On 21 October 2020, the Personal Information Protection Law (Draft) (“Draft”) was finally unveiled to the public. By comprehensively deepening China’s personal information protection system, the Draft strengthens the protection of personal information while taking into account the complexity of economic and social life. The release of the nearly 8,000-character Draft marks China’s first attempt to systematically and legislatively define, establish, and integrate the provisions on the protection and regulation of personal information. The Draft not only incorporates China’s legislative, regulatory and practical achievements regarding data security in recent years, including the PRC Cybersecurity Law (“Cybersecurity Law”), but also learns from the varied legislative experience of the other jurisdictions in data protection such as the General Data Protection Regulation (“GDPR”).
Judging from its contents, the Draft lives up to the expectations of the legal profession. Its exciting legislative highlights are identified and explained in the industrial, academic and research circles. In addition to the legislative techniques worth being discussed, the legislation further protects “rights and interests in personal information” and “safeguards the positive ecology of cyberspace”. It is also “an important action to promote the healthy development of the digital economy”. The global digital economy is growing rapidly and the data isolationism is rising from digital sovereignty. Against this backdrop, the Draft reflects China’s rationale on personal information protection and the underlying development strategy of digital economy that should be considered from the perspective of data competition.
Due to length limit, we will discuss nine selected key legislative issues in the Draft by considering both comparative law and economic development to assess the profound significance and future implications of the legislation.
I. How Do We View the Possibly Extended Scope of “Personal Information”?
The definition of personal information is a core issue and logical starting point of the legislation on personal information protection as it directly defines the scope of what is intended to protect. Therefore, the definition is generally the result of the legislator’s weighing of various legal relationships repeatedly.
Difference between and change to identification standard and relevance standard
The connotation and denotation of personal information have been developed on its definition in several previous PRC laws and regulations. For example, pursuant to Article 76 of the Cybersecurity Law, personal information refers to “a variety of information that is recorded by electronic or other means and can be used separately or in combination with other information to identify a natural person”. In addition to the application of the above “identification” standard, the Civil Code includes “whereabouts and movements” as an additional category of personal information, to some extent echoing the definition of citizen’s personal information in the Interpretation of Several Issues regarding Application of Law to Criminal Cases of Infringement of Citizen’s Personal Information Handled by the Supreme People’s Court and the Supreme People’s Procuratorate ( “Interpretation”). Considering the legal relationship protected by criminal laws is particular and focused, the Interpretation includes the information that “may relate to the activities of a specific natural person” in the scope of personal information. This is generally construed to have extended the scope of personal information by following the “relevance” standard in addition to the “identification” standard.
The Draft will become a special law for personal information protection once passed and adopted. The definition of personal information under the Draft will have incomparable influence on civil, criminal and administrative legal relationships. Article 4 of the Draft defines personal information as “a variety of information that is recorded by electronic or other means and relating to an identified or identifiable natural person”. The definition combines the “identification” and “relevance” standards to a certain degree and allows a possibility to extend the concept of personal information.
Reference and localization
It is not easy, you may have found, from the legislative practices worldwide to clearly, accurately and properly define the specific meaning of personal information. The “identification + relevance” standard is applied in the GDPR, one of the comparative law sources for China’s legislation on data protection. Pursuant to Article 4 of the GDPR, “personal data” means any information relating to an identified or identifiable natural person. However, such definition is challenged as well. Some are of the opinion that it is “very vague and even ambiguous”, and may bring uncertainty to the application of the law. Some argue that an overly broad definition may make GDPR “the law of everything”, and the good intentions to provide the most complete protection possible are likely to backfire, resulting in system overload and imbalanced interests related to data industry.
In fact, the EU is also aware of the problem. The Article 29 Data Protection Working Party proposed in its opinion on the concept of personal data that the definition scope should not be overstretched. However, GDPR focuses on the protection of “identifiable” data without distinguishing it from “identified” data. Data will be deemed to be personal data so long as the ultimate purpose of its processing is to identify the data subject. The purpose of personal data processing is thus actually bound up with the identifiability of data, and practical problems and contradictions are still pending. Compared with the EU’s more radical “expansionist view”, the US adheres to the “reductionist view” under the guidance of common law practice, holding that only information that can be actually linked to a specific person is personal information. The California Consumer Privacy Act (“CCPA”) gives a specific definition by enumeration.
The world is still holding “identifiability” as a major element in the definition of personal information. With the development of identification technologies, however, the judgement of whether the personal data is identifiable is in fact a dynamic process. A large amount of previously unidentifiable information may become identifiable after being combined. The scope of personal information is thus directly extended. As a result, some scholars propose to distinguish the personally identified and identifiable information and design different protection measures. If put into the shoes of the regulators, we will see the necessity and urgency of strengthening the legislation on personal information protection in the context of rapid development of digital technologies and frequent occurrence of infringements upon personal information rights and interests. In view of legislative practice and experience of foreign jurisdictions, the good intentions to protect personal information may backfire if the concept of personal information is excessively extended. Illegal collection and abuse of personal information is widespread in practice. Notably, however, a subject may be identified or linked for the single purpose of verifying other than identifying any specific individual in many scenarios, including the commercial machine learning and technical research, taking place in China’s rapidly growing digital economy today. The vague or extended scope of personal information may limit the processing of data, and hinder the digital economy from reaching its full potential.
Undeniably, with digital economy blooming in the society, we may have to continue to work on the core concept of personal information in a long term. Is it necessary to distinguish the purposes of personal information identification? Is it necessary to define the scope of personal information in a certain scenario? Should the capacity to process and analyze data be considered? Is relative anonymity passible by de-identification before the sharing of personal information? With the development of technology and economy, these questions are calling for our deepened thinking: how to accurately define personal information allowing flexibility in practice to realize the balance of interests of multiple parties in the current stage of social development.
II. Is “Extraterritorial Application” A Temporary Countermeasure or A Trend Driven by Virtual Space?
The effect of the extraterritorial application provided for in the Draft is undoubtedly one of the most concerned and widely discussed legislative highlights. Pursuant to Article 3 of the Draft, the law shall apply to the processing of personal information within the territory of the PRC, and also to cross-border processing activities of personal information of the PRC individuals: (1) for the purpose of providing products or services to the PRC individuals; (2) for the purpose of analyzing and evaluating the activities of the PRC individuals; or (3) under other circumstances prescribed by laws and administrative regulations.
