Photo of Scott Warren

Scott Warren

CPW’s Scott Warren will be providing a keynote discussion on the Challenges in Handling a Multi-Jurisdictional Data Breach from 12:45 to 1:15 pm EST at the virtual Cyber Security ConfEx on Thursday, December 16th.  In addition, from 2-4 pm EST, Kristin Bryan will be providing her perspective on data privacy and cybersecurity litigation trends as

Handling digital evidence in Asia has gotten increasingly complicated in Asia over the years.  In this podcast with FTI, CPW’s Scott Warren covers this topic from a historical perspective, looking at practical, technical, logistical and legal challenges over the last 20 years.  In addition, he covers current developments and provides suggestions on how to handle

As reported in our recent post, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China passed the Personal Information Protection Law (the “PIPL”). The implementation date is set for November 1, 2021, though we await some additional detail via promulgation orders on a number of important provisions, as set forth below, from the regulatory authorities.
Continue Reading New PRC Personal Information Protection Law Passed: A Deeper Dive into the Provisions

After three rounds of revisions, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China officially passed the Personal Information Protection Law (the “PIPL”).

  • Fundamental Principle. The fundamental principles under the PIPL is that collection and processing PI should be limited only the minimum level as necessary to fulfill the specific purpose of PI processing; or the so-called “as minimum and as necessary” principle. PI processing beyond the level of minimum and necessity may be found a violation of the PIPL, even if individual consent is obtained or other formality is fulfilled. PI processing and compliance program should be set up always with the fundamental principles in mind.


Continue Reading NEW: China’s Personal Information Protection Law

Japan FlagIn the midst of revising the Japan Civil Code and the foreign attorney laws, Japan has recently passed amendments to its data privacy law, the Act on the Protection of Personal Information (“APPI”).  Some of these changes put Japan’s law closer in line with the EU’s General Data Protection Regulation “GDPR” as to which both have recognized the adequacy of each other’s data privacy regimes.  As a result, transfers of personal information from Japan to all third countries will be subject to stricter controls when the amendments become fully enforceable, which is expected to occur in 2022.
Continue Reading New Amendments Passed to Japan’s Data Privacy Law

I was recently helping a client in Tokyo respond to a serious and sophisticated cyber breach where hackers executed a transfer of nearly US$1M out of the client’s Hong Kong bank account. In this instance, the hackers had hacked into the CEO’s cloud-based corporate e-mail account and had determined a way to create a transaction that his intermediary company believed to be genuine. The hackers sat on top of the e-mail to intercept any queries and assure colleagues that this was an authorized transfer. The transaction was made on a Friday, in the hopes that it would not be noticed until the following week. Indeed, our client only realized that the transaction had happened on the following Monday, when he received by mail hard copies of the transfer documents from his intermediaries.

In these types of situations, it is essential to act quickly and to focus on the efforts most likely to bear fruit. But what to do when every second that passes makes it more likely that the funds have been transferred to other accounts in other jurisdictions?

Here are some critical things to consider, with many of these actions needing to occur concurrently:

Continue Reading Executive Hacks and What To Do

The European Commission announced on 23 January 2019 that it has adopted an adequacy decision on Japan (its press release can be found here).[1] This is a result of the assessment process which began on 5 September 2018, the background of which can be found in our previous blog here.

Japan’s data protection authority, the Personal Information Protection Commission (PPC), has also adopted its equivalent decision on Japanese personal data flows to the EU. This mutual recognition allows the safe free flow of personal data between the two territories, creating the world’s largest arena of secure data flows.

Continue Reading European Commission Adopts Adequacy Decision on Japan

To any good lawyer, the answer is ‘both’ are important.  However, most in-house counsel know the answer is which receives the limited available budget.  Compliance budgets usually follow the greatest risks for the company.  Therefore, in Europe, where the EU’s General Data Protection Regulation is the scariest new compliance issue, it stands to reason that data privacy will take a larger portion of the budget than cybersecurity.  However, in the US, where the penalties for poor cybersecurity can be huge (from governmental penalties, to class action and shareholder derivative lawsuits), I believe it is generally the opposite. 
Continue Reading Data Privacy or Cybersecurity: Which is More Important?

What’s New?

On 5 September 2018, the EU Commission commenced proceedings to adopt an Adequacy Decision in relation to Japan’s protection of personal data by issuing a draft ‘Commission Implementing Decision’. This is an important step towards the culmination of discussions between the EU and Japan that were initiated in January 2017, with the aim of permitting the free flow of personal data between the parties. These discussions were part of the broader free trade negotiations between Japan and the EU, which concluded with a successful agreement on 17 July 2018. 
Continue Reading Procedure Launched for Japan and the European Union to Become the World’s Largest Area of Safe Data Transfers

As 2018 picks up steam from its start, we are beginning to see traction in relation to various new regional data privacy and cybersecurity laws.  Many of the provisions seem designed to enable countries to seek an EU Adequacy Finding, which is akin to the Privacy Shield provisions between the EU and the US.  This would allow the easier transfer of EU data between the countries.
Continue Reading Security and Privacy: A View from Asia and the Middle East