On September 9, 2021, the long-awaited recast of the EU Dual-Use Regulation (the Regulation) will enter into force. It provides for new rules on cyber-surveillance technology, the provision of technical assistance, as well as export restrictions for reasons of public security and human rights considerations. Additionally, the new Regulation provides for large project authorizations as well as two new EU General Export Authorizations.
Continue Reading Revised EU Dual-Use Regulation to Enter into Force
Data Privacy
China Builds Out Data Security Architecture With New Regulations on Cross Border Data Transfers
In 2015, the People’s Republic of China (PRC) enacted the first part of its comprehensive data security regime with the promulgation of the State Security Law, which provided a statutory basis for the construction of a nationwide network and information security system. The Cybersecurity Law (CSL), which followed in 2017, addressed cybersecurity protection and introduced the concept of a “Critical Information Infrastructure Operator” (CIIO). Subsequently, other laws, regulations, and rules have been promulgated addressing the requirements of China’s digital economy, related state security matters, and personal information privacy rights. Among those, the Data Security Law (DSL) became effective on September 1, 2021, and the Personal Information Protection Law (PIPL) will go into effect on November 1, 2021. After subsidiary regulations and rules addressing implementation of the DSL and PIPL have entered into force, China’s new data security architecture should be largely complete.
…
US Commerce Department Identifies Prohibited Transactions Involving WeChat and TikTok
On September 18, 2020, the US Commerce Department announced the prohibited transactions (which would be effective as of September 20, subject to a court-ordered suspension discussed below) aimed at limiting the use of WeChat (and possibly also TikTok) within the United States. These prohibitions may have some effect outside the United States as well. Technology companies, Internet infrastructure companies, financial institutions, and other companies that support these apps should take particular note since the prohibitions are directed at business-to-business engagement, as opposed to individual users of these apps. However, users should consider that their ability to continue to use WeChat in particular within the United States may become severely restricted, and perhaps eventually eliminated. The Commerce Department’s September 18 announcement explains that these prohibitions are intended to “protect users in the U.S. by eliminating access to these applications and significantly reducing their functionality.”
As background, on August 6, President Trump issued Executive Orders 13942 and 13943, directing the Secretary of Commerce to identify, within 45 days, specific types of prohibited transactions related to ByteDance Ltd. (including TikTok) and WeChat. See our earlier blog post for more detail. In two Notifications issued on September 18 (the WeChat notice is available here, and the ByteDance / TikTok notice is here), the Commerce Department identified a broad set of business-to-business transactions involving WeChat and ByteDance / TikTok that would be prohibited under US law.
Importantly, the timing for these prohibitions is different for each of the two Notifications.
- The WeChat prohibitions were to take effect on September 20. However, they were temporarily blocked by a preliminary injunction issued by a US federal magistrate judge on September 19. The outcome of this litigation remains uncertain.
- The limited ByteDance / TikTok prohibitions that were slated to take effect on September 20 were suspended by the Commerce Department until September 27 at 11:59 p.m. eastern. In a press release issued after the Notifications themselves, the Commerce Department stated that this delay was provided “in light of recent positive developments . . . at the direction of President Trump.” The effective date of most of the ByteDance / TikTok prohibitions as stated in the Notification is not until November 12, 2020, which would align with the 90-day period for divestment of TikTok in the United States that was ordered by the President on August 14. A proposed divestment or other type of partnership to operate TikTok within the United States is currently under review by the Committee on Foreign Investment in the United States (CFIUS). President Trump stated that he has given the most recent proposed deal for TikTok his “blessing,” but the CFIUS process is not yet complete; nor has the deal closed. Commerce’s press release states that “the President has provided until November 12 for the national security concerns posed by TikTok to be resolved. If they are, the prohibitions in this order may be lifted.” The Chinese government has also indicated that any such deal would be subject to its approval as well.
Executive Orders Aim to Restrict US Dealings with Chinese App Makers TenCent, ByteDance within 45 Days
On August 6, 2020, the White House issued a pair of Executive Orders (EOs) (available here and here) under the International Emergency Economic Powers Act (IEEPA) that could limit US users’ access to mobile apps from China’s Tencent Holdings Ltd. (Tencent) and ByteDance Ltd. (ByteDance). The EOs, which direct the Commerce Department to identify prohibited transactions within 45 days, could also limit other transactions involving US-origin goods, technology, and software to the companies and certain subsidiaries.
The two EOs build on the IEEPA national emergency declared in EO 13873 of May 15, 2019, Securing the Information and Communications Technology and Services Supply Chain, which, among other things, directs the Commerce Department to restrict the “acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service” that is “designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.”
(Click here to read Steptoe’s earlier blog post on EO 13873.)…
Three Recent Cybersecurity and Information Systems Management Rules Impact Government Contractors
In the past two months, the federal government has issued several cybersecurity-related regulations that are or will be directly or indirectly applicable to a wide variety of federal contractors and subcontractors. Additional rules (including a blanket FAR provision) are expected, but the three rules below present an interrelated set of requirements and standards that federal…
European Commission Endorses EU-US “Privacy Shield”
Yesterday, the European Commission (EC) adopted its long-awaited decision endorsing the EU-US privacy shield. This is the latest milestone in restoring a stable legal basis for transatlantic flows of personal data, since the Court of Justice of the EU annulled the EU-US Safe Harbor program in its judgment in the Schrems case in October 2015.
Turkey Enacts Data Protection Law
Last month, Turkey’s new “Law on the Protection of Personal Data” entered into force. It provides a framework similar to the European Union’s data protection regime. The law applies to personal data processed “wholly or partly by automatic means” and to non-automatic processing of personal data “which form part of a filing system.” The law also requires the establishment of a Data Protection Authority and a Data Protection Board by October 7, 2016 to oversee its provisions, including establishing and maintaining a registry of active data controllers, which must register with the Board.
The law defines “personal data” as any information relating to an identified or identifiable living individual. It defines “sensitive data” (on which additional processing obligations are imposed) as information that reveals racial or ethnic origin; political opinions; religious or philosophical beliefs; appearance; memberships in unions, associations or foundations; as well as information about health, sexual life, criminal records, punitive measures, and biometric and genetic data.
EU and US Propose “Privacy Shield” for Data Transfer
The proposed new “Privacy Shield” agreement for data transfer from the European Union to the US was released on February 29, 2016 by the European Commission and the US Department of Commerce. The new agreement aims to replace the invalidated Safe Harbor agreement (as previously discussed here, here and here) but will not…
More on the ECJ “Safe Harbor” Decision
Following up on our earlier post, see Steptoe’s Cybersecurity Advisory for more details regarding the European Court of Justice decision on the EU-US “Safe Harbor” agreement.
This Cybersecurity Advisory was authored by Stewart Baker, a partner in Steptoe’s Washington office; Michael Vatis, a partner in Steptoe’s New York office; and…
European Court Invalidates Safe Harbor Program
The US-EU Safe Harbor was invalidated by the European Court of Justice (ECJ) yesterday in Schrems v. Data Protection Commissioner, meaning that the Safe Harbor no longer provides a legal basis for transfers of personal information from the EU to the United States. Companies that have relied on the Safe Harbor to justify the…