Information Technology Act, 2000 — which superficially resemble a data protection law.

The DPDPA aims at regulating the processing of digital personal data in a manner that recognizes both the rights of individuals to protect their personal data and the need to process such personal data for lawful purposes.

GDPR and DPDPA

The DPDPA has been partially modelled on the GDPR and data protection laws in Singapore and Australia.

While the GDPR employs an extraterritorial approach, meaning it applies to businesses worldwide that process personal data of EU data subjects, regardless of their geographical location and grants extensive rights to individuals (including the right to data portability, the right to erasure, the right to rectification, and the right to object), the DPDPA primarily focuses on data collected, processed, and stored within India. It has a national scope and applies to Indian citizens, as well as foreign companies processing their data.

Philosophically, the GDPR is grounded on the principles of fundamental individual rights, especially the right to privacy. It places data protection as a fundamental right of the individual and centers the importance of preserving the confidentiality of personal data. Conversely, the Indian approach highlights data sovereignty and the need to promote the economic development of the country. It seeks to strike a balance between personal data protection and the country’s development interests, including facilitating business and fostering innovation and the digital economy.

In summary, the GDPR focuses on safeguarding fundamental individual rights and the preservation of privacy, while the DPDPA emphasizes data sovereignty and striking a balance between data protection and economic development. These differences reflect the values and priorities unique to each region, but both regulations share the common goal of ensuring the protection of personal data.

Summary of the DPDPA

Legislation: India Digital Personal Data Protection Act 2023. Expected to come into effect in early 2024.

Regulator: Data Protection Board of India (DPBI)

Scope:
• Any entity that processes digital personal data within Indian territory.
• Extraterritorial jurisdiction: covers data processed outside of India, if done with the intent to offer goods and services to individuals within India.
Exclusion: does not apply to Indian companies providing outsourcing services (processing in India of data that have been collected abroad and that does not affect data principals from India).

Concept of personal data:
• The DPDPA applies uniformly to all types of personal data — defined as “any data about an individual who is identifiable by or in relation to such data.”
• The DPDPA does not contain any provisions on special category data (i.e. sensitive data). However, a “significant data fiduciary” (classified as such based on volume and sensitivity of the personal data and other prescribed criteria) is subject to a higher compliance burden.
Exclusion:
• Non-digitised data. Unlike the GDPR, the DPDPA does not seek to regulate a processing operation or activity that is wholly manual or non-automated
• Personal data processed for personal or domestic purposes or aggregated personal data collected for research and statistical purposes which is not used for any decision specific to a data
• Personal data made publicly available

Parties involved in data processing:
• Data fiduciary: any person that decides on the purposes and means of processing of data (data controller). Can be a significant data fiduciary.
• Data processor: any person who processes personal data on behalf of the data fiduciary
• Data principal: individual to whom personal data relates (data subject)
Unlike the GDPR, the DPDPA does not impose obligations directly on the data processor but instead expects data fiduciaries to ensure compliance by data processors they engage through data processing agreements.

Rights and duties of data subjects:
• Right to access
• Right to correction
• Right to erasure
• Right to grievance redressal
• Right to nominate
• Not to impersonate another person
• Not to suppress material information
• To furnish only verifiably authentic information
• Not to make frivolous complaints.
Unlike the GDPR, no right of data portability.
Indian citizens can exercise their rights by the methods prescribed by the data fiduciaries.
Data fiduciary must establish an effective mechanism for grievances by data principals.

Data localisation: While it doesn’t impose strict localisation requirements, it grants the government powers to mandate local storage for certain types of data in the interest of national security.

Power of the state:
• Disclosure of personal data by data fiduciaries to the State/agents of the State (“State”) under a legal obligation: ‘legitimate use’, no consent or intimation required.
• State exempted from seeking consent (and other obligations under the DPDP Act, including that of erasure of personal data in its records) where the processing of personal data is for the performance of any legal function, is in the interest of security, sovereignty and integrity of India or is to maintain public order.
• Indian government responsible for the appointment of the members of the DPBI.
The DPDP Act does not include conditions covering contractual necessity or legitimate interests. A previous version of the DPDP bill contained an exemption for processing in the public interest, but this has since been modified to only apply to the State.

