DPB-the highlights

As stated, the DPB comprehensively incorporates most of the governing norms on data protection.

Comprehensive Incorporation of Core Principles on Data Protection

There are several internationally recognised core norms for data protection. These include Fair and lawful processing of personal information, Purpose specification, Minimality, quality, Openness and transparency, Data subject participation, Sensitivity, Security and confidentiality and Accountability.[1]

The DPB mandates data controllers to process information fairly, in a transparent manner and subject to the data subject giving consent.[2] This suffices as lawful processing of personal data under the DPB. Section 19 of the DPB also requires specific treatment for sensitive personal data. The DPB requires purpose specification for the processing of personal data, minimality, quality.[3] Data subject participation is guaranteed under part IV of the DPB which outlines the rights of a data subject. Data security is comprehensively regulated under Part V of the DPB. In all this, it is easy to appreciate how comprehensive the DPB is in embracing the international norms and standard on data protection.

Cross-Border Transfers of Personal Data

The DPB adopts a comprehensive framework for cross-border transfer of personal data.[4] This is a great step towards ensuring data protection in cross-border online transactions. This is because the DPB effectively provides a platform against which cross-border flows of personal data can be regulated. This can be sharply contrasted from the old Electronic Transactions and Cyber Security Act, which did not contain any provisions regulating cross-border flows of personal data in electronic transactions.

The DPB can be commended on many fronts including the condition of making data flows primarily subject to a decision on the adequacy of data protection in the foreign country to which the data will be transferred. [5]  The DPB is progressive in that data transfers can be authorised where the foreign country has a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that afford an adequate level of protection.[6] This list is exhaustive enough to ensure sufficient facilitation of cross-border flows. In the absence of an adequate level of protection of any of the foregoing, a data transfer can be authorised under these conditions: if the data subject gives consent; if the processing is necessary for performance or conclusion of contract involving the data subject; and where consent cannot be practicably given, the transfer is nevertheless in the best interest of the data subject and the data subject would not have objected to it had he been asked.[7] These exceptions are broad enough to ensure the pace of international transactions is not unnecessarily hindered.

Data Protection by Design and Default

The DPB is also very progressive in that it accords the Authority with the power to publish directions on good practices and codes of conduct in data protection including the application of data protection principles by design and default in the processing of personal data.[8] Data protection by design is a concept that dictates that in light of progressive data protection regimes, companies must ensure that in their activities they incorporate data protection. Essentially since the companies must comply with data protection they must not wait for breaches before they address data protection but rather from the commencement of any action or process data protection must be incorporate and addressed.

On the other hand, data protection by default entails that for those computer products already released, there must be adherence to the highest standard of privacy to ensure data is kept safe and secure. Further, any data necessary for the operation of the product should only be kept for the minimum possible amount of time. The incorporation of these concepts in the DPB is a remarkable step in ensuring that privacy will be respected as technology gets more sophisticated.

The DPB clearly updates the data protection landscape in Malawi to comparable international standards.  This is indeed a shift in the right direction and will ensure that Malawi takes part in the information age. In my next article I shall explore some of the weaknesses in the DPB that may yet be improved to ensure comprehensive legislation is enacted.

Author: Gonjetso Dikiya LLB(Hons) University of Malawi; LLM candidate in Information and Communications Law, University of the Witwatersrand.

Head of Legal Services- Dispute Settlement Services

This content appears as a courtesy of Ritz Attorneys at Law, a proud member of the China Collaborative Group (CCG Association). It is informational in nature and does not constitute legal advice or establish an attorney-client relationship between you and its author, publisher or any member of CCG. For more information, please visit https://ritzattorneys.com/.

[1] Roos Anneliese ‘Core Principles of Data Protection’ 2006 CILSA 102-130.

[2] S. 18 of the DPB

[3] S. 23 of the DPB.

[4] Part VI of the DPB.

[5] S. 34(1)(a) of the DPB.

[6] S. 34(1)(a) of the DPB.

