By Susan Ning (partner), Wu Han (senior associate), Zhao Yangdi (associate)
Big data has become a hot topic in recent years, and the big data industry is considered one of the critical sources of economic growth by governments around the world. The U.S. Government issued reports on the big data industry – “Big Data Research and Development Initiative” and “2014 Big Data: Seizing Opportunities, Preserving Values” – in an effort to promote the development of this industry. Likewise, the State Council of China released the Circular on the Issuance of the Action Plan on Promoting the Development of Big Data Industry (“《关于印发促进大数据发展行动纲要的通知》”) in September 2015. This is the first time that China has designed a plan for the development of the big data industry at the state level, aiming to unlock the value of China’s big data industry and to push forward the development and application of big data. In addition, the Thirteenth Five Year Plan on the Development of National Economy and Society (“《国民经济和社会发展第十三个五年规划纲要》”) issued in 2016 also calls for the country “to expand the space for the network economy, to promote the sharing of data resources, and to implement the big data strategy”.
Data has become a strategic resource. It can be expected that China’s big data industry will see rapid growth in the near future. According to data from the Guiyang Big Data Exchange, the market size of China’s big data industry will increase from RMB 76.7 billion in 2014 to RMB 822.881 billion by 2020.
With the boom of the big data industry, many areas such as government administration, public service and industry development will see huge potential through the innovative application of data. However, the special characteristics of big data also pose legal risks that need to be identified and guarded against. The uncertainty of data ownership, coupled with the underlying basis of the big data industry – analysis and deduction of the association and causality between data from multiple sources – has brought real challenges to the traditional legal rules on data collection, storage, analysis and commercialization.
Development of Big Data Compliance in the US and the EU
The US and the EU have already recognized the compliance risks associated with the big data era. Both have long been trying to provide helpful guidance to the big data industry through their past and recent legislative and judicial practice, aiming to strike a balance between the development of the big data industry and various other concerns, such as personal data protection, data security, and cross-border transmission of data.
1. Personal data protection
Taking personal data protection as an example, the US legal regime for personal data protection mainly comprises the Privacy Act enacted in 1974 and a series of special laws for specific sectors. The current US laws and regulations, which were adopted years ago, seem outdated when it comes to regulating the new data exchange models and data sources of the big data era. In addition to these laws and regulations, the US government has also been regulating the relevant issues through subsequent judicial practice and guidelines.
For instance, the Fair Credit Reporting Act enacted in 1971 governs the Consumer Reporting Agencies that provide investigation services on consumer credit information (“CRAs”). CRAs usually include credit bureaus, employment background screening companies and other credit investigation organizations. However, a new data source has emerged in the big data era, i.e. the data broker. Different from the traditional channels for collecting data, data brokers compile non-traditional data gathered from social networking platforms, analyze the relevance among various types of information by using algorithms, and eventually establish relatively complete personal profiles. Such personal profiles provided by data brokers are favored by the market due to their accuracy and completeness. However, if data brokers are not CRAs, the Fair Credit Reporting Act would not apply, and the individual’s rights to his/her personal data would be compromised. The US courts then established through case law that “data brokers” should also be governed by the Fair Credit Reporting Act. To be specific, in the case of the United States vs Spokeo, the Federal Trade Commission (“FTC”) considered that online data broker Spokeo established personal profiles by collecting and analyzing various data online and offline for the purpose of employment background checks, which should be governed by the Fair Credit Reporting Act. Spokeo eventually settled with the FTC. Another similar case is the United States vs Instant Checkmate. In this case, similar to Spokeo, Instant Checkmate had also publicly announced on its website that it was not a CRA, but it still had to settle with the FTC and pay a penalty.
In addition, a challenge facing personal data protection in the big data era is that if sufficient categories and volumes of data are analyzed, any data could be considered as linking to a specific individual. The boundary between personal and non-personal data is blurred in the big data era. Having recognized the difficulty of defining personal data for the purpose of personal data protection, the FTC issued the report “Protecting Consumer Privacy in an Era of Rapid Change – Recommendations for Businesses and Policymakers” (“Recommendations”) in 2012. In addition to individual consumers, the Recommendations also bring personal computers, mobile phones and other devices into the scope of consumer data protection, because the current internet environment and data analysis capabilities can generally link a device to the specific person using it. In this report, the FTC also discussed reasonable technical approaches to de-identification, such as anonymization, statistical sampling, aggregated or synthetic data, or the addition of sufficient “noise” to data.
EU legislation on personal data protection came later than that of the US, with the European Treaty Series No. 108 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data only introduced in 1981, while the recently issued General Data Protection Regulation of the EU (“Regulation”) provides that “everyone has the right to the protection of personal data concerning him or her”. Given the necessity for data transmission in the big data era, Article 20 of the Regulation sets forth the “right to data portability”, which enables users to freely transmit their personal data from one information service provider to another. Article 17 of the Regulation provides the “right to be forgotten”: a data subject has the right to request the controller to erase his/her personal data if such data subject withdraws the consent on which the processing is based and there are no other legal grounds for the processing; the controller is required not only to erase the personal data under its own control but also to inform third parties to stop using and to erase the data which such controller has made public. The additional rights granted under the Regulation augment the data subject’s control over personal data. These provisions also set forth specific requirements for companies in terms of protecting the rights of data subjects, which will directly affect the policy formulation, business processes, and IT system design of companies.