The purpose and practical dilemma of “long-arm jurisdiction”
With the increasing emphasis and awareness of data sovereignty, there is an objective need for countries to compete for data ownership and extraterritorial jurisdiction. GDPR, the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) of the US, and a series of foreign legislations contain “long-arm jurisdiction” provisions. The US and Indian governments initiated an array of investigations and disputes against overseas Chinese enterprises with excuses of national security and citizens’ data security. Given the above, there is a necessity for the Draft to make a positive response.
China is positioned to follow and respond to international legislation. Although the long-arm jurisdiction is established in the Draft, its rationality and application calls for further deliberation. Some are of the view that the extraterritorial application of GDPR is not the “best practice” in international law. In the absence of international rules on data protection, the extraterritorial application of GDPR actually constitutes a restriction on the data rights of non-EU citizens and an unreasonable obstacle to the shared benefits in the global data industry. Such jurisdiction may challenge the integrity of law enforcement powers of other sovereign countries and increase the possibility of trade and even diplomatic conflicts. In addition, the law enforcement agencies within the EU are of the opinion that it is not practical to require overseas enterprises to set up branches or designate representatives within the territory of host countries. Furthermore, the high costs in data compliance have “deterred” many enterprises, including multinational companies. Statistics show that 68% of the companies are expected to spend USD 1 million to USD 10 million on data compliance.
Moderate response and long-term consideration
It is generally acknowledged that the long-arm jurisdiction may not conform to the rules of international law and that restrictions or prohibitions of offshore data operation will compromise the operating power of multinational companies. However, it has become a trend to create necessary extraterritorial effect in the data legislation of the jurisdictions across the world. In addition to GDPR, some recent legislations on personal data protection such as PDPA of Singapore, POPIA of South Africa and PDPL of Egypt, as well as the Personal Data Protection Bill of India, all contain provisions on the domestic data processing carried out by extraterritorial enterprises.
However, compared with the detailed rules of GDPR and the CLOUD Act, which expressly resort to extraterritorial application, the Draft simply reflects China’s position of protecting personal information relating to the PRC individuals. For example, pursuant to GDPR and relevant guidelines on extraterritorial application of the European Data Protection Board (“EDPB”) of the EU, any entity that offers goods or services to the EU shall be subject to GDPR wherever it is established and processes personal data of data subjects who are in the EU. In addition, GDPR and those guidelines also provide for the application of extraterritorial monitoring.
It is common and necessary for multinational companies to process the data of users in the countries where their affiliates are located or of employees of the group. Although GDPR is adjusting its over-expanded jurisdiction as much as possible in various guidelines and practices, its “offering of services” standard technically covers almost all multinational companies that provide services to the EU, thus giving rise to a large number of jurisdictional conflicts. In contrast, the Draft contains a moderate extraterritorial application clause, which provides that only the processing of domestic personal information “for the purpose of providing products or services to the PRC individuals” shall be restricted. That means it adds “restrictions on the purpose of data processing” to the extraterritorial application.
In addition, more and more Chinese enterprises have been caught up in the long-arm jurisdiction of various jurisdictions in recent years. However, if multinational companies provide network services to China by operating offshore data center, in lack of adequate regulation, a large amount of domestic personal information may be transferred across borders without any safeguard. Only by adopting the extraterritorial application to make the offshore processing of personal data by multinational companies a history will reciprocal protection be provided for the personal information of PRC individuals in this era.
Regardless of the rules of reciprocity in international law and the reciprocal protection for domestic personal information, we may find that data/network-based rules on extraterritorial application are inevitable in the era of digital economy and globalization. The driving forces of the current global economy include the interconnection of networks and the global flow and integration of data. We must avoid the obstacles to the development of global economy due to disorders arising out of jurisdiction. In addition, the globalized interaction of virtual space requires countries to appropriately expand their extraterritorial jurisdiction from the perspectives of data security and data sovereignty, so as to maintain the order of market economy as well as public security and interests. In the long run, the absence of rules on extraterritorial jurisdiction will materially affect the protection of personal information rights and the exercise of data sovereignty.
By the way, in addition to the Draft, in order to offset the adverse impact brought by the extraterritorial long-arm jurisdiction of foreign countries, China has issued the Data Security Law (Draft) recently and are making other legislative efforts in two aspects – first, having in place policies such as data localization requirement for personal information protection and security review for critical information infrastructure and important data for self-protection; and second, leaving necessary flexibility for the extraterritorial application of domestic laws to allow for necessary countermeasures to safeguard the legitimate interests of the country and citizens under the “principle of reciprocity” in international law. For example, Article 24 of the Data Security Law (Draft) and Article 43 of the Draft provide for countermeasures against discriminatory measures imposed by foreign jurisdictions. With the enhanced awareness of data sovereignty, many countries have provided for extraterritorial application in their data legislation. It is imperative for multinational companies to keep cautious in their daily operations and have a well-developed data compliance system so as to avoid “disputes” over extraterritorial jurisdiction at an early stage.
III. Advantages and Disadvantages of the “Absolute” Right of Personal Information Subjects in Information Processing
Extension of legal basis for personal information processing
Article 13 of the Draft specifies for the first time that personal information processing is legal only if (1) consent has been given, or it is necessary (2) for the performance of a contract, (3) for the performance of statutory duties or obligations, (4) for coping with public health emergencies or the protection of the life, health and property safety of natural persons in an emergency, (5) for the defending of the public interest within a reasonable scope, and (6) in other circumstances provided for by laws and administrative regulations.
Although the Draft introduces new legal basis for personal information processing, there are still some differences with the GDPR. The fourth legal basis of the Draft is the necessity for the protection of the life, health and property safety of natural persons in an emergency, whereas the GDPR provides for the protection of vital interests of natural persons. By contrast, the Draft is more specific, avoiding vagueness in the concept of “vital interests”. In addition, while the Draft does not provide for the situations necessary to protect the legitimate interests of controllers or third parties, as the GDPR does, but the “other circumstances provided for by laws and regulations” in its catch-all clause can cover such situations to a large extent. Also, the circumstances expressly stipulated by laws are more definite and practical, avoiding any abuse of relevant terms that may cause damage to the rights and interests of information subjects.
