Cyber Law Watch | Insight on how cyber risk is being mitigated and managed across the globe.

New concerns over China’s ability to access user data on WeChat

Jun 21 2022

A recent report by cybersecurity firm, Internet 2.0, has raised concerns about the Chinese Communist Party’s ability to access the data of millions of users around the world of social media and payment application, WeChat.

WeChat is significant as it is the application that nearly all citizens in China use on a daily basis for communication, payments for services and as a way for citizens to connect through social media. Although the majority of WeChat’s more than 1 billion users are located in China, there are approximately 600,000 users in Australia, 1.3 million users in the UK, and 1.5 million users in the United States.

One of the concerns the report outlines is that although WeChat states that its servers are kept outside mainland China, all user data that WeChat logs and posts to its logging server goes directly to Hong Kong. And the report argues that under Hong Kong’s new National Security Legislation, there is little difference between Hong Kong resident servers and servers in mainland China.

As a result, due to China’s National Intelligence Law which requires organisations and citizens to “support, assist and cooperate with the state intelligence work”, there are concerns that the WeChat logging data that goes to servers in Hong Kong may be accessed by the Chinese Government upon request. The report states that the data that goes to Hong Kong is log data, which includes the user’s mobile network, device information, GPS information, phone ID, the version of the operating system of the device, but does not include information such as content of a conversation.

Another concern the report outlines is that although there was no evidence that chats were stored outside the user’s device, the report found that WeChat had the potential to access all the data in a user’s clipboard. This means that there is the potential for WeChat to access the data that is copied and pasted by users on WeChat, which is a risk to people using password managers that rely on the clipboard feature to copy and paste their passwords.

We expect to hear more about these sorts of concerns from a range of jurisdictions.

Queen’s speech heralds UK GDPR overhaul

May 25 2022

By Claude-Étienne Armingaud and Nóirín McFadden

In the Queen’s speech at the state opening of parliament on 10 May 2022, the UK government announced its intention to change the UK’s data protection regime in a new Data Reform Bill. This follows a consultation last Autumn on how the UK GDPR could be reformed following the UK’s exit from the European Union (EU).

The government claims that the new Bill would:

Create a data protection framework focused on “privacy outcomes” that would reduce the burdens on businesses, and a “clearer regulatory environment” to encourage “responsible innovation”.
Ensure that citizens’ data is “protected to a gold standard”, while enabling more efficient sharing of data between public bodies.
Modernise the Information Commissioner’s Office and require it to be “more accountable to Parliament and the public”.

The Queen’s speech also announced plans to replace the Human Rights Act 1998, which incorporated the European Convention on Human Rights into UK law. According to the government a new “Bill of Rights” would “end the abuse of the human rights framework and restore some common sense to [the] justice system”. This would be achieved by “establishing the primacy of UK case law”, which means that UK courts would no longer be required to follow the case law of the European Court of Human Rights.

Taken together, both of these proposed new legislative measures could change the balance of protection of individuals’ rights in the UK, both generally and in the specific area of personal data regulation. Their development will be closely watched by data protection professionals, because any significant changes in the UK data protection regime could prompt the EU to review its post-Brexit UK adequacy decision, potentially leading to the end of decades of seamless transfers of personal data from the EU to the UK.

What is Required under The PIPL: A PRC-Based Representative or a Personal Information Protection Officer?

Jan 17 2022

By Dr. Amigo L. Xie, Xiaotong Wang, Grace Ye and Yibo Wu

Multinational entities with operations in or having businesses with the People’s Republic of China (PRC) should take note of the PRC’s new Personal Information Protection Law (PIPL), which took effect on 1 November 2021 and is extraterritorial in scope and effect.

This alert lays out the differences between the requirements under Article 52 PIPL (PIPO appointment) and Article 53 PIPL (PRC-based representative appointment / establishment of an agency in the PRC). It also examines statutory obligations under PIPL upon designated personnel and highlights important sector-specific regulations and provincial and municipal government practices.

Click here to read the full alert.

EU-REPUBLIC OF KOREA ADEQUACY DECISIONS FINALIZED

Jan 14 2022

By Claude-Etienne Armingaud, Andrew L. Chung, Camille Scarparo and Eric Yoon

Following the conclusion of the adequacy talks in March 2021, the European Commission has adopted on 17 December 2021 an adequacy decision addressing the transfers of personal data to the Republic of Korea under the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.

