Earlier this year, Access committed to providing quarterly updates on the latest legislation and regulatory news from around the world. These briefs, written chiefly for information governance and legal professionals, are meant to keep you abreast of the industry's latest regulatory updates and provisions. This quarter, as when we launched the series in May, our aim is to give you the latest information so you can do your job as efficiently as possible and with confidence.
We also note, where applicable, whether a regulatory update has been added to Virgo, our IG and retention management software, as a courtesy to active clients. So without further ado, here is the latest on that front.
China's New Personal Information Protection Law (PIPL)
On August 20, 2021, China's top legislature, the Standing Committee of the National People's Congress, passed the Personal Information Protection Law (PIPL), China's first comprehensive data protection law. The PIPL, which takes effect on November 1, 2021, governs the processing of personal information of natural persons within China. It also reaches processing conducted outside China of the personal information of individuals located in China in either of the following circumstances: where the purpose is to offer goods or services to individuals in China, or where the purpose is to analyze and evaluate the behavior of individuals in China.
Similar to the GDPR, the law provides the data subject with rights such as the rights of access, correction, and deletion of personal information. It also requires a legal basis to process personal information, with “notice and consent” being the primary legal basis for lawful processing.
There are exceptions to the consent requirement. For example, entities may process personal information without consent where necessary to perform a contract, or for human resource management purposes. However, separate consent is required for each of the following: disclosing personal information to a third party; processing "sensitive" personal information; and transferring personal information outside China.
Additionally, for cross-border data transfers, the PIPL requires a personal information processor to meet one of the following conditions before providing personal information to a recipient outside China:
- Pass a security assessment organized by the Cyberspace Administration of China (CAC);
- Obtain personal information protection certification from a specialized body, in accordance with CAC rules;
- Enter into a contract with the overseas recipient using the standard contract issued by the CAC; or
- Comply with other conditions set out in laws or administrative regulations (a catch-all provision).
As it relates to the deletion of personal information, Article 47 of the PIPL requires processors to proactively delete personal information under any of the following conditions:
- The processing purpose has been achieved or cannot be achieved, or the personal information is no longer necessary to achieve the processing purpose;
- The personal information processor ceases to provide products or services, or the agreed or legally mandated retention period has expired;
- The individual withdraws consent; or
- The personal information processor has processed personal information in violation of laws or administrative regulations, or in violation of its agreement with the individual.
Penalties for serious violations of the PIPL include fines of up to RMB 50 million (approx. USD 7.7 million) or up to 5% of the entity's revenue in the prior year.
All requirements from the PIPL are now included in Virgo.
California’s Service Industry Rehiring Law
Effective April 16, 2021, Cal. Lab. Code § 2810.8 requires employers in the hospitality, airport and building service industries listed below to offer open positions to qualified former employees who were laid off because of COVID-19. If the employer hires someone other than the laid-off employee on the grounds that the laid-off employee lacked the qualifications, the employer must give the laid-off employee written notice within 30 days. The section also requires employers to keep related records for three years, including records of communications regarding the offers.
This law applies to employers that operate an "enterprise," which includes:
- Hotels with 50 or more guest rooms;
- Private clubs (a membership-based business or nonprofit organization that operates a building or complex of buildings containing at least 50 guest rooms offered for overnight lodging to members);
- Event centers (publicly or privately owned venues of more than 50,000 square feet or 1,000 seats, such as concert halls, stadiums, sports arenas, racetracks, coliseums, and convention centers. The term includes any contracted, leased, or sublet premises connected to or operated in conjunction with the event center's purpose, including food preparation facilities, concessions, retail stores, restaurants, bars, and structured parking facilities);
- Airport hospitality operations that provide services in connection with the preparation of food or beverages for aircraft crew or passengers at an airport. The term also includes businesses that provide food and beverages, retail, or other consumer goods or services to the public at an airport. It does not include an air carrier certificated by the FAA;
- Airport service providers that perform functions directly related to the air transportation of persons, property, or mail. The term includes businesses that provide security, airport ticketing and check-in functions, ground handling of aircraft, aircraft cleaning and sanitization, and waste removal. Air carriers certificated by the FAA are not included in the definition of airport service provider; and
- Building services provided to office, retail, or other commercial buildings (janitorial, building maintenance, or security services).
These legal requirements are now included in Virgo.
Virginia’s Consumer Data Protection Act
The following concerns the Consumer Data Protection Act (VA. CODE ANN. §§ 59.1-575 through 59.1-582), effective January 1, 2023. Some of the main takeaways of the law are as follows:
- The CDPA creates consumer rights, similar to CCPA, but also imposes security and assessment requirements for businesses.
- Under the CDPA, personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information.”
- The CDPA provides any persons residing in Virginia, acting in an individual or household (rather than commercial or employment) capacity, certain rights related to their personal data.
- There is no private right of action, but the Attorney General is empowered to issue a civil investigative demand whenever there is reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of the CDPA.
You can read more about this legislation here.
New and Important U.S. Federal Regulations on Drone Records Retention
All unmanned aircraft owners, be aware: there are now new and important records retention requirements that apply to owners and operators of drones, as follows:
- 14 C.F.R. § 107.140(c)(2): Maintain for 1 year all records of maintenance, preventive maintenance, and alterations performed on the aircraft, and ensure the records are documented in a manner acceptable to the Administrator. The records must contain a description of the work performed, the date the work was completed, and the name of the person who performed the work.
- 14 C.F.R. § 107.140(c)(3): Retain, and transfer with the aircraft upon a change in ownership, all records containing:
  - The status of life-limited parts that are installed on, or are part of, the small unmanned aircraft;
  - The inspection status of the aircraft; and
  - The status of applicable airworthiness directives, including the method of compliance, the airworthiness directive number, and the revision date. If the airworthiness directive involves recurring action, the record must contain the time and date of the next required action.
- 14 C.F.R. § 107.165(a)(1): Retain for 2 years the information submitted for a declaration of compliance.
These requirements are now included in Virgo.
To learn more about how to help your team manage privacy compliance, check out our eBook: Data Privacy for the Information Management Professional.