The relationship between the two bases “necessity for the performance of statutory duties or obligations” and “other circumstances provided for by laws and administrative regulations” is also worth discussing. The “statutory” requirement of the former requires that the circumstances to which it applies be based on laws and regulations, which is consistent with the meaning of the latter. However, the former further requires that the processing have to be “necessary” in addition to being “statutory”, which in practice may mean situations where there are no clear exceptions for personal information collection under laws and regulations, but such personal information must be processed as required by statutory requirements. In addition, considering the pandemic prevention and control, the Draft also introduces the legal basis of “necessity for coping with public health emergencies”, which fully reflects that the law keeps pace with the times.
Rights of personal information subjects in different stages of economic development
In 2012, the Standing Committee of the National People’s Congress, in its Decision on Strengthening Network Information Protection, proposed for the first time that the collection and use of personal information shall be subject to the consent of the person whose personal information is to be collected. Since then, unless otherwise provided by laws and administrative regulations, the “consent” of personal information subjects has been the main legal basis for personal information processing in China. Some scholars even believe that this basis endows the personal information subject with the “absolute right” of personal information. Article 13 of the Draft for the first time introduces more legal basis for personal data processing from a legislative perspective. Is the change from a single legal basis to multiple basis reasonable? What are the considerations behind this?
Although it was only after the introduction of the Civil Code that the recognition of personality rights in the rights and interests of personal information became relatively clear, at the early stage of personal information protection, especially at a time when the right to privacy and the right to personal information have not been completely distinguished, giving the personal information subjects relatively “absolute” control is of positive significance for the protection of personal information rights and interests, especially personality rights and interests. However, with the development of big data and high technology, the multiple interests attached to personal information, such as the interests of the information subject, the interests of the information user and the public interests, are gradually manifested. The interests of the information subject are mainly manifested in the protection of personal dignity and freedom. Because personal information is social, instrumental and functional, the interests of information users should also be protected to promote the use and circulation of personal information. In addition, when it comes to public interests, the information subject may need to give up or sacrifice some of his or her personal interests in order to ensure public management.
In view of this, making informed consent the only legal basis for personal information processing in fact gives the data subject a more absolute right of control over his/her personal information. Unlike other relatively mature rights such as intellectual property rights, “ownership” or “control” of personal information has yet to be defined, and therefore a more absolute right of control may adversely affect the establishment of a bundle of rights system over personal information, and may hinder the distribution of rights among different subjects. Thus, this system of absolute control in personal information processing with the participation of multiple subjects may lead to high costs of authorization as well as dampened technological and social development, causing great difficulties in economic practice. By contrast, the GDPR provides for five legal bases in addition to consent in order to achieve a balance between personal data protection and data flows. In terms of safeguarding data flow, the CCPA of the United States does not even strictly take consent as a precondition for processing, but rather uses “notice + opt-out” as a way to protect consumer rights and interests. The international community prefers not to take the protection of the rights and interests of personal data subjects as the sole purpose of personal data protection, but to seek a balance between data protection and data flow as far as possible.
Shift from personal control to multi-party control to fully safeguard data rights and interests
The Civil Code has already included “as otherwise provided for by laws and regulations” as an exception to consent, leaving room for maneuver, and has included the processing of personal information that has been lawfully disclosed, the protection of public interests or the legitimate rights of natural persons as exemptions from liability. The Draft further specifies four other legal bases in addition to consent and “other circumstances provided for by laws and regulations”, reflecting that the personal information protection system is gradually moving from individual control to social control and multi-party control. This is not only in line with the development of the times, but also in line with the trend of the international community. The shift from personal control to multi-party control does not hinder the protection of personal information subjects’ personality rights and interests to control personal information, and allows subjects involved in the different stages of personal information processing to give away their control derived from absolute consent, making it possible for them to seek property rights and interests which may be claimed for personal information. At present, the key and difficult problem of data legislation is data right confirmation. By adding more subjects of personal information control, it will be beneficial to break the theoretical and practical restrictions, and set to realize a new rule on data rights that balances the rights and interests of personal information subjects and other processing subjects.
IV. The Dilemma of “Consent”
The Draft elaborates on the rules on consent in different situations. According to Article 14 of the Draft, consent shall be given by an individual on the condition of full knowledge, and through a voluntary and explicit expression of his/her intention; where laws and regulations require separate or written consent, such laws and regulations shall prevail. Article 24 of the Draft provides that separate consent shall be obtained from the personal information subject before sharing relevant personal information. Article 30 of the Draft also states that separate consent must be obtained from individuals before processing sensitive personal information, and where laws and regulations require written consent to such processing, such laws and regulations shall prevail. The Draft for the first time attempts to classify “consent” in different scenarios for legislative purpose. It remains to be seen whether it is feasible to accurately define “consent”, “separate consent” and “written consent” in practice.
Rationality and difficulty in classifying rules on consent
Legislation on data protection worldwide all touches upon the concept of “consent” yet under variant rules. The Draft defines “consent” as “voluntary and explicit expression of intention by individuals with full knowledge”. Compared with the GDPR which requires consent be given by a statement or a clear affirmative action, the Draft provides more diversified means of expression for consent. Compared with general consent, separate consent places more emphasis on the authorization given by a personal information subject based on full knowledge and prudential consideration to process personal information. As a reinforcing measure to general consent, it is theoretically necessary.
For sharing personal information with a third party and processing sensitive personal information, two scenarios of highly sensitivity, separate consent indeed secures fuller and more effective consent from the information subject to a certain extent. Since there lacks a specific definition of separate consent under the Draft, it is in practice usually considered as a form of authorized consent as opposed to general consent, and realized in the form of separate prompts or pop-ups. However, if separate consent is obtained online, especially when real-time data collection or sharing is required, it may cause disturbance to users while failing to protect the free will of the personal information subject.
By way of example, according to Article 24 of the Draft, personal information processors shall obtain separate consent from an individual before providing his/her processed personal information to a third party. However, it is a common practice of sharing personal information with a third party through SDKs, a widely accepted and efficient business cooperation model. For large enterprises, their services may incorporate multiple SDKs from different third parties with different processing purposes and methods, and such SDKs may be updated from time to time during their service provision. Obtaining separate consent in the form of a pop-up window for each type of SDK may lead to excessive costs and unfriendly user experience. Therefore, considering the cost of compliance in practice and the difficulty in implementation, work remains to be done to design a consent mechanism that meets the requirements of separate consent without causing inconvenience to users.