Security: Data controller must implement reasonable security safeguards and appropriate technical and organisational measures to ensure compliance with the DPDPA and prevent personal data breaches.

Requirement for consent: Data processing requires explicit users’ consent, unless data can be processed based on another legal basis.
Consent must be:
• Free: The data principal must not feel coerced or pressured to give consent.
• Unconditional: The consent cannot be made conditional on anything else, such as providing a product or service.
• Unambiguous: The data principal must be clear about what they are consenting to.
• Specific: The consent must specify the purpose for which the data is being collected and processed.
• Informed: The data principal must be given enough information about how their data will be used so that they can make an informed decision about whether to consent.
Data fiduciary must issue notice explaining purpose and means of data processing. Data fiduciary shall give the data principal the option to access the contents of the notice in English or any of the 22 languages specified in the Eighth Schedule to the Constitution.
Data principal has the right to revoke their consent at any time.
Processing of children’s (below 18 years of age) data requires the verifiable consent of a parent or a guardian. Any tracking and behavioural monitoring of children or targeted advertising towards children is prohibited.

Impact assessment on data processing: Only the significant data fiduciaries are required to conduct a Data Protection Impact Assessment (DPIA).

Cross-border transfer of data and impact assessment on overseas transfer: Unlike the GDPR, transfer of personal data for processing outside India is generally permitted under the DPDPA.
The Indian government can identify specific countries to which data transfers are prohibited. At present, the government has not given any indication of the countries that may feature on this list.
If the DPDPA provisions on international data transfer conflict with other Indian laws, the law which provides a higher degree of protection or restriction on cross-border transfers will prevail (i.e. sector-specific regulations, such as the RBI’s data localisation mandate with respect to payment system data, will continue to apply).

Breach notification:
1. Report a breach to the DPB within 72 hours of becoming aware of the breach
2. Information of the data principals affected by the breach
3. Data principals who are harmed by a data breach may be able to sue the data fiduciary in breach for damages

Penalties: Fines:
• Failure by a data controller to take reasonable security measures: fines up to INR 250 crore (Euro 2,800,000)
• Failure to notify a personal data breach or comply with children’s data protection requirements: fines up to INR 200 crores (Euro 2,240,000)
Fines are determined by the DPB, depending on the nature of the offense.

Data regulation – Indonesia

Indonesia’s long awaited law on Personal Data Protection (Law No. 27 Year 2022) (“PDPL”) finally came into force on 17 October 2022. With its extraterritorial coverage, the PDPL also applies to processing activities outside Indonesian jurisdiction so long as the activities have legal effect or consequences within Indonesia and/or towards Indonesian data subjects outside Indonesia. It classifies personal data into specific and general categories. The PDPL regulates various personal data processing activities, emphasizing principles such as limited and transparent data collection, accurate processing, and security measures. Transitional provisions set a two-year compliance period for entities involved in personal data processing.

PDPL and GDPR

The PDPL is both similar to and different from the GDPR.

Both regulations have adopted a broad definition of “personal data” and have created different categories of data based on their sensitivity. The PDPL adopts an extraterritorial approach similar to that of the GDPR, applying to any entity that processes personal data of Indonesian citizens, whether or not they are in Indonesia, and to entities outside of Indonesian jurisdiction who have an impact within Indonesia.

Also, they both aim to safeguard individuals’ rights, emphasizing the importance of protecting personal data as a human right by prioritising transparent and accountable data processing and ensuring individuals are informed.

The PDPL is however critically different from the GDPR concerning the powers of the regulatory bodies. While the Indonesian law gives substantial powers to the government to formulate policies, supervise implementation and enforce sanctions, the GDPR relies on independent authorities.

Moreover, the PDPL highlights promoting the growth of the digital economy and information technology industry alongside personal data protection, reflecting a dual focus on development and privacy, while the GDPR focuses on protection of individual rights.

Cross-Border Data Transfer Requirements

Under the PDPL, data controllers transferring personal data abroad must ensure that the recipient country has a level of data protection equivalent to or higher than their own. While the GDPR emphasises adequacy decisions, the PDPL focuses on ensuring the receiving entity’s protection level. Moreover, the PDPL introduces the possibility of obtaining approval from the relevant data subject if equivalent protection is not assured, a provision not explicitly present in the GDPR.

