August 24, 2021
The big news this week is that China has passed a baseline privacy law that applies to both the private and public sectors. The headlines call it one of the strictest privacy laws in the world and compare it to the GDPR.
But what struck me as I read the highlights is, "The law would impose some of the world's strictest controls on private sector handling of information about individuals but appears not to affect the ruling party's pervasive surveillance or access to those corporate data."
The law responds to both privacy and antitrust concerns in the country. As the AP report states, it "follows complaints that companies misused or sold customers' data without their knowledge or permission, leading to fraud or unfair practices such as charging higher prices to some users."
The law's passage reflects China's ongoing work to rein in the tech industry's appetite for consumer data. But, as an admittedly somewhat nervous person, I'm so much more concerned about the government's appetite for data than any single company.
After all, the "ruling party has been accused of using data gathered about Uyghurs and other members of predominantly Muslim ethnic groups in the northwestern region of Xinjiang to carry out a widespread campaign of repression," AP reports.
I'm not in a position to tell you if that's true. Frankly, I have no idea. But what I certainly know is history has shown us that mass government surveillance can be so dangerous if the wrong government takes office.
Do you have the same visceral memories of learning about Nazi occupation during World War II? I can still see the yellowed images projected onto our classroom chalkboard: identity cards, issued by the German government, marked with a "J" for Jew. Or we can look to the internment camps during World War II, for which the U.S. Census Bureau provided the Secret Service with census data on who was of Japanese ancestry.
Throughout history, there are plenty of examples to feel very nervous about governments having unfettered access to data, especially data that belongs to the private sector. I may grant my Uber app the ability to know my location to make catching a cab easier. But I certainly don't want my government watching my every move. What need would there be for that?
Excessive data collection can be dangerous for any organization. You'll see that reflected in plenty of data privacy or cybersecurity laws' provisions on data minimization. The data you don't collect is data that can't be breached or misused. Why shouldn't the same kinds of rules apply to massive government bodies with tentacles that reach far beyond a single organization?
It's not just a Chinese problem. There's so much concern about U.S. government overreach that the EU is having trouble finding a data-transfer agreement that it can sleep with at night. But at least we can blame that on the fact that Congress can't get it together enough to pass a baseline privacy law. In addition, the allegations that the Chinese government is already targeting ethnic minorities should be a red flag.
So, while there hasn't been a ton of discourse yet on the fact that this "GDPR-like" law doesn't change Beijing's broad access, I think we have to start talking about it.
We're going to talk about this and more on our next Twitter Spaces chat on Thursday, Sept. 2, at 4 p.m. Eastern, 1 p.m. Pacific. I hope you can join us! Click here to set an in-Twitter reminder.
Enjoy reading, and I'll see you next week!
China passes strict data protection law with rules on consent
China has passed a comprehensive data privacy law aimed at protecting users, The Verge reports. It comes into effect quickly: organizations in both the private and public sectors have until Nov. 1 to come into compliance. The Personal Information Protection Law requires companies to obtain a user's consent before collecting their data and requires them to protect information that is transferred out of China.
Marketers beware: Apple's mail update to change the game on metrics
Every dollar an organization invests in email marketing yields $36 in return, reports TechCrunch. That's why Apple's new Mail Privacy Protection rollout has marketers worried. It "attempts to eliminate metrics and data associated with email," often an organization's lifeblood. The feature is part of Apple's iOS 15 update and allows Apple Mail users to hide their IP addresses and additional data from senders.
Hacker selling stolen AT&T data for $1M, T-Mobile investigating breach
There's a lot of breach news this week. First, AT&T has denied that it suffered a data breach after a well-known anonymous hacker said they were selling 70 million customers' personal information. The going price for the allegedly stolen database is $1 million. Second, T-Mobile has confirmed that more than 40 million former or prospective customers' records were stolen. In addition, the hack exposed more than 850,000 pre-paid customers' data. And Pearson, an education software company, will pay $1 million to settle charges that it "misled investors about a 2018 data breach" affecting millions of student records.
UK data privacy authority wants your input on future of data transfers
The U.K. Information Commissioner's Office is launching a consultation on protecting personal data in cross-border transfers. The ICO is developing a U.K. version of standard contractual clauses (SCCs), the data transfer tool widely used to transfer data out of the EU to another legal jurisdiction. Brexit required the U.K. to develop its own rules under the U.K.'s data protection law. The ICO wants to know what you think the rules should look like, and you have until October 7 to submit feedback. Access the tools you need to submit feedback here.
Senators want answers from TikTok CEO on biometric data collection
Why are companies failing at data protection?
It's evident now that breaches have severe consequences for organizations' bottom lines and reputations. So why are so many companies failing at data protection? There are several reasons. One is that to evaluate the risk/reward of storing sensitive data versus its utility, "there needs to be a sufficient data discovery process." An organization can only truly understand what data must be secured once it has mapped all the data to the associated risks, Security Magazine reports. (Editor's note: For more on how to do data discovery, see our guide.)
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”