Compared with general consent, written consent emphasizes not only the right of full knowledge of the information subject and the validity of authorization, but also the verifiability of the consent given. Although this concept is touched upon in the Draft, more specific application scenarios and the definition of effective written consent are still awaited. For example, the Russian Law on Personal Data (Federal Law No.152-FZ of 27 July 2006) provides that “consent in the form of an electronic document signed with an electronic signature shall be regarded as equivalent to a written consent containing the handwritten signature of the personal information subject”. Similar provisions help clarify the boundaries of written consent in the new economic environment, especially the internet economy.
New mechanisms of giving consent calls for new business forms
It is of necessity to distinguish different types of consent based on different scenarios from a legislative perspective. However, as how different types of consent are defined will significantly affect the rights and interests of relevant subjects, it remains to be further clarified by relevant regulations or guidelines on the specific definition of consent and its application. Meanwhile, how to satisfy different requirements on consent to adapt to the new mechanism will be a closely-watched challenge for enterprises.
V. Policy Considerations for the Allocation of Processor’s Liabilities: How to Strike a Balance Between the Protection of Rights and Interests in Personal Information and the Promotion of Industrial Development?
One of the legislative highlights lies in Article 21 of the Draft where it provides joint and several liabilities for two or more processors who jointly process personal information. Specifically, individuals whose rights and interests in personal information are infringed upon as a result of joint data processing shall have the right to claim all damages from any of the joint processors. From the perspective of providing strong protection for personal information, the joint and several liability is undoubtedly conducive to safeguarding individual’s right to claim, encouraging the joint processors to fully agree upon the security obligations for joint processing, and urging them to actively supervise each other over data protection. However, in the context of promoting digital economy, how should the strong-protection policy approach represented by the joint and several liability for joint processors respond to the needs for developing new business forms that “promote the integration & transformation and cross-sector cooperation of enterprises”?
Let’s assume a scenario: an OEM wants to build its own Internet of Vehicles (IOV), in which the navigation service is operated by a third party. The third-party navigation service directly employs sensors to collect users’ locations to provide navigation and positioning services as a direct personal information processor. Meanwhile, the OEM uses such locations obtained and processed by the navigation service for intelligent refueling, intelligent parking, travel information and other IOV services as a joint processor of such personal information. Pursuant to the Draft, if the OEM disclosed such location information to others in its on-board delivery service, the third-party joint processor shall also bear the joint and several liability. Given the accessibility of the IOV scheme, the third party cannot fully foresee the possibility and risk of such information breach. Thus, in order to avoid the joint and several liability, it is likely to reduce its cooperation with the OEM or restrict the application scope of the OEM’s IOV scheme through contracts, thus hindering the development of and cooperation with the IOV industry.
The above scenario indicates that if the joint data processing can be divided into parts and the division of labor is clear, it may be unfair and discourages enterprises from engaging in such industrial cooperation as one of the processors is required to bear joint and several liability for another’s data processing. Nevertheless, where the users cannot rationally and clearly understand the division of labor in the suspected infringement of the joint processors, it is obviously justifiable and necessary to place joint liability on the joint processors to safeguard personal rights and interests. This is also recognized in China’s judicial practice. As a matter of fact, our legislation has always been cautious towards the joint and several tort liability – the joint and several liability in the Civil Code which imposes restrictions on Internet service providers sets a good example. Meanwhile, from the perspective of international legislation, although Paragraph 3, Article 26 of GDPR provides that “the data subject may exercise his or her rights in respect of and against each of the [joint] controllers”, it is still highly controversial as to whether this can be construed as joint and several liability for joint controllers. Apparently, there is still a long way to go in policy studies on how to balance the protection of individuals’ rights and interests and the promotion of industrial cooperation and development in the allocation of processor’s liabilities – should a rational understanding of the division of labor of the processing activities be taken as the judgment criteria of liability allocation? Will this criteria cost too much in judicial practice so that it is more feasible to provide for joint and several liability once and for all?
Similar policy concerns also arise in Article 65 of the Draft, which provides that “If the personal information processor can prove that it is not at fault, its liability may be mitigated or exempted” for its processing activities that infringe upon the rights and interests in personal information. This Article seems to have adopted the presumption of fault liability, that is, it shifts the burden of proof to the processor as a defendant who is required to prove that it is not at fault in personal information processing. However, this Article can also be understood that if the processor proves that it has no fault, its liability for damages may only be mitigated, which seems to provide for the fair allocation of liability. In addition, this Article, together with Article 21 of the Draft, raises another tricky question for the allocation of liability: assuming that two joint processors under joint and several liabilities are only responsible for different stages of personal information processing, and Party A can prove that it is not at fault while Party B cannot, if the infringed individual requires Party A to bear the liability for damages pursuant to Article 21, can Party A resort to Article 65 as a defense? How to construe the allocation of liability in Article 65 against the joint and several liabilities of joint processors so as to eliminate conflicts, and how to strike a balance among the rights and interests of Party B at fault, Party A without fault and the infringed individual? Regardless of the allocation theory of processors’ liabilities, this Article will undoubtedly increase the litigation costs of the processors and reduce their enthusiasm to seek innovation in the digital economy industry. It is imperative to have further extensive discussion on how to achieve a subtle balance between addressing the challenges in protecting personal information by litigation and safeguarding industrial development.
VI. How Do We Draw a “Reasonable Boundary” for Processing Disclosed Personal Information?
Limited “disclosure” of personal information
Article 28 of the Draft regulates the processing of disclosed personal information by providing that the disclosed personal information may only be processed to the reasonable extent of purposes of disclosure; otherwise, processors are required to inform the individual and obtain his/her prior consent. This is to say that “disclosure of information” cannot justify unrestricted processing of personal information. Article 1036 of the Civil Code has included “the reasonable use of disclosed personal information” in the grounds for exemption from liability for personal information processing (unless personal information subjects explicitly refuse or the processing of such information infringes upon their vital interests). Article 28 of the Draft, built on previous provisions, further prescribes that: (1) the use of personal information shall generally be limited to the “purposes for which personal information is disclosed”; where the use of personal information is beyond the reasonable scope related to such purpose, the “notification-consent” principle shall be exercised; (2) the personal information shall be used in a reasonable and prudent manner, and if it has a material impact on an individual, the “notification-consent” principle shall be exercised. Considering the publicity or openness within a certain scope of disclosed personal information, “consent” is no longer a principle to follow or of necessity for information processing. However, it can be seen from the above provisions that “reasonable care” and “compliance with purpose” are the key elements in defining the boundary of processing disclosed personal information. For modern enterprises, a vast amount of personal information processing activities cannot happen without using disclosed personal information, such as the common practice of “crawling” publicly available information on the internet. As such, it has become a public concern about drawing a reasonable boundary of disclosed personal information processing for individuals and enterprises, including information collection for commercial use and recognition of human faces and other biometric information “exposed” in public places.