The PDPL sets forth administrative sanctions to ensure compliance. These sanctions are designed to encourage organisations to adhere to the principles and comply with the obligations outlined in the PDPL. The severity of the sanction depends on the nature and extent of the violation, aiming at balancing enforcement with the goal of promoting responsible and lawful personal data processing.

Legislation: Law No. 27 Year 2022, Personal Data Protection Law
Sector-specific regulation: Banking / Financial Services
Regulator: Ministry of Communication and Informatics of the Republic of Indonesia
Scope: Extra-territorial. Any entity processing Indonesian personal data, whether they are within or outside of Indonesia.
Definition of personal data: Personal data means any data related to identified or identifiable individuals, separately or in combination with other information, directly or indirectly, through an electronic or non-electronic system.

Sensitive personal data includes:
1. Health and information data;
2. Biometric data; genetic data;
3. Criminal records; children’s data;
4. Personal financial data; and/or
5. Other data in accordance with provisions of laws and regulations.
Parties involved in the processing of data:
Controller: means any person or corporation, public institution and international organisation acting individually or jointly that determine the purposes and have control over personal data processing activities.
Processor: means any person or corporation, public institution and international organisation acting individually or jointly in processing personal data on behalf of the Controller.
Principles under the PDPL:
1. Lawful, fair and transparent processing
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Integrity, security and confidentiality
6. Lawful retention
7. Ensuring data subjects’ rights
8. Accountability
Rights of data subjects:
1. Right to obtain information
2. Right to complete, update and/or rectify errors or inaccuracies
3. Right to access data or copies of data; right to terminate the processing, deletion or disposal of data
4. Right to withdraw consent
5. Right to object against automated decision-making
6. Right to restrict processing; right to file a lawsuit
7. Right to obtain, use or transfer their data
8. Right to complain to the relevant data protection authority(ies)
Security: The Controller and Processor are required to protect and ensure the security of the processed personal data. This shall be achieved through:
a) preparing and implementing operational technical measures to protect personal data from disruption in the data processing;
b) determining the security level of personal data by taking into account the nature and risks of the processed personal data; and
c) using a security system for the processed personal data and/or processing personal data using an electronic system in a reliable, secure and responsible manner.
Requirement for consent: Children: Under the PDPL, processing children’s personal data requires the consent of their parent or legal guardian. The PDPL defers the authority to set out the age of consent to other laws. Based on Law No. 23 of 2002 regarding Child Protection, as amended by Law No. 35 of 2014, a child is an individual who has not reached the age of 18 years.
Cross-Border Data Transfer: Cross-border data transfer can be carried out if one of the following conditions is fulfilled:
a) the transferor must ensure that the recipient’s country has an equivalent or higher standard of personal data protection than the PDP Law;
b) if the above condition in letter a is not met, the transferor must ensure the existence of an adequate and binding instrument (e.g., standard contractual clause); or
c) if the above conditions in letters a and b are not met, the transferor must obtain the data subjects’ consent.
Breach notification: In the event that a data breach occurs, the Controller is required to submit a written notification to the affected data subjects and the Indonesian DPA no later than three days from the occurrence of the data breach. In certain circumstances, the data breach shall also be notified to the public if it disturbs public services and/or has a material impact on the public interest. The notification shall contain the following items:

– the disclosed data;
– the time and reason of the breach; and
– the remedy measure carried out by the Controller.
Penalties / sanctions:
I) written warning
II) temporary suspension of the data processing activity
III) erasure or destruction of personal data; and/or
IV) an administrative fine in the maximum amount of two per cent of annual income or annual receipt of the violation variable

Data regulation – China

Data protection and privacy frameworks are increasingly being developed globally. This is particularly the case in Asia: in the past two years, several key jurisdictions, including China, India, Indonesia and Vietnam have either introduced their jurisdiction’s first-ever comprehensive data protection laws or are updating and reforming their existing privacy laws. These regulations are very much influenced by, or borrow concepts from, the EU General Data Protection Regulation (“GDPR”) and set a high standard of compliance for organisations processing personal data.

Below is a snapshot of China, India, Indonesia, Singapore and Vietnam national approaches to privacy prepared by our Asia data privacy task force.

