August 24, 2021
Today, there is a big opportunity for companies to take a more mindful approach to consumer privacy and to design a holistic customer experience while doing so. Consumers do want a better, more customer-focused experience, with 65% willing to share more personal data in return. However, the emergence of legal and regulatory regimes in the European Union (EU), in several U.S. states (e.g., California), and in other countries (e.g., Canada, Brazil, India, and China) complicates company efforts to develop a holistic approach and a balanced strategy to secure and sustain customer trust. That is why handling data responsibly is a fast-emerging component of corporate accountability.
There are two primary differences between the Cybersecurity Framework and the Privacy Framework. First, the Cybersecurity Framework was developed and exists in a largely unregulated environment for cybersecurity purposes. In contrast, many American businesses large and small are already subject to laws that impact consumer and employee privacy. Consumer data is regulated by a range of laws, such as the EU’s General Data Protection Regulation, and soon by the China Privacy Act. Those, along with several sector-specific laws and others designed to protect children, compel many companies across industries to design and manage their privacy programs around compliance in a complex legal and regulatory environment.
We recommend the Privacy Framework be organized around common privacy principles upon which existing laws and regulations and companies’ privacy programs are generally based. We recommend categorizing those as:
China has passed a new privacy law aimed at protecting users’ personal data. The new law comes as Chinese tech firms have come under renewed scrutiny in the country and sets rules around how companies handle users’ information. The law takes effect on or before November 1st.
The precise wording of the new Personal Information Protection Law (PIPL) has not yet been finalized. However, to a large degree it parallels the EU’s General Data Protection Regulation (GDPR) and requires companies to limit their collection of personal data and obtain user consent for its use. Companies may not refuse service to users who decline data collection unless the service cannot be provided without that data. Users can withdraw their consent at any time, and companies cannot invoke a “legitimate interest” defense. The personal data of children under 14, meanwhile, is subject to tighter rules. As with GDPR, there are also strict rules around the transfer of personal data outside the country, with fines for non-compliance.
The law, formally called the Personal Information Protection Law, calls for companies to get users’ consent before collecting personal data and has rules for how companies should ensure users’ data is protected when it’s transferred outside of China.
Tech companies that handle personal information must have a designated person tasked with overseeing its protection, and companies must conduct regular audits to be sure they’re complying with the law.
Foreign companies are required to appoint a local representative to oversee compliance and will be regulated by the Cyberspace Administration of China (CAC). They must appoint boards to review privacy issues and publish social responsibility reports, as well as conduct risk assessments before transferring data abroad or using data for automated decision making.
Violating the new privacy law could come at a high cost for companies. Illegal activities that are considered serious could result in a fine of several million dollars. The good news is that companies already compliant with Europe’s GDPR should have little difficulty complying with the Chinese privacy law. At a more operational level, the privacy framework includes a thoughtful approach to privacy engineering. For example, our privacy engineers advise on the granular administration of data so that it aligns with privacy objectives and principles in addition to relevant security objectives.
Finally, the Privacy Framework would benefit from language around managing privacy in a world where artificial intelligence and machine learning become more ubiquitous, and around how businesses can leverage those tools to achieve the privacy principles (e.g., identifying uses of data for purposes other than the originally intended one). We have one overarching recommendation: make your privacy framework more relevant to all applicable laws (e.g., CCPA, GDPR, China’s law, etc.).