Reference and application of the principle of reasonable expectation of privacy
How disclosed personal information may be processed in a “reasonable and prudent” manner when such information is disclosed for unclear purposes? The principle of “reasonable expectation of privacy” can be used as a reference. Since the ruling in Katz v. the United States case was made in 1967, the principle has been applied by a citizen to resist to searches by public authorities when his/her privacy may be infringed as a result of such searches (“Law Enforcement Privacy”). Nowadays, with the rise of the digital economy, theorists to discuss and study “information privacy” have used this principle. Theoretically, the boundary of rights and interests that an individual enjoys over information shall be determined in the information relationship in a specific scenario (Context), and the important standard thereof is “reasonable expectation of privacy”- the collection, processing and transfer of personal information shall meet the reasonable expectation of the individual. It is generally believed that when the processing of personal information is beyond the reasonable expectation of a normal and rational individual in the society, the personal information processor must expressly notify the individual so as to ensure that he/she understands the risks associated with such processing, and obtain his/her explicit authorization. In a real-world scenario, for example, a well-known video uploader publicly shares certain personal information in a video. Owing to the characteristics of media communication, such personal information may be “taken out of the context” or “edited at will”, leading to the weakening and even erasing of the purpose of such disclosed personal information. But at least it can be reasonably expected that the uploader does not want the disclosed personal information to be processed in any way that is unfavorable to him/her.
Dynamically adjusted standard of reasonable expectations along with industry and technological developments
In practice, it is far from easy to determine reasonable expectation, the biggest uncertainty of which lies in the dynamic evaluation method that combines scenarios with individual cases. As an alternative principle for disclosed personal information processing, it should be better economically comparative to the “notification – consent” principle, or otherwise, the system design of reasonable expectations will be of no practical significance. At the same time, the judgment of reasonable expectation of privacy relies on the specific law enforcement and judicial practices in relation to personal information protection. Enterprises, as personal information processors, will have to go through a process similar to experience accumulation before forming beneficial interaction in the practice of processing of disclosed personal information.
Reasonable expectation of privacy is based on the privacy consciousness perceptible to individuals. Relatively speaking, it is especially important to define the reasonable scope of processing clearly and explicitly when it comes to personal biometric information such as human faces that is collected and recognized in public places as such collection is less perceptible. The sensational first case involving the use of face recognition in China, was just a dispute over the reasonable application scope of the face recognition technology. According to Article 29 of the Draft, face information falls into the scope of sensitive personal information. As it is generally “exposed” in public places, the imperceptible processing of such information may result in serious consequences without necessary legal restrictions. As stipulated in Article 27 of the Draft, the processing of such information shall be confined to the sole purpose of maintaining public security, and enterprises are required to set up prominent signs. Therefore, the legislation clearly excludes human faces and other biometric information from disclosed personal information, and strictly restricts the scope of processing of face information collected and recognized in public places without the separate consent of an individual by mandatory provisions.
However, it is worth noting that, except those necessary for public security, biometric information such as human faces, iris and gait has incomparable accuracy and authenticity compared with personal identification information such as current device identification code, mobile phone number and IP address, which is expected to have a broad commercial application. With the popularization of unmanned supermarkets, smart business districts, smart communities and even smart cities, is it possible for people to reasonably expect that the exposed biometric information will be collected to a limited extent after they step into a similar open or semi-open space that (1) has conspicuous marks, and (2) is able to greatly facilitate its users? For similar new business forms, it is worth thinking ahead about whether it is necessary for us to make dynamic adjustment to the standard of reasonable expectation.
VII. From Cybersecurity to Data Security：How Do We Set down Rules for China’s Data Localization and Cross-border Transfer?
Multiple pathways for cross-border data transfer and additional requirements on localization
Rules setting for data localization and cross-border flow has long been the highlight of legislation on data protection worldwide. In addition to the requirements on “full knowledge” and “separate consent”, the Draft further enriches the rules on data localization and cross-border transfer under the Cybersecurity Law. The Draft expands the subjects of data localization obligation from “operators of critical information infrastructure” to “personal information processors who process personal information in an amount reaching the threshold specified by the national cyberspace administration”, and requires that the two types of subjects pass the security assessment of the national cyberspace administration before providing personal information overseas. Other enterprises are authorized to transfer data overseas in multiple ways under the Draft if they meet any one of the following three conditions: 1) “passing the security assessment by the national cyberspace administration (with exceptions provided)”; 2) “being accredited by a professional organization designated by the national cyberspace administration”; or 3) “having concluded a contract that secures the same standard of personal information protection as this law provides”. Therefore, the Draft facilitates the cross-border data transfer by processors of low risks in an effort to satisfy commercial needs.
The Draft bears some similarities to the GDPR in that the requirement of “accreditation by designated organizations” is similar to GDPR’s Binding Corporate Rules, and the “conclusion of contract” requirement is related to the Standard Contractual Clauses under GDPR. In addition, according to Article 12 of the Draft, the State will actively participate in the drafting of international rules on personal information protection and promote mutual recognition of rules and standards for the personal information protection with other countries, regions and international organizations. This suggests that more regional alliances for the free flow of data will come into being in the future through international mutual recognition and other means. Meanwhile, the legal basis for cross-border data transfer will also be enhanced through the binding provisions under private agreements and relevant recognition standards.
Network-centric security policy to data-centric security policy
The core of regulation over cross-border data flow under the Draft lies in the requirement of data localization. From the perspective of national strategy, it serves as an important function to safeguard national data sovereignty and defend against transnational cyberattacks or threats. For example, the United States has started its strategic deployment of cybersecurity very early. Recently, the Trump administration is active in releasing strategic policies such as the National Security Strategy, the Cybersecurity Strategy and the National Cyber Strategy. The National Cyber Strategy, in particular, lays special emphasis on the protection of data and underlying infrastructure and will provide extended protection for data rested on the internet in addition to just the cyberspace. On 8 October 2010, U.S. Department of Defense released the first DoD Data Strategy, which is considered as a shift from a network-centric to a data-centric security model.