Both texts prohibit the transfer of personal data to “third countries” unless (a) the destination country benefits from (i) an adequacy decision or (ii) appropriate safeguards, such as standard contractual clauses (see our alert here) or codes of conduct (see our alert here); or (b) one of the limited derogations under Article 49 GDPR applies.

With regards to the adequacy talks, the Republic of Korea agreed on the implementation of additional safeguards. Accordingly, the reform of Republic of Korea’s data protection framework (the Personal Information Protection Act) in August 2020, implemented several additional safeguards including transparency provisions and enforcement power strengthening of the Personal Information Protection Commission (§70).

The Republic of Korea adequacy decision complements the Free Trade Agreement (FTA) of July 2011 and allows a seamless flow of personal data between the Republic of Korea and the European Union.

Unlike the UK adequacy decision which contains a sunset clause (see our alert here), the Republic of Korea adequacy decision is not limited in time. However, pursuant to Article 45.3 GDPR, the European Commission carry out a first review of the decision after three years to evaluate any evolution in the Republic of Korea data protection framework, that would lead to divergence with the EU regulations (§220).

The Republic of Korea now belongs to the increasing group of third countries benefiting from an adequacy decision (including, since GDPR’s entry into force, Japan and the UK).

The firm’s global data protection team (including in each of our European offices) remains available to assist you in achieving the compliance of your data transfers at global levels.

Critical Vulnerability: Vulnerability in Widely Used Open Source Software is Discovered

Dec 24 2021

By Cameron Abbott, Rob Pulham, Max Evans and Ella Krygier

A critical security vulnerability has been discovered in Apache Log4j, an open-source logging library used by many popular Java applications to provide logging functionality for troubleshooting purposes, according to the Australian Cyber Security Centre (ACSC).

The software’s vulnerability, known as Log4Shell, allows for remote code execution, which, if left unfixed, could allow cybercriminals to take control of IT systems, steal personal data, passwords and files, and install backdoors for future access, simply by adding an additional line of arbitrary code. According to the ACSC, malicious cyber actors have used this vulnerability to target and compromise IT systems globally and in Australia, which led the ACSC to publish advice on mitigation and detection recommendations.

Mask Off: Social Media Giants to Unmask Trolls or Risk Themselves Becoming Liable for Defamation Payouts

Dec 01 2021

By Cameron Abbott, Rob Pulham, Warwick Andersen, Max Evans and James Gray

In a significant development in online regulatory oversight, the Australian government announced over the weekend that it will introduce new laws handing Australian courts the power to order social media companies to reveal the identities of anonymous trolls or risk themselves being liable for defamation payouts.

The so called “social media anti-trolling legislation” which the government has said will be introduced into parliament this week proposes to require social media companies stand up a functional and easy-to-use complaints and takedown process for users, who upon suspecting they are being defamed, bullied or attacked may file a complaint with the social media platform requesting that the relevant content be removed.

If that request is denied, the complainant can ask the social media company to provide the details of the “troll” so as to enable the complainant to commence an action. If this request is further denied, or if the social media platform is “unable to do this”, complainants may apply to obtain a court order requiring the social media company to release the identification details of the anonymous user so that a defamation action may be pursued. Failure to comply with such a court order will render the social media company themselves liable for the defamation claim.

Significantly, the reports indicate that these new laws will push legal responsibility for defamatory content from the author or page manager to the social media company which runs the platform. This represents a key move away from social media platforms being distributors of content but rather, in the eyes of online safety, being deemed publishers themselves. We will keep you posted as these proposed laws progress.

Privacy Pandemic: Australians Losing Trust in Institutions’ Use of Their Data

Dec 01 2021

By Cameron Abbott, Rob Pulham, Max Evans and James Gray

In the age of QR code check-ins and vaccination certificates, as Australia edges towards a post-pandemic (or mid-pandemic, it increasingly seems) “normal”, new research from the Australian National University (ANU) has revealed that Australians have become less trusting of institutions with regards to data privacy.

The ANU researchers said that the decrease in public trust between May 2020 and August 2021 was small but “statistically significant”. A key reason for this decrease, according to the researchers, was concern around “how their private data from check-in apps might be used by major institutions” as lockdowns and the use of apps for contact tracing intensified.

The institutions which experienced the greatest loss of trust were social media companies (10.1% decline), telecommunications companies, and federal, state and territory governments. This echoes sentiment from the OAIC following its recent ‘community attitudes to privacy’ survey that Australians trust social media companies the least when it comes to handling personal information, followed by the government.

