The DPOInsider covers the latest news and developments in data compliance and privacy every Friday. The DPO's favourite weekly read ☕️

China looks to relax cross-border data security controls

China is taking steps to address the concerns of foreign businesses regarding its stringent cross-border data controls. The Cyberspace Administration of China (CAC) has introduced new rules aimed at simplifying and clarifying the transfer of data outside the country for regular business operations. This move is seen as an attempt by Beijing to alleviate the apprehensions of foreign businesses, especially in the backdrop of the escalating US-China tensions and the growing influence of China's security apparatus.

Previously, the CAC's security rules mandated a thorough review of data export submissions from foreign entities wishing to share "important data" overseas. This created a cloud of uncertainty, with many unsure about the need for these data reviews and the definition of "important data." Graham Webster, a China expert at Stanford University, aptly pointed out the ambiguity surrounding these rules. The recent changes, as Webster suggests, pave a clearer path for the majority of data to be transferred abroad.

The new draft rules by the CAC are more specific. They state that only data explicitly labeled as important by government agencies would require a security review. This is a significant relief for global companies, as the draft rules permit the sharing of employee records outside China. Furthermore, personal information, essential for cross-border transactions or bookings, can be transferred without undergoing security reviews.

However, it's crucial to note that while these changes are a step in the right direction, they might not be enough. The expanded anti-espionage law, which came into effect in July, has led many foreign entities to segregate their local IT systems and data. The apprehension of inadvertently transferring sensitive material has pushed several companies to localize their data entirely.

In conclusion, while China's efforts to relax its data controls are commendable, the broader landscape remains complex. The mixed signals on data collection and overseas transfer, coupled with the overarching security concerns, indicate that the road ahead is still fraught with challenges. It will be interesting to see how these draft rules evolve after the public comment period in mid-October and whether they will indeed address the concerns of foreign businesses operating in China.

GDPR as Pandora’s Box

I recently delved into an article from IAPP titled "A view from Brussels: The EU GDPR and 'Pandora's box'", and it sparked a series of reflections I wanted to share with our community. The piece masterfully juxtaposes the Pandora myth with the intricacies of the EU General Data Protection Regulation (GDPR). As Pandora's actions led to unexpected outcomes, the GDPR, despite its noble intentions, has presented us with a labyrinth of challenges.

The ongoing debate about potentially "reopening" the GDPR resonated with me. It's a testament to the dynamic nature of data protection and the need for regulations to evolve alongside technological advancements. The European Commission's initiative to harmonize GDPR enforcement procedures, coupled with the joint recommendations from the European Data Protection Supervisor (EDPS) and European Data Protection Board (EDPB), signifies a proactive approach to these challenges.

The spotlight on MEPs Sergey Lagodinsky and Axel Voss adds depth to the discourse. Voss, with his extensive GDPR experience, has always been a voice of reason in the data protection arena. His forthcoming insights at the Europe Data Protection Congress are something I eagerly anticipate.

Reflecting on the article, it's evident that the GDPR, while groundbreaking, is not set in stone. Its evolution is necessary to address the ever-changing digital landscape. As data protection officers, our role is not just to navigate these regulations but to actively participate in shaping their future. The Pandora analogy serves as a reminder that while opening the box may release challenges, it also offers an opportunity for growth, learning, and adaptation.

Other data privacy news

Data protection and security: A marriage of necessity?

The data protection market is fundamentally changing. An increased focus on cybersecurity and resilience efforts should shift how an organization views backup.

General Data Protection Regulation (GDPR) – The Story So Far

Do you remember where you were on 25th May 2018? Perhaps you were enjoying a Friday night drink with friends. Perhaps you were with family, relaxing after a busy week at work.

International Criminal Court Reveals Security Breach

The International Criminal Court (ICC) yesterday confirmed the discovery of suspicious activity inside its IT network but revealed little else of a worrying security breach last week.

Poland opens privacy probe of ChatGPT following GDPR complaint

OpenAI is facing another investigation into whether its generative AI chatbot, ChatGPT, complies with European Union privacy laws.