Our Asia data privacy task force. At DS Avocats, we have developed a strong expertise in data protection issues in Asia, enabling us to assist our clients in the development of their operations while taking into account their data compliance obligations. Our knowledge of the GDPR also allows us to bridge the needs of European based headquarters and the local subsidiary in China, India, Indonesia, Singapore and Vietnam.

  1. Brief Introduction of Personal Data Protection in China

The Personal Information Protection Law (“PIPL”) of the People’s Republic of China (“PRC”), which came into effect on 1 November 2021, is known as the “Chinese GDPR” due to its similarities with the EU General Data Protection Regulation (“GDPR”).

Foreign invested enterprises (“FIEs”) familiar with the European approach to data protection would have some advantages in implementing the “Chinese GDPR”, as some of the best practices established under the GDPR hold significant value as a model. However, as influenced by the GDPR as the PIPL might be, one cannot simply rely on their knowledge of the GDPR while approaching the PIPL and must take into account the distinctive features of data controllers/processors in China.

Although the PIPL follows a framework similar to that of the GDPR, it gradually shows more of its own unique features through its supporting regulations, implementing rules, national standards and compliance practices recommended by competent authorities. Before the PIPL came into effect, provisions related to data protection were scattered across different laws and regulations, including but not limited to the PRC Civil Code, Criminal Law, Cybersecurity Law, the Law on the Protection of Minors and E-commerce Law.

For certain strategic industries, industry-specific regulations, standards, and guidelines that may impose further obligations concerning data security and other related matters should not be overlooked. In addition to meeting the duties outlined by PIPL and PRC Data Security Law for processing data, controllers/processors may also encounter tougher cybersecurity demands and extra data processing requirements. Therefore, data controllers and processors must adapt data compliance projects by considering their target for compliance and organizational traits.

Data controllers/processors should, however, not ignore the importance of cybersecurity laws in China, especially the PRC Cybersecurity Law, which is closely intertwined with the PIPL. Indeed, some cybersecurity law infringement cases relate to violations of personal data protection, as personal data compliance should have been built upon cybersecurity compliance. Data compliance cannot be complete or effective without cybersecurity compliance.

Considering the evolving legal landscape in China, it is advisable for data controllers and processors to take a comprehensive approach in creating and implementing compliance projects. Additionally, it is critical to keep up with legal updates and adjust plans accordingly. In particular, FIEs should balance the compliance requirements imposed by their parent companies in other countries with the compliance targets established for their subsidiaries/FIEs in China.

  2. Latest Updates on Data Protection in China

Following the implementation of the PIPL, various national standards, regulations, and guides have been gradually released or updated. These legal instruments provide specific instructions on key aspects of data protection, including consent management, cross-border data transfer (“CBDT”), facial recognition, and personal data audit. Below is a brief introduction to the main legal instruments related to these topics.

  1. Consent Management

Obtaining consent is one of the legal obligations under the PIPL to process personal data. For certain significant personal data processes, obtaining separate consent from the concerned individuals is also necessary. The Chinese laws and regulations do not explicitly explain how to collect and maintain such consent, but a recommended national standard sets out the general principles regarding consent.

The Information Security Technology—Implementation Guidelines for Notices and Consent in Personal Information Processing (Reference No. GB/T 42574-2023) deals with:

  • Information of data subjects (form and content of notice);
  • Requirements to obtain consent (including separate consent) and exemptions;
  • Refusals and withdrawal of consent; and,
  • Preservation of consent as evidence.
  2. CBDT

The Chinese CBDT regime is primarily based on and further detailed by two regulations respectively specifying the scenarios and requirements where security assessments and Chinese Standard Contracts are applicable as CBDT compliance tools:

The former regulates CBDT as well as personal data, whereas the latter only supervises CBDT relating to personal data. The former appears to have more stringent requirements compared to the latter, which in practice puts data exporters in a challenging situation. A recently issued draft regulation, the Draft Provisions on Regulating and Facilitating Cross-border Data Flow (“DPRF CBDT”), released on 28th September 2023, provides exemptions to the two aforementioned regulations which, if passed, will facilitate CBDT and, notably, reduce the compliance burden for data exporters.

However, it is important to note that not all compliance obligations on personal data protection can be exempted through possible exemptions. The DPRF CBDT only pertains to CBDT compliance in later stages of an all-encompassing personal data compliance program. There is much work to be done prior to the implementation of the CBDT compliance tool, including data mapping and corrective measures to ensure lawful processing of personal data, particularly with regard to the principles of data minimization and necessity, which should be diligently observed.