While it remains to be seen whether this loss of trust becomes a permanent trend, one way to make Australians more comfortable with an organisation’s data practices – as reinforced by the OAIC – is to ensure the purpose of the collection and use of personal information is clearly understood. The OAIC has found that Australians are increasingly questioning data practices where the purpose for collecting personal information is unclear.

With increased penalties for privacy non-compliance looming, there’s never been a better time to revisit your privacy policies and collection statements to make sure that these are clear, so your organisation can stand out against this trend and build consumer trust.

New GDPR Guidelines on Data Transfers

Dec 01 2021

Claude-Étienne Armingaud, Camille Scarparo and Bastien Pujol

On 19 November 2021, the European Data Protection Board (“EDPB”) adopted new guidelines on the interplay between Article 3 GDPR (territorial scope) and Chapter V GDPR (transfer of personal data to third countries or international organization) of the General Data Protection Regulation (“GDPR”).

Those draft Guidelines aim at clarifying the mechanism of international transfers and more specifically provide a necessary assistance to controllers and processors in the European Union (“EU”) or otherwise subject to GDPR, including guidance on when a data importer would be subject to GDPR and an interpretation of the concept of international transfer.

In order to characterize a processing as a “transfer”, the EDPB relied on the three following cumulative criteria:

The data exporter (a controller or processor) is subject to the GDPR for the given processing;
- As a reminder, while GDPR generally applies to all entities processing personal data and established in the EU, it can also have an extra territorial reach for certain processing operations consisting in (i) offering products or services to individuals in the EU (e.g. ecommerce and apps) or (ii) monitoring of EU individuals’ behavior taking place in the EU (e.g. cookies and other tracking technologies).
The data exporter transmits or makes available the personal data to the data importer (another controller, joint-controller or processor); and
- In that regard, the mere remote access to the data would still qualify as a “data transfer” and it remains to be hopefully clarified in the final Guidelines whether the sharing of personal data among joint-controllers (both subject to GDPR from the inception of the processing operations) would in and of itself be considered as a data transfer.
The data importer is in a third-country or is an international organization.

In addition, a processing that meets these three criteria will be considered a transfer when the importer is established in a third-country and subject to the GDPR following provisions of article 3.2 GDPR. The EDPB considered that when the controller located in a third-country is already subject to GDPR, “less protection/safeguards are needed”. Nevertheless, conflicting national laws, government access in the third-country as well as the difficulty to enforce and obtain redress against an entity outside the EU should be addressed when developing relevant transfer tools.

The EDPB specified that personal data directly collected from the data subjects, at their own initiative, should not to be considered as a transfer.

An online public consultation is opened on the matter until 31 January 2022.

And it’s here! China’s new privacy laws come into effect

Nov 22 2021

By Cameron Abbott, Rob Pulham and Ella Richards

On 1 November 2021 the People’s Republic of China (PRC) effected the Personal Information Protection Law (PIPL).

The PIPL joins existing Cybersecurity Law and Data Security Law to broaden privacy obligations within the PRC. This comprehensive legislation governs the treatment of personal information within the PRC and strengthens the existing data localisation requirements.

Our colleagues have summarised the PIPL Draft Bill here and prepared advice on the collection of employee’s personal information under the PIPL here.

FACIAL RECOGNITION REVERSION – FACEBOOK TO SHUT DOWN FACIAL RECOGNITION SYSTEM, AUSTRALIAN REGULATOR CRACKS DOWN

Nov 08 2021

By Cameron Abbott, Rob Pulham, Max Evans and James Gray

Facebook (now referred to as Meta) has announced that it will shut down its decade-old Face Recognition system as part of a company-wide move to reduce the use of facial recognition.

The shutdown will see Facebook delete more than one billion individuals’ facial recognition templates and cease automatically recognising them in photos and videos posted to the platform. Facebook is no stranger to facial recognition controversy, having reached a $550 million USD settlement following an Illinois class action over the non-consensual collection and storing of users’ biometric information.

In its announcement, Facebook highlighted the benefits of facial recognition technology, such as improving accessibility for the visually impaired, but also conceded that regulatory uncertainty and growing concerns about the potential misuse of the technology outweighed those positive use cases.

The voluntary move by Facebook may be a prudent risk reduction step in Australia given there have been recent moves by the Australian privacy regulator against the indiscriminate use of facial recognition tools, including recently ordering an organisation to cease collecting and to destroy its existing facial images and biometric templates in respect of Australian individuals.

This certainly isn’t the end for facial recognition systems. Facebook suggested in its announcement that it intends to develop future applications for the technology once the IT environment allows for greater transparency, user control and privacy. We will keep you posted.