On 7 November 2016, the Standing Committee of the National People’s Congress formally passed China’s first comprehensive privacy and security regulation for cyberspace. Since the new Cyber Security Law (CSL) will come into effect on 1 June 2017, technology companies that are operating in or planning to expand to the People’s Republic of China (PRC) are well advised to adapt their IT infrastructure and data architecture to the new law. Violations of the law may, at worst, lead to high fines, website shutdowns or license revocations. Some of the most significant changes brought about by the new law are briefly outlined below.

Who Is Affected and What Is New?

The CSL applies to operators of Critical Information Infrastructures (CIIs) and network operators. A network operator is defined as an operator of basic telecommunication networks, internet information service providers and key information systems. However, it is not clear which companies qualify as operators of CIIs. The exact definition of CIIs was left to the State Council of the PRC. So far, the Council has not given any specifications.

The new law includes several important consumer protection provisions, but also some very controversial ones affecting technology companies.

Some provisions of the new law have aroused particular criticism. For example, instant messaging services and other companies qualifying as CIIs are only allowed to provide users with their full service if the users have registered under their real identities. In addition, CIIs are under an obligation to remove “prohibited content” from their service. In case of non-compliance with the latter requirement, CIIs are liable for a fine or worse. These requirements are believed to potentially restrict anonymity on the internet and to encourage self-censorship for online communication.

Under another controversial provision, companies are required to report to the relevant authorities any cyber security incidents and vulnerabilities that they have experienced and to technically support and assist the authorities on national security matters and crime investigation. However, the nature and scope of the required technical support and assistance have not been defined. Thus, it is not clear whether the process might entail the provision of confidential information.

Among all the changes, the most significant change might be the so-called Data Localization Requirement. Under that provision, CIIs are required to store personal data and other important information within mainland China. However, it is not clear whether this provision only applies to personal data of Chinese citizens or to any personal data, including those of foreigners. In the first case, companies might be required to separate the personal data of Chinese citizens from the personal data of other individuals.

A Look Ahead

The CSL brings a lot of changes in the fight against cyber security threats. However, the law should be criticized for its lack of legal certainty, mostly resulting from overly broadly formulated terms. As the CSL comes into effect in less than three months, technology companies are allowed little time to adapt to the new provisions. Compliance may in particular be of crucial importance for multinational companies with regard to the Data Localization Requirement, as cross-border data transfer may be daily business. It remains to be seen whether the legal uncertainties will somehow be eliminated by the relevant authorities. Until then, affected companies need to be very cautious.

 

This article was originally published on AllAboutIP – Mayer Brown’s blog on relevant developments in the fields of intellectual property and unfair competition law. For intellectual property-themed videos, Mayer Brown has launched a dedicated channel available here.

According to press reports, German car giant Volkswagen has banned its employees from using the wildly popular smartphone app Pokémon GO during work hours. Reportedly, the company cited impaired attention and distraction from work as the primary grounds for the prohibition, but data security and privacy issues are supposedly involved as well. Volkswagen has not yet made an official statement on the ban.

This app in particular and augmented reality in general pose many legal questions, especially in the field of privacy law. The most pressing privacy issue with Pokémon GO seems to be the constant tracking of geolocation data. By agreeing to the Pokémon GO Privacy Policy, the user allows Niantic, the company behind the app, to track the user’s “device location […] and some of that location information, along with [the] user name” any time he or she uses the app.

The Concept of Augmented Reality

The app is based on the concept of “augmented reality,” meaning that the real world environment is “augmented” with virtual elements. The app relies on the users’ GPS location data and images taken by their smartphones’ camera devices to let them catch virtual Pokémon monsters on a map overlaying their real surroundings. The real world is used as the setting for the chase.

Data Protection and Privacy Concerns

All gathered data is processed at Niantic’s headquarters in San Francisco, California, United States. While, according to the privacy policy, “information that can be used to identify or recognize [the user]” will, in principle, not be shared, there are still concerns in the Pokémon community regarding the extent to which third parties can access that information. The users’ tracking data could provide information not only on their residency or workplace but also, for example, on their preferred mode of transportation, walking speed and frequency of smartphone use. This information could, by itself or in combination, be considered personal data.

The rules on the collection, use and disclosure of personal data differ among jurisdictions. For example, pursuant to section 3 para. 1 of the German Federal Data Protection Act, personal data is defined as “any information concerning the personal or material circumstances of an identified or identifiable individual.” Within the territory of application of that act, the collection, processing and use of personal data is only permissible in rare prescribed circumstances (see section 4) or with the consent of the data subject. The requirements might be significantly lower in other countries.

 