2. Data security
In terms of data security, the enactment of the EU Regulation is considered a significant initiative in the digital era that “clears obstacles and unleashes opportunities”. As mentioned above, the Regulation grants more rights to data subjects on the basis of the EU 1995 Data Protection Directive and at the same time imposes more obligations on the data controller. Specifically, the Regulation introduces new mechanisms regarding the data protection officer (DPO), the data protection impact assessment (DPIA) and data processor accountability, and sets out complete rules governing data transmission.
For example, the Regulation provides that entities incorporated in the EU shall designate a data protection officer in any case where the processing is carried out by a public authority or body, or where the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or processing on a large scale of special categories of data. The DPO must have professional knowledge and expertise regarding data protection, and must be able to perform his or her functions and duties independently. Pursuant to the Regulation, for data processing activities with high risks, a prior DPIA is required before the start of data processing. The Regulation does not define what kind of data processing would be considered “highly risky”, but it explicitly provides that “a DPIA shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data; or (c) a systematic monitoring of a publicly accessible area on a large scale.”
Another highlight of the Regulation is the introduction of a data breach notification mechanism, which requires the controller to notify a personal data breach to the supervisory authority no later than 24 hours after becoming aware of it. If the controller fails to give such notification within 24 hours, it should explain the reasons for the delay. If the data breach may have negative impacts on the privacy of data subjects (for example personal injury), the controller must notify the data subjects of such breach without delay. The notification should specify the nature of the data breach and propose recommendations for mitigating risks. In the big data era of advanced data analysis and mining technology, hackers and terrorists have more opportunities to steal data using sophisticated and hard-to-detect methods. Issues arising from a data breach, such as identity theft or fraud, data abuse and reputational damage, pose severe risks to personal privacy. Imposing notification obligations on the controller alerts data subjects to a data breach in a timely manner, so that they can take measures to prevent or mitigate the risks and injuries to the extent possible.
Similarly, the new rules Protecting the Privacy of Customers of Broadband and Other Telecommunications Services – released by the Federal Communications Commission on December 2, 2016 (“FCC Rules”) – have also set notification obligations for telecommunication carriers in case of a data breach. Service providers must notify the users, the FCC, the FBI and the Secret Service of the data breach without delay, unless such carriers can reasonably determine that the breach will not create a risk to the affected users. The FCC Rules set different requirements for service providers in terms of the parties to be notified and the timeline of such notification, according to the severity of the data breach.
3. Other compliance issues
In addition to personal data protection and data security, European and American nations have extensively discussed other compliance issues regarding the application of big data, including data ownership, data quality, data standardization, liabilities for data exchange, etc. Further, with big data being recognized as a core economic asset by nations around the world in recent years, jurisdictions like the US and the EU are beginning to show concern about the potential antitrust issues that could arise in the big data era, given the economic value of big data and the competitive edge it may bring. The competition authorities of the EU, the US, Spain, Germany, and France have issued reports on big data and antitrust issues in recent years, analyzing the impact of big data on antitrust enforcement. The US antitrust authority has assessed the potential entry barriers brought by big data when reviewing merger cases. In its review of the merger between Bazaarvoice and PowerReviews, the US Department of Justice found that data can serve as an entry barrier in the market for “rating and review platforms”. Even in non-digital markets, the EU and French authorities have determined in relevant cases that data could create entry barriers or confer a data advantage on companies due to the scarcity of data.
Opportunities and Challenges Facing Big Data Compliance in China
Although China has very limited legislation regarding information and data protection, Chinese authorities have always paid great attention to data compliance issues. In the private law area of personal data protection, the Civil Law of China has not provided for a “right to personal data”, but the concept of “personal data” was first mentioned in the Provisions of the Supreme People's Court on Several Issues Concerning the Application of Law in the Trial of Cases about Tour Disputes issued by the Supreme Court in 2010. The National People’s Congress issued its Decision on Strengthening the Protection of Cyber Information in 2012, which brings “electronic information identifiable to personal identity or concerning personal privacy” into the scope of protection. The Cyber Security Law of the PRC promulgated on November 7, 2016 (“Cyber Security Law”) defines “personal data” for the first time at the legislative level and sets out a non-exhaustive list of the information that could fall within the meaning of the defined “personal data”.
As for data security, Chapter 3 of the Cyber Security Law sets out various requirements and obligations to protect cyber security for internet operators, including internet service providers. Article 21 under Chapter 3 explicitly provides that “the State implements the classified protection system for cyber security”, and requires internet operators to perform their obligations of protecting cyber security in accordance with these rules. In addition to the classified protection system for cyber security, the Cyber Security Law adopts a stricter protection mechanism for “key information infrastructure”. Pursuant to the Cyber Security Law, where key information infrastructure operators purchase network products and services that may have an impact on national security, they shall go through a security review.