The localization rule established under Article 40 of the Draft also mirrors the current transition of sovereignty dispute from over cyberspace to over data. If it is considered that the localization requirement under the Cybersecurity Law for critical information infrastructure operators are based on cybersecurity, then the inclusion of “processors who process personal information in an amount exceeding a certain threshold” for such requirement under the Draft focuses on data security. It shows that the legislative focus of localization requirements has extended from the cybersecurity level to the data security level, as well as the progress of legislation thinking from network-centric to data-centric. It is a positive response made by legislators in the context of the rivalry for data sovereignty worldwide.
Whether it is feasible remains to be seen
In law enforcement, there may be uncertainties regarding “processors that process personal information in an amount reaching the threshold”. One aspect of the uncertainties is that it may be controversial on how to determine the amount of personal information processed. According to the Interpretation, calculation of the amount of personal information processed is based on the size of personal information subjects. In practice, however, the amount of personal information processed by enterprises is constantly changing, causing certain difficulties in determining the specific amount. Under extreme circumstances where the data relating to the employees of a multinational company reaches the threshold set by the national cyberspace administration, will the company need or be required to localize all the data of its employees collected in China while currently stored overseas as provided under the Draft? Another aspect is that amount-based calculation may lead to the circumvention of regulations. Enterprises may store the data separately on different information systems operated by its subsidiaries or process the data in the name of its affiliates to circumvent the localization requirements. If it works, considering cross-border transfer or overseas storage may happen to the same amount of data materially, is it necessary to be further regulated by invoking cross-border security assessment and other relevant rules?
Therefore, it may still require detailed regulations or guidelines from the competent cyberspace administration to establish specific rules. Of course, there may be de facto concurrence between critical information infrastructure operators and, for example, personal information processors with the amount of personal data processed reaching the threshold. If it is further confirmed that the personal information processors triggering the threshold requirement are viewed as operators of critical information infrastructure, and thus the localization requirement will be limited to those critical information infrastructure operators in legislation, it may help solve the above problem to some extent.
VIII. Right to Data Portability: a “Utopia” or a “Straw”?
The rights of individuals in personal information processing have always been a focus of wide attention in personal information protection legislation. Chapter IV of the Draft further clarifies and details the issue based on the existing provisions under the Cybersecurity Law and the Civil Code. In the Draft, the rights of an individual to be informed, to decide, to restrict, to refuse, to consult and copy, to correct and delete his or her personal information, in the information processing are further confirmed. Domestic legislation on the rights of personal information subjects is similar to the GDPR, Brazil’s Data Protection Law, LGPD, and other related provisions. However, the “right to data portability” under Article 20 of the GDPR is not included under the Draft, the Cybersecurity Law or the Civil Code. As stated in notes of the Draft, there should be necessary room left for some theoretical issues that are still controversial. Despite the practical difficulties and legislative considerations for the right to data portability, it is still advisable to consider the necessary adjustments for such right and its possible future developments in light of the characteristics of the times.
According to the GDPR, the right to data portability mainly includes two aspects: 1) “the data subject shall have the right to download his or her personal data stored at the data controller”, and 2) “the data subject shall have the right to have his/her personal data transmitted directly from one controller to another, where technically feasible”. The GDPR also provides for exceptions where “the exercise of the right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority, and shall not adversely affect the rights and freedoms of others”. The right to data portability has been questioned since the day it was introduced, in terms of both technical feasibility and economic costs. It has been argued that such a right would undermine the efficiency of data use and therefore has no value. What is the consideration behind the exclusion of the “right to data portability” under the Draft? Are we currently well prepared to implement data portability? To answer these issues, we need to discuss the balance of rights and interests of the multiple parties behind data portability, respectively.
Consideration on the scope of interest of information self-determination of data subjects
From the perspective of the data subject, the theoretical basis of the right to portability is based on the right to information self-determination, which was originally established in the German federal constitutional case “Census Act”. In fact, however, it is a misinterpretation of the judgment that information self-determination is understood as absolute control over personal information. The exclusive attribution of personal information to the data subject as an object does not create a clear prohibition on the actions of others, and therefore cannot constitute a civil right in the sense of a private right protected by tort law. It is generally believed that the exercise of the right to self-determination in order to protect the privacy interests of personal information should also be reasonably restricted. The reasonable restrictions is to a considerable extent out of the considerations that digital enterprises enjoy certain “property interests” in relation to user data. It should be considered that the right to data portability, while strengthening the absolute control of individuals over their personal data, causes enterprises to incur high costs to maintain their data resources at the expense of their interests and unreasonably increases their operating costs. Therefore, it should be explored whether such scope for information self-determination is too broad and would affect the effective functioning of the social and industrial order.
Protection of the competitive interests of data enterprises
Data portability is regulated under not only personal data protection law, but also the competition law. From the perspective of data as strategic resources, the high market share of user data resources has become a unique competitive advantage for modern digital-driven enterprises, which is proved by many cases of unfair competition between enterprises for data, such as the competition between ByteDance and Tencent. However, trying to use data portability to break the data monopoly may be wishful thinking of the “utopia”. Some people believe that granting personal data subjects the right to data portability can effectively restrict the monopoly of internet giants on data, promote the free flow of data, and break down barriers to data market access. However, this viewpoint only applies to the head giants. In fact, the rash introduction of data portability system before a mature digital industrial system has been formed could lead to a sharp increase in the burden on SMEs. According to the theory of “lock-in effect”, enterprises that enter the market early and has accumulated a large number of users (enterprises of first-mover advantage) have an absolute advantage over the data. In the possession of a large amount of data, in order to protect their developed advantageous position, the enterprises of first-mover advantage will take various ways to raise the industry entry barriers, among which the most typical one is to block the data to increase the cost of users to switch service providers. In addition, the implementation of data portability may also trigger and indirectly encourage unfair competition of “free-riding” among enterprises, which may lead enterprises to circumvent the technological suppression of data portability and intensify the “fragmentation” of data, and finally cause the monopoly of several giant enterprises. This situation runs counter to the purpose of the data portability system, and thus creates the potential risk for breaching the basic order established by competition law.
