Chinese Go Board

China’s 2020 Cryptography Law in the Context of China’s Burgeoning Data Privacy and Security Regime

[Originally published as a Feature Article: China’s 2020 Cryptography Law in the Context of China’s Burgeoning Data Privacy and Security Regime, by Carolyn K. Luong, in Orange County Lawyer Magazine, April 2020, Vol. 62 No.4, page 31.]

By Carolyn Luong

U.S.-China relations have been a trending topic throughout the past year due to several conflicts involving the alleged encroachment upon free speech principles and perceived threats to U.S. national security. The NBA and Activision-Blizzard, both U.S.-based organizations, fielded criticisms in October of 2019 for supposed political censorship motivated by the fear of losing Chinese customers. Furthermore, as the U.S. races to build out its 5G infrastructure, the U.S. government has explicitly restricted U.S. corporations from conducting business with Chinese technology manufacturer Huawei upon apprehension that Huawei equipment may contain backdoors to enable surveillance by the Chinese government.[1]

Dr. Christopher Ford, Assistant Secretary of the U.S. State Department’s Bureau of International Security and Nonproliferation remarked in September that, “Firms such as Huawei, Tencent, ZTE, Alibaba, and Baidu have no meaningful ability to tell the Chinese Communist Party ‘no’ if officials decide to ask for their assistance—e.g., in the form of access to foreign technologies, access to foreign networks, useful information about foreign commercial counterparties . . . .”[2] These Chinese firms in response firmly deny any allegations of contemplated or actual instances of required cooperation with the Chinese government to compromise user information or equipment.

Continue Reading China’s 2020 Cryptography Law in the Context of China’s Burgeoning Data Privacy and Security Regime
Lock on a computer screen held to edges by chains

What Is Happening in Children’s Online Privacy?

Children’s online privacy has always been an important topic, but a number of recent developments around the world have many businesses taking it more seriously. In September, Google agreed to pay a record $170 million fine to the U.S. Federal Trade Commission for violating the Children’s Online Privacy Protection Act (COPPA) by illegally collecting personal information from children without parental consent and using it to profit through targeted ads. A few weeks later, China’s own version of COPPA called the “Measures on Online Protection of Children’s Personal Data,” came into force, providing further clarity on protecting children’s personal data online under China’s Cyber Security Law. On October 7, the FTC hosted a public workshop to explore whether to update COPPA, which is over 20 years old and in need of a refresh due to the emergence of new technologies. (Just think of all those smart devices, social media platforms and educational apps and technologies that were not around in 1998). Finally, the California Attorney General recently released proposed regulations to the California Consumer Protection Act, which goes into effect in January 2020, that would require a business that knowingly collects the personal information of children under the age of 13 to establish, document and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child.

Many children start using the Internet at an early age, raising privacy issues distinct from those for adults. First, children may not understand what data is being collected about them and how it is used. Second, children can easily fall victim to criminal behavior online by providing seemingly innocuous information to web users who can appropriate such information for malicious purposes. Third, children cannot give the same meaningful consent to data collection and use activities as an adult. 

In the U.S., Congress passed COPPA in 1998 to protect children’s use of the Internet—particularly websites and services targeted toward children. COPPA requires website operators to provide clear and conspicuous notice of the data collection methods employed by the website, including functioning hyperlinks to the website privacy policy on every web page where personal information is collected. It also requires affirmative consent by parents prior to collection of personal information for children under the age of 13. Recognizing that teenagers between the ages of 13 and 18 are not protected under COPPA, many individual states have made efforts to address privacy issues for this age group.

Recognizing the need to update COPPA to keep up with the times, the FTC considered the following topics at the October workshop, among others:

  • How the development of new technologies, the evolving nature of privacy harms, and changes in the way parents and children use websites and online services, affect children’s privacy today;
  • Whether COPPA should permit general audience platforms to rebut the presumption that all users of child-directed content are children, and if so, under what circumstances;
  • Whether COPPA should be amended to better address websites and online services that do not include traditionally child-oriented activities, but that have large numbers of child users.

It remains unclear how these issues and others will be resolved. Eager to tap into the new revenue streams that children represent, many tech companies will try to carve out exceptions to COPPA—openly or not. On the other side, child advocates and politicians such as Senator Edward Markey, one of the original authors of COPPA, are pushing back and even trying to tighten restrictions related to children’s online privacy. 

Sometimes the issues are not so black and white. For instance, many well-intentioned companies—tech and otherwise—that have no interest in marketing to children might still be unable to verify the age of users that visit their websites, resulting in inadvertent marketing to minors. Even those that attempt to verify the age of users may face challenges, given the thousands of websites dedicated to helping users bypass age gates and parental controls. Finally, some age verification techniques may run counter to data minimization and privacy concerns – e.g. the collection of credit card data to verify age, when it is not necessary for the provision of the service. Regardless of what happens with COPPA at the FTC and with new privacy laws that are springing up across the world, companies will need to be extra-cautious about how they approach children’s online privacy—continually reviewing their practices and policies to ensure that they are not running afoul of the multitude of laws and regulations out there. Those that do not run the risk of becoming subject to both regulatory and legal action.

American Privacy Laws in a Global Context: Predictions for 2018

Should putative class members have privacy rights in class action claims under the CCPA?
Image Credit: kmicican from pixabay.com

[Originally published as the May 2018 Cover Story: Data Privacy and the Law – American Privacy Laws in a Global Context: Predictions for 2018, by Lily Li, in Orange County Lawyer Magazine, May 2018, Vol. 60 No.5.]

Cybersecurity Attacks Are Inevitable

Cybersecurity attacks are on the rise. According to the non-profit organization, Identity Theft Resource Center, there were over 1,579 publicly reported data breaches in 2017, compared to 1,091 in 2016, and 780 in 2015. Not only are these cyberattacks happening at high-profile companies like Equifax, Uber, and Yahoo, they are increasingly happening to businesses of all sizes. Any entity able to pay a ransom is now a potential target.

Law firms are no exception. In 2017, DLA Piper was hit with a “wiper-ware” attack, following previous email hacks of Cravath and Weil Gotshal in 2016. Earlier this year, UK-based cybersecurity firm, RepKnight, reported that almost 800,000 UK law firm email addresses and affiliated passwords were available on the dark web, with over 50% of these credentials posted in the last six months. These law firms did not just include local UK firms, but global law firms with a UK presence.

Given these alarming statistics, what should legislators do?

In the EU, Canada, and China, legislators have decided to develop and implement national data privacy and cybersecurity frameworks: GDPR, PIPEDA, and CSL respectively. The United States, by contrast, still relies upon a patchwork of sectoral laws and inconsistent state rules. This article will take a brief look at developments in the EU, Canada, and China, discuss the current United States privacy framework, and predict likely developments in U.S. privacy law over the next year.Continue Reading American Privacy Laws in a Global Context: Predictions for 2018