In contrast to the legislation and practice of the EU and the US, there is no practicable guidance for big data compliance in China. For instance, China follows the EU approach in defining personal data, i.e. treating “identifiability” as the core standard for identifying personal data. However, the relevant laws and regulations have not specified what kind of data could be deemed identifiable to specific individuals. The current criterion of “identifying specific persons independently or in combination with other information” is ambiguous and impracticable. Without further guidance on identifying personal data, the boundary between personal and non-personal data will be blurred, resulting in an unlimited expansion of the scope of personal data, in which case the application of the law will face great uncertainty. Moreover, personal data after de-identification and anonymization is being used more and more broadly nowadays, and companies face the thorny problem that personal data which has already been de-identified could possibly be re-identified and linked to specific individuals.
Similar to the legislation and practice of major jurisdictions in terms of local storage of data and restrictions on cross-border data transmission, the Cyber Security Law also explicitly provides that personal data must be stored within China, i.e. “key information infrastructure operators shall store locally personal information and important data gathered and produced during operations within the territory of the People's Republic of China”, and as a general principle operators are prohibited from transmitting such data overseas. However, the “standards of key information infrastructure” and the “assessment measures on data cross-border transmission” remain to be formulated, which adds further uncertainty to the enforcement of the Cyber Security Law and to company compliance.
To sum up, China is currently still at a very preliminary stage in terms of big data legislation and practice. More attention needs to be given to some other important issues, such as the compliance issues relating to data exchange and the potential antitrust risks arising from big data.
Opportunities always come with challenges. As China has only just established its own legislation and enforcement framework for big data and the detailed implementation rules remain to be formulated, it could learn from the experience of other jurisdictions. Taking cross-border data transmission as an example, the EU Regulation sets complete and detailed rules governing data transmission on the basis of the EU 1995 Data Protection Directive. The EU Regulation provides in general that “the personal data of EU citizens could only be transmitted to nations that grant equal protection to such data”, while it also sets forth detailed and practicable rules on legitimate data transmission, including rules regarding adequacy decisions, binding corporate rules, standard data protection clauses, etc. For other critical issues like “the standards for identifying personal data”, “the reasonable approaches to data de-identification”, and “the criteria for determining the implied or express consent of users”, the experience of other jurisdictions may serve as a reference.
The global flow of data makes it necessary for companies to learn from the experience of other jurisdictions. Companies doing business in multiple jurisdictions have to consider, on the one hand, the different rules and restrictions on cross-border data transmission in each jurisdiction and, on the other hand, whether their business activities involving personal data within one jurisdiction could be governed by the rules of other jurisdictions.
For instance, the EU 1995 Data Protection Directive only applies to the processing of personal data by companies established in the EU, while the EU Regulation governs the data processing activities of companies as long as such activities involve the personal data of individuals in the EU, regardless of whether such companies are established within the EU. For companies established in the EU, the scope of application of the EU Regulation remains the same, but the Regulation also makes it clear that it applies regardless of whether the processing takes place in the Union or not. For companies not established in the EU, as mentioned, the Regulation applies to their data processing activities where they process the personal data of EU individuals in the course of offering goods or services. In other words, both traditional industries and emerging sectors such as e-commerce and social networking will be governed by the Regulation as long as the business operators process the personal data of individuals located in the EU when providing services to such persons. Companies operating in different jurisdictions have to take the Regulation into consideration when drafting their internal compliance policies. As the big data industry evolves, multinational companies may need to establish a consistent, complete, and standardized data compliance system, taking into account the data compliance rules adopted by the various jurisdictions.
The year 2017 has arrived. The big data industry is expected to gain momentum in the near future, and the compliance issues relating to big data are pressing. We will closely keep track of the global development of big data compliance, and embrace the challenges and opportunities of the big data era together with companies.
Editor’s note: this article was simultaneously published on Chinalawinsight.com
United States v. Spokeo, Inc. (C.D. Cal. June 12, 2012)
United States v. Instant Checkmate, Inc. (S.D. Cal. filed Mar. 24, 2014)
“An Interpretation on the EU General Data Protection Regulation”, by Wang Rong.
See Article 35 of the EU General Data Protection Regulation.
See “New Trends of the US Personal Data Protection – Key Points of the New FCC Rules”, by Susan Ning, Wu Han, Li Huihui and Wang Shisun at King & Wood Mallesons.
See French Competition Authority, Decision No. 13-D-20 of 17 December 2013, and European Commission, “EDF/Dalkia en France”, COMP/M.7137.
Article 9 of the judicial interpretation provides that “where travel agencies or providers of other travel services disclose, or make public the personal information of travelers without their consent, and such travelers claim for damages against them, the people’s court should support such claims.”
“The State protects the electronic data identifiable to or relating to the privacy of individuals; no organizations or person shall steal or get the electronic data of any person illegally, or sell or provide such personal electronic data to others illegally.”
See “The New Cybersecurity Law – Five Things Companies Should Know”, by Jiang Ke and Yang Nan at King & Wood Mallesons.
See Article 35 of the Cybersecurity Law.
See Article 37 of the Cybersecurity Law.