Although the right to data portability is highly controversial and its implementation is extremely difficult, it is still worth considering the original intent of the legislation based on the rights and interests of personal information subjects, as well as its technical neutrality and “utopian” spirit. In the era when data is a factor of production, it may not be possible to change the trend from individual control of personal information to multi-party control, and it may be difficult to standardize data and promote conditional free flow of data through the right to portability or other rights. Still, we expect that similar rights will play a greater role in the intelligent era when data bottlenecks are overcome.
Currently, there is still room for portability to survive in special scenarios. In some industries where data transfer is strictly regulated, such as financial and healthcare industries, data cannot be transferred safely and the value of data cannot be brought into full play as, due to the lagging legislative developments, organizations without relevant qualifications are prohibited from processing industrial data. At this particular time, there is actually no resistance to the right of portability on the part of organizations or enterprises, and there is no conflict of interest between the enterprise and the personal information subject in terms of data. Personal information subjects may even actively exercise their right to portability to achieve an orderly flow of data. Therefore, it is still necessary to discuss whether it is possible to achieve a balance between the interests of multiple subjects and to guarantee the personal information security through the conditional establishment of the right to portability.
IX. How Do We View the High Penalties for Personal Information Violations?
In line with the characteristics of China’s legislative system, the Draft takes a whole chapter, Chapter VII, to stipulate the “legal liability” for personal information violations. Article 62 of the Draft stipulates in two paragraphs the administrative supervision responsibilities for the personal information processing in violation of the Draft or failure to take necessary security measures. What has arouse great concern is that the Draft has greatly increased penalties on top of the Cybersecurity Law and adopted similar penalty methods as the GDPR, with maximum fines and 5% of the annual turnover as the penalty caps. In view of the urgent need of personal information regulation, the Draft provides strong legal support for regulators to enforce penalties for personal information violations.
The classic theory of “efficient breach” in Anglo-American common law system may explain the reasonableness of increasing penalties to some extent. If a personal information processor, after comparing the costs of violation (including fines) with economic benefits, believes that it would still be profitable to give up compliance efforts or even optimize its revenue structure, the regulatory penalties are necessarily unenforceable. However, regulatory penalties are more than just punishing violations. One of the indicators for evaluating penalty mechanisms is whether it is able to help correct personal information violations. According to the European Commission’s assessment report on the second anniversary of the GDPR, between 25 May 2018 and 30 November 2019, 785 fines were imposed by the Data Protection Authorities (DPAs) in 22 EU/EEA. In terms of volume, there were quite a few administrative penalties, but in terms of effectiveness, Access Now, an NGO, notes that the number of fines is still small compared to the number of complaints received by the DPAs, which means that “a large number of complaints remain unresolved”.
The Draft increases penalty amounts legislatively, which is in line with the current situation and trends. At the same time, one possible direction for further refining the penalties in the future might be assessing the implementation of specific regulatory penalties by deciding on whether the violators rely mainly on personal information processing for economic profit, which in different scenarios may be supported by applying “revocation of licenses”, “suspension of personal information processing” and other penalty tools.
Summary and Prospect
As a special legislation for personal information protection in China, the Draft, based on the specific practice in the China’s information field and drawing on the experience of foreign legislation, is a response to the hot issues and challenges in the current industry and legal practice. It has in a sense revealed the future trends in legislation and law enforcement, such as strictly regulating the form of authorization and consent, regulating cross-border data transmission from the perspective of data localization, and increasing the penalties for illegal activities. While matching international rules and standards on personal information protection, and building on the relevant laws and regulations such as the Cybersecurity Law and the Civil Code, the Draft has left the door open for further enactment of supporting regulations in the future, demonstrating a pragmatic attitude based on national conditions and contributing a Chinese solution to international legislation on personal information protection. Strategically, the Draft aims to promote the sound development of the digital economy. More importantly, it lays a solid foundation for China’s transformation to a digital society in which data is the new factor of production by focusing on shifting personal information protection from network-centric to data-centric and taking into account the complexity of economic life. We can expect that the Personal Information Protection Law, after being thoroughly discussed and improved, will strike a balance between the protection of the rights and interests of personal information and the orderly and free flow of personal information. It will regulate personal information processing, protect the rights and interests of personal information, stimulate the digital industry, and bring new opportunities for the development of China’s digital economy in an international environment characterized by intense competition over data sovereignty.
 He Bo: Discussion on the Definition of Personal Information, published on Information and Communications Technology and Policy, 2018 (6).
 Nadezhda Purtova: The law of everything. Broad concept of personal data and future of EU data protection law, https://www.tandfonline.com/doi/full/10.1080/17579961.2018.1452176, last accessed on 23 October 2020.
 Cheng Deli, Zhao Lili: Study of “Identification” Element in Personal Information Protection, published on Hebei Law Science, 2020 (9).
 WP29: Opinion 4/2007 on the concept of personal data, https://www.clinicalstudydatarequest.com/Documents/Privacy-European-guidance.pdf, last accessed on 23 October 2020.
 For example, the Patrick Breyer case, where a dynamic IP address that could not be used to directly identify an individual was protected by the CJEU as personal data, it has directly enlarged the scope of personal information. See Patrick Breyer v. Federal Republic of Germany, http://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=EN, last accessed on 23 October 2020.
 Liu Hongyan, Tang Lin: Legal Classification of Personal Information Based on “Identifiability” Risks Through Comparison of Personal Information Legislation in EU and US, published on Journal of Shanghai University of Political Science and Law (The Rule of Law Forum), 2020 (5).
 Paul M.Schwartz, Daniel J.Solove. The PII Problem: Privacy and a New Concept of Personality Identifiable Information. New York University Law Reviews, 2011(86).
 Berkeley law: PII 2.0 law.berkeley.edu/article/pii-2-0/, last accessed on 23 October 2020.
 Shakila Bu-Pasha. Cross-border issues under EU data protection law with regards to personal data protection, https://www.tandfonline.com/doi/full/10.1080/13600834.2017.1330740. Last accessed on 23 October 2020.
 Excerpt from Professor Wang Xixin’s speech themed Game of Data Sovereignty: Origin and Expansion of the Principle of Long-arm Jurisdiction at a Tencent Research Institute C-Law lunch meeting, https://mp.weixin.qq.com/s/NU1xaTZDdAwcxGZARU8r9g. Last accessed on 23 October 2020.
 Wang Rong, Zhu Junbiao (Tencent Research Institute): The Second Anniversary of GDPR – Reflection and Enlightenment from the EU Members, https://mp.weixin.qq.com/s/Iw1J0lYQOa5Kl8fszvqkgw. Last accessed on 23 October 2020.