Data controllers have another CBDT compliance tool at their disposal, the Personal Information Protection Certification. Due to its complexity and cost, this option is currently not widely adopted by data controllers.

  3. Facial Recognition

Facial information obtained through facial recognition is registered as biometric data/personal sensitive data in accordance with Chinese data protection laws; therefore, those in charge of data processing must comply with more rigorous regulations. Before the PIPL, a judicial interpretation called the Provisions of the Supreme People’s Court on Several Issues concerning the Application of Law in the Trial of Civil Cases involving the Processing of Personal Information Using Facial Recognition Technology, released on August 1st, 2021, provided examples of common civil disputes relating to facial recognition together with criteria on how courts will solve them.

A draft regulation on facial recognition, the Provisions on Security Management of the Application of Face Recognition Technology (for Trial Implementation), was released in August 2023 for public review. The draft document regulates the application of facial recognition and sets out the key responsibilities of data controllers. In particular, it mentions that facial recognition used in public places and processing of personal data of/over 10k data subjects should be filed with the local competent authority. Besides the basic compliance obligations on data, facial recognition service providers targeting the public face stricter requirements on their Multi-Level Protection Scheme (“MLPS”) under the PRC Cybersecurity Law.

  4. Personal Data Audit

The PIPL mandates that all data controllers conduct a personal data audit, either voluntarily or upon order of competent authorities. However, it does not specify the audit procedures, frequency or routines. In August 2023, a draft regulation, the Administrative Measures for Personal Information Protection Compliance Auditing, was published for public comment and provides guidance on personal data audits.

Conducting a personal data protection audit is an essential task for data controllers in the initial stages of a personal data compliance project. This will enable data controllers to assess any shortcomings in meeting compliance requirements. It is advisable to use this draft as a reference and commence the audit promptly, as achieving personal data compliance can be a lengthy process.

If they possess adequate resources, personal data audits can be done by the data controllers themselves. This should occur at least once every two years, or once per year if personal data for over 1 million data subjects is processed.

Data breaches or other data incidents may also trigger an audit, in which case a qualified audit service provider registered with the competent authorities should be engaged. Data controllers should implement corrective measures based on the findings of the first audit report. A second audit will be conducted to determine whether the situation has been improved, and whether the compliance target has been reached. The final report will be submitted to the competent authority.

Furthermore, the draft regulation also outlines essential elements that require auditing, as well as the obligations of audit service providers. Additionally, it stipulates the penalties for non-compliance.

Summary of the PIPL

Aspects \ Laws: Personal Information Protection Law (“PIPL”)
Effective Date: November 1st, 2021
Definition of personal data/personal information (“PI”): Personal information refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized (Article 4, PIPL). Personal information is the information recorded electronically or in other ways that can be used, by itself or in combination with other information, to identify a natural person, including the name, date of birth, identification number, biometric information, residential address, telephone number, email address, health information, whereabouts, and the like, of the person (Article 1034, PRC Civil Code).
Minors’ personal data/personal information: Any personal information of minors under 14 years old is considered as sensitive personal information. Processing personal information of minors should also comply with other applicable laws and regulations, including but not limited to, the Law of the People’s Republic of China on the Protection of Minors, Regulations on the Protection of Minors Online, and the Provisions on the Protection of Minors at School, etc.
Parties involved in data processing:
Data Processor: term used in PIPL to designate the data controller (hereinafter referred to as “data controller”/ “controller”)
Entrusted Processor: term used in PIPL to designate the data processor (hereinafter referred to as “data processor”/ “processor”)
Scope:
Territorial principle:
PIPL applies to data processing activities occurring in China.
Targeting principle:
PIPL applies to data processing activities occurring outside China but targeting natural persons in China:
1. For provision of products and/or service; or
2. for analyzing their behavior.
General principles of processing:
1. Lawfulness, legitimacy, necessity and good faith;
2. Legitimate purpose;
3. Data minimization;
4. Openness and transparency;
5. Accuracy and completeness;
6. Security.
Legal Basis for processing: PIPL requires controllers to meet at least one of the following conditions for PI processing:
1. Informed consent;
2. Contract and labor management;
3. Legal obligation;
4. Emergency (public health/vital interest of individuals);
5. News reporting, or
6. for public interest purposes;
7. PI disclosed to the public; and,
8. other legal basis specified by other laws and regulations.