[7] S 36 of the DPB.

[8] S. 13 of the DPB

The post Insights into Personal Data Protection Bill appeared first on China Collaborative Group.

The Personal Information Protection Law of the People’s Republic (“PIPL”) takes effect from 1 November 2021. Companies engaged in processing the personal information of individuals located in China are obliged to implement necessary measures.

Below, we highlight the mandatory requirements for foreign companies under the PIPL:

1. User Consent

Under PIPL, companies may only collect personal information when the individual’s consent is obtained. The consent shall be voluntary and the individual shall be explicitly informed. Individuals can request how their personal information is collected, stored, and require such information to be corrected and deleted.

Companies processing personal information (‘the processors’) are obliged to allow the individual to decline. When users withdraw their consent, the processors shall halt the collection or promptly delete the collected personal information.

Companies outside of China are not exempted from PIPL. Any company outside of China and processing the personal information data of individuals in China can be subject to PIPL. Specifically, PIPL outlines the following circumstances for companies outside of China:

• Where the purpose of the activity is to provide a product or service to an individual located within China;
• Where the purpose of the activity is to analyze or assess the behavior of an individual within China; or
• Any other circumstance as provided by law or administrative regulations.

Practically, companies outside of China should conduct a risk assessment of their personal information database.

2. Equal treatment for consumers

PIPL forbids companies from utilising automated decision-making functions to increase online sales. A company cannot implement unreasonable differential treatment of individuals – such as prices or terms. In other words, special discounts for new customers cannot be utilised, without reasonable grounds. Individuals shall also have the option to withdraw from any push marketing based on automated decision-making.

3. Stricter stance to sensitive personal information

The PIPL classifies the following as sensitive personal information and companies may only process such data for a specified purpose.

• Religious beliefs;
• Biometrics;
• Specific identities, medical and health;
• Financial accounts, whereabouts and other information of a natural person;
• Personal information of minors under the age of fourteen

Companies shall adopt strict measures to protect such data and inform the individual of the necessity and the impact on their rights and interests. For personal information of a minor under the age of fourteen, processors shall obtain the consent of a parent or guardian of the minor.

The stricter stance towards data collection of sensitive personal information significantly affects human resources and educators (minors under the age of fourteen). We advise such departments to align data management policies under the PIPL provisions, without any further delay.

4. Cross-border data transfers

Under PIPL, companies may only transfer personal information outside of mainland China by meeting one of the following conditions:

• Where a security assessment organised by the national cyberspace authority has been passed;
• Where a certification of personal information protection has been provided by a professional institution, under the regulations of the national cyberspace authority;
• Where a contract in compliance with the standard contract provided by the national cyberspace authority has been concluded with the overseas recipient, establishing the rights and obligations of both parties; or
• Where any other condition prescribed by law, administrative regulations, or the national cyberspace authority are met.

For companies, especially multinationals working with the personal information of employees and suppliers located in China, implementing the provisions to transfer personal information is essential to avoid penalties.

PIPL shall significantly affect businesses processing the personal information of individuals located in mainland China. Particularly, PIPL stipulates specific rights of individuals in activities related to the processing of personal information, including the right to access and make copies of the personal information processed.

Violators can face fines up to RMB 50 million (US$7,74 million), or up to five percent of annual turnover. Violators located outside of mainland China may be included in a blacklist and publicly announced.

Therefore, we recommend companies doing business in or with China to conduct a data mapping assessment including a thorough review to identify which data is collected, stored, process, and employee access to such data. Data management policies should be revised and relevant training provided to employees, so that PIPL is correctly implemented into the company.

This content appears as a courtesy of Horizons Corporate Advisory, a proud member of the China Collaborative Group (CCG Association). It is informational in nature and does not constitute legal advice or establish an attorney-client relationship between you and its author, publisher or any member of CCG. For more information, please visit www.horizons-advisory.com. 

The post Getting prepared for the first Personal Information Protection Law in China appeared first on China Collaborative Group.