 Xinhuanet: “No Data Protection” or “No Access”? How to Improve the “Chinese Approach” to Privacy Protection, http://www.xinhuanet.com/legal/2019-07/16/c_1124757320.htm. Last accessed on 23 October 2020.
 Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – version adopted after public consultation
 Gao Fuping. “The Lawful Basis for the Use of Personal Information: Analysis from a Data Interest Perspective,” 2019 (2), Journal of Comparative Law.
 Gao Fuping. “Personal Information Protection: From Personal Control to Social Control,” 2018 (3), Chinese Journal of Law.
 NDRC, et al: Opinions on Supporting Sound Development of New Business Forms and New Modes to Activate Consumer Market and to Increase Employment, Fa Gai Gao Ji  No.1157
 See the first-instance civil judgment of the dispute between the plaintiff surnamed Huang and the defendants Tencent Technology (Shenzhen) Co., Ltd., Guangzhou Branch and Tencent Technology (Beijing) Co., Ltd. over the network infringement of privacy and rights and interests in personal information, (2019) Jing 0491 Min Chu No. 16142. In this case, the Beijing Internet Court held that ordinary users could not clearly understand the division of labor between Tencent Computer, the operator of WeChat and WeRead committing the infringement, and Tencent Beijing and Tencent Shenzhen, therefore the three defendants were ordered to bear joint and several liabilities.
 Article 1195 of the Civil Code provides that where a network user has used network services to commit an infringement act, the network service provider shall bear joint and several liabilities in respect of the escalated damage when it fails to adopt requisite measures in a timely manner upon receipt of notice. Article 1197 thereof provides that where a network service provider is or should be aware that the network user has used its network services to commit any infringement act but fails to adopt requisite measures, it shall bear joint and several liabilities with the network user.
 Many believe that this provision shall be understood as joint and several liability, however, the Working Party on the Protection of Individuals with regard to the Processing of Personal Data set up under the Data Protection Directive of the EU had an in-depth discussion on the issue of joint and several liability of joint controllers in its opinion (Opinion 1/2020 on the Concepts of Controller and Processor) in 2010 and raised different opinions. According to the Working Party, joint control does not necessarily invoke joint and several liability, and joint and several liability shall be applied as default only when there is no agreement among joint controllers or no equally clear and effective allocation of liabilities. GDPR does not explicitly include the in-depth discussion and suggestions of the Working Party into its statement on joint and several liability, that is to say, it leaves some room for the construction of whether Article 26 provides for joint and several liability. See WP169, Opinion 1/2010 on the concepts of “controller” and “processor”. In addition, in the judgment of Wirtschaftsakademie Schleswig-Holstein (C-210/16) in 2018, the Court of Justice of the EU points out that the “joint liability” of “joint controllers” in the Data Protection Directive, the predecessor of GDPR, does not mean equal liability, and the degree of liability of each controller shall be determined by taking into account all relevant circumstances of the case. This to some extent provides a negative answer as to whether GDPR has established joint and several liability for joint controllers.
 See Katz v. United States, 389 U.S. 347 (1967).
 Helen Nissenbaum, “Privacy as Contextual Integrity”, Washington Law Review, 2004, 79(01).
 Ding Xiaodong: On the Ideological Origin and Basic Ethics of the Legal Protection of Personal Information – Analysis Based on Fair Information Practice, 2019 (3), Modern Law Science.
 Xinhuanet: The first case involving the use of face recognition in China http://www.xinhuanet.com/tech/2019-11/08/c_1125206288.htm, last accessed on 23 October 2020.
 Security Evaluation Center for New Internet Technology and Business: U.S. Cybersecurity Policy Developments and Its Revelation, https://www.secrss.com/articles/10782, last accessed on 24 October 2020.
 Xu Ye: Precautions in U.S. National Cyber Strategy against China and Suggestion on Countermeasures, http://www.casted.org.cn/channel/newsinfo/7656, last accessed on 24 October 2020.
 Gao Fuping, Yu Chao. Comments and Analysis on EU Data Portability. Big Data, 2016 (4).
 Swire P, Lagos Y. Why the Right to Data Protability Likely Reduce Consumer Welfare: Antitrust and Privacy Critique. Maryland Law Review, 2013(2).
 Zhang Zhe. Exploration and Enlightenment: A Study on Data Portability of the GDPR. Journal of Guangxi Political Science & Law Institute, 2016(6).
 Yang Fang. The Theory of the Right to Self-Determination of Personal Information and Its Review: Object of Protection under the Personal Information Protection Law. Journal of Comparative Law, 2015 (6).
 Peng Litang, Rao Chuanping. The Attribute of Network Privacy: from Traditional Personality Rights to the Right to Information Self-determination. Law Review, 2006(1).
 Internet enterprises enjoy a certain “property interest” in data products derived from the processing of their users’ data, which has been adopted in China’s judicial practice. For details, see: Taobao (China) Software Co., Ltd. v. Anhui Meijing Information Technology Co., Ltd. over unfair competition, (2017) Zhe 8601 Min Chu No. 4034. In the judgment of the case, Hangzhou Railway Transport Court held that in the absence of legal provisions or special contractual agreements, internet users have no property rights and interests in user information; network operators shall be subject to the control of network users and only enjoy limited rights to use the original data; network operators have independent property rights and interests in the data products they developed.
 Fu Xinhua. Discussion and Analysis on the Dual Path of Data Portability — Focusing on Personal Data Protection Law and Competition Law. Journal of Henan University (Version of Social Science), 2019(5).
 Xie Lin, Zeng Junsen. Review of the Right to Data Portability. Electronics Intellectual Property, 2019(1).
 Gabriela Zanfir, The right to Data portability in the context of the EU data protection reform. International Data Privacy Law, 22012,2 (03).
 Huo Zhengxin, Comparative Law Study of Efficient Breach of Contract, 2011 (1), Journal of Comparative Law
 See Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020DC0264&from=EN, last accessed on 24 October 2020.
 Jiang Lin, The First GDPR Assessment Review: Has Data Protection in the EU Improved after Two Years of Implementation of the GDPR? https://mp.weixin.qq.com/s/p4s9G-7QISglgy0NfFt0Iw, last accessed on 24 October 2020.
Regulatory and Compliance Group King & Wood Mallesons