PIPL specifies that processing PI legally disclosed to the public does not require the consent of the data subject; however, the data subject has the right to refuse such processing. In such a case, the processing should be stopped.
Rights of data subjects:
1. Right to information;
2. Right to access;
3. Right to rectification;
4. Right to erasure/to be forgotten;
5. Right to restriction of processing;
6. Right to data portability;
7. Right to object;
8. Right to not be subject to automated decision-making;
9. Right to make copies (associated to the right to access);
10. Right to decide on the processing activities (associated to the right to restriction and the right to deny).
Protection Measures: PIPL requires that controllers keep a registry of important data processing activities (the scenarios listed in the impact assessment below). Most of the mandatory obligations in protection of personal data and data subjects are undertaken and led by controllers, who should take appropriate technical and organizational measures to ensure the lawful processing of personal data. Processors are responsible for securing data, processing data as agreed in contractual arrangements and assisting controllers.
Impact Assessment: Personal Information Protection Impact Assessment (“PIPIA”) is required in the following scenarios:
1. Cross-border transfer;
2. Process sensitive personal information;
3. Process personal information for decision-making;
4. Providing personal information to 3rd parties;
5. Publicize personal information;
6. Any other scenarios where data subjects’ rights and interests will be greatly impacted.  

The PIPIA report shall be kept for at least 3 years. As to the approaches, they are provided in relevant Chinese national standards. Besides, the PIPIA report for cross-border transfer shall follow an official template and be submitted to the competent authority for record-filing.
CBDT: Informing data subjects, obtaining separate consent if applicable and choosing one of the following to legitimize the transfer:
1. Security Assessment organized by competent authority (in some scenarios this is mandatory and not optional for data exporters);
2. Obtained Personal Information Protection Certification issued by licensed service providers;
3. Concluding Standard Contract between data exporter and data importer.
Breach Notification: Report data breach to the competent authority/authorities within 24 hours/immediately.

Per a draft regulation released on December 8, 2023, the Administrative Measures for the Reporting of Cybersecurity Incidents, any serious cyber incident should be reported within 1 hour to the competent authority, with any key details reported within 24 hours; and, the cyber incident disposal report should also be submitted within 5 working days after it is solved.
Remedies: Data subjects may take legal actions against the infringing party, and the qualified organizations could also take civil legal actions for public interests.
  • Details of Administrative Penalties for Violation of PIPL
Scenarios: Penalties
Minor violations:
Order of rectification;
Warning;
Confiscating illegal gains (if any);
(for software applications) order of suspension or termination of the service.
Where the violator refuses to rectify the illegal activities:
Besides the above,
Pecuniary fine (RMB below 1 million) upon the violator;
Pecuniary fine (RMB 10k to RMB 100k) upon the person directly in charge of the violator.
Severe violations:
Order of rectification by the competent authority at provincial level;
Confiscating illegal gains (if any);
Pecuniary fine of maximum RMB 50 million or 5% of the previous year’s turnover;
Suspension or termination of business, and cancellation of the relevant approvals or business license;
Pecuniary fine of minimum RMB 100k to maximum RMB 1 million to the person directly in charge; and,
Such person directly in charge of the violator can be banned for a certain period of time from serving as director, supervisor, senior officer or PI protection officer of a relevant enterprise.

Data regulation – Singapore

The Personal Data Protection Act of Singapore 2012 (PDPA) came into effect on 2 July 2014 and provides a baseline standard of protection for personal data in Singapore. The PDPA’s main purpose is to protect privacy rights of individuals and regulate the collection and treatment of personal data by private organisations.

GDPR and PDPA:

The GDPR is grounded in the philosophy of individual fundamental rights, particularly the right to privacy. It places a strong emphasis on data protection as a fundamental right of the individual, positioning the safeguarding of privacy at the core of its concerns and recognizing the importance of preserving the confidentiality of personal data. The PDPA, by contrast, seeks a balance between data protection and facilitating business, and acknowledges the significance of innovation and economic development while concurrently safeguarding privacy.

Both laws are comprehensive and provide a similar personal and extra-territorial scope. They both create a supervisory authority with wide-ranging investigation and corrective powers and the possibility to impose significant monetary fines on actors in case of non-compliance. However, compliance with the PDPA does not necessarily mean the organisation is in compliance with the GDPR, as there are differing requirements under the two regimes[1].

Below is an infographic developed by the Personal Data Protection Commission of Singapore (PDPC) illustrating the broad comparison between the PDPA’s exceptions to consent and the GDPR’s legal bases for processing of personal data.

[1] However, with the amendments introduced in the enhanced PDPA that came into effect on 1 February 2021, the exceptions to consent under the PDPA have been streamlined and categorised broadly in ways that are similar to the EU GDPR’s six legal bases for processing of personal data.

Other differences are:

  • While the PDPA excludes public agencies and organisations acting on their behalf, the GDPR applies to both private and public bodies.
  • The PDPA grants narrower protection to individuals compared to the GDPR.
  • While the GDPR applies to all businesses that process personal data of EU data subjects, regardless of where they are located, the PDPA applies to any organisation, excluding public agencies, that processes personal data in Singapore.
  • Although both pieces of legislation grant people the right to be informed of the conditions under which their data is collected and used, the right to object to the collection of their data, and the right to access data that has been collected and to modify it, the GDPR goes further by notably allowing people to obtain the deletion of their personal data that has been collected. The PDPA for its part remains silent on this point. Thus, companies that have collected data are not required to delete the data collected if requested to do so.

Overview of the PDPA

Legislation: Personal Data Protection Act 2012 (No.26 of 2012) (“PDPA”)

Specific guidelines for certain sectors: telecommunications / real estate agencies / education / healthcare / social services / transport services / management corporation

Specific regulations for certain sectors: banking / healthcare / life insurance
Regulator: Personal Data Protection Commission (PDPC)
Scope: Applies to all organisations (including any individual, company, association or body of persons, corporate or unincorporated, whether or not formed or recognized under the laws of Singapore) that carry out activities involving personal data in Singapore, unless they fall within the category of organisations expressly excluded from the application of the PDPA:
• Individuals acting in a personal or domestic capacity;
• Employees acting in the course of their employment with an organisation;
• Public agencies; and
• Organisations in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of personal data.
Definition of personal data: “personal data” means data, whether true or not, about an individual who can be identified —
(a)  from that data; or
(b)  from that data and other information to which the organisation has or is likely to have access;
 
The PDPA does not define special categories of data.

The PDPC has considered in several decisions the concept of more sensitive data, including: medical data, financial data, bankruptcy status, drug problems and infidelity
Obligations under the PDPA: Personal data protection principles:
• The consent obligations (sections 13 to 17)
• The purpose limitation obligation (section 18)
• The notification obligations (section 20)
• The Access and Correction Obligations (sections 21, 22 and 22A)
• The Accuracy Obligation (section 23)
• The Protection Obligation (section 24)
• The Retention Limitation Obligation (section 25)
• The Transfer Limitation Obligation (section 26)
• The Data Breach Notification Obligation (sections 26A to 26E)
• The Accountability Obligation (sections 11 and 12)
Parties involved:
Data controller: the PDPA does not use the term ‘data controller’. Instead, it uses the more general term ‘organisation’ to refer to the entities that are required to comply with the obligations prescribed under the PDPA. The term ‘organisation’ broadly covers natural persons, corporate bodies (such as companies) and unincorporated bodies of persons (such as associations), regardless of whether they are formed or recognised under the law of Singapore, or are resident or have an office or place of business in Singapore
 
Data processor: the term ‘data processor’ is not used in the PDPA, but an equivalent term ‘data intermediary’ is used. A ‘data intermediary’ is defined as an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation. For more information on the obligations of data intermediaries, see also section on personal scope above
Rights of data subjects: Provide individuals with access to their personal data and correct errors in it
Security: Security arrangements reasonable and appropriate in the circumstances to protect personal data and prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risk
Requirement for consent: Consent obligation (sections 13 to 17): organisations are required to obtain individuals’ consent to collect, use, or disclose their personal data unless such collection, use, or disclosure is required or authorised under the PDPA or any other written law
 
Consent is not required for the collection, use, and disclosure of personal data where the specific exceptions in the First Schedule and the Second Schedule to the PDPA apply, for example where the collection, use, or disclosure of personal data about an individual is:
• Necessary for any purpose which is clearly in the interests of the individual, and (i) consent for the collection, use, or disclosure cannot be obtained in a timely way; or (ii) the individual would not reasonably be expected to withhold consent
• Publicly available
• In the national interest
• In the legitimate interests of the organisation or another person, and the legitimate interests of the organisation or other person outweigh any adverse effect on the individual
 
An organisation is further required to state the purposes for which it is collecting, using, or disclosing the data under the Notification Obligation
 
Individuals can be deemed to have given consent when they voluntarily provide their personal data for a purpose, and it is reasonable that they would voluntarily provide such data. The PDPA provides for three different forms of deemed consent:
• Deemed consent by conduct
• Deemed consent by contractual necessity
• Deemed consent by notification.
 
Consent should be written or in electronic form
 
Consent can be withdrawn at any time by an individual upon reasonable notice to the organisation
Impact assessment on data processing: Cross-border transfer of data and impact on assessment of overseas transfer
Organisations may transfer data if:
• They comply with the PDPA while the transferred data remains in their possession;
• The recipient is bound by legally enforceable obligations to provide protection comparable to that under the PDPA
Breach notification: PDPC’s Guide to Managing Breaches 2.0

Organisations are advised to notify the PDPC and/or affected individuals of data breaches that are of a significant scale or are more likely to result in significant harm or impact to the individuals to whom the information relates
Sanctions: Fines not exceeding S$1,000,000 or 10% of the annual turnover if it exceeds S$10,000,000

Do you have a company or a subsidiary in Italy?

You are required to disclose the ultimate beneficial owner (UBO) to the Business Register by December 11, 2023, with penalties for non-compliance.

After several extensions, the Register of Beneficial Owners is now fully operational.

If you have a company or a subsidiary in Italy, it is essential to disclose the UBO to the locally competent Chamber of Commerce by December 11, 2023, to avoid incurring sanctions, in compliance with the relevant Italian anti-money laundering law (Italian Legislative Decree No. 231/2007, as amended).

DS Avocats in Milano, Italy can support your company in identifying the UBO of your company, in collecting all the relevant information, and in filing the communication to the Companies’ Register.

Which entities are obliged to disclose the UBO?

  • Companies, specifically corporations (excluding partnerships), including limited liability companies (S.r.l.) and joint stock companies (S.p.A.).
  • Other entities, such as foundations and associations that are registered in a specialized Register.
  • Particular types of trusts.

Obligation to disclose the UBO and sanctions

With respect to companies, the directors are obliged to file the communication on the UBOs electronically with the Companies’ Register. In case of doubt about the identity of the UBOs, the directors must submit a formal request for the information to the shareholders. The communication must be digitally signed by the directors (firma digitale) and filed by December 11, 2023.

In addition, any future variation of the information on the UBOs must be notified to the Companies’ Register within 30 days of the variation. The information must be confirmed every year by the companies and the other obligated entities. Companies can confirm the information on UBOs concurrently with the filing of their annual financial statements.

Violations of the obligations to disclose and notify the information on UBOs are subject to fines (ranging from 103 Euros to 1,032 Euros).

What is the definition of a UBO under Italian law?

According to Decree No. 231/2007, the ultimate beneficial owner is the individual or individuals to whom, ultimately, the direct or indirect ownership of the entity or the relevant control can be attributed.

The Decree clarifies that a shareholding exceeding 25%, held by an individual in a company either directly or indirectly (i.e. through controlled companies, trust companies, or third parties), constitutes an indication of ownership. If not unequivocally identified by those criteria, the beneficial owner(s) shall be identified as the individual(s) ultimately controlling the company by means of:

(a) the control of the majority of the voting rights that can be exercised in the ordinary shareholders’ meeting;

(b) the control of a number of voting rights sufficient to exercise a significant influence in the ordinary shareholders’ meeting;

(c) the existence of any shareholders’ agreement allowing the exercise of an ultimate influence in the company.

When the criteria referred to in the above paragraphs do not permit the identification of one or more beneficial owners, the beneficial owner(s) shall be the individual(s) having the powers of legal representation and management of the company.

For more information: Tel +39 02 29060461 | milano@dsavocats.it