China

In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

FTC Amends GLBA Safeguards Rule to Impose Significant New Privacy Obligations on Financial Institutions – Consumer Privacy World

Killware: The New Cyber

China Publishes New Draft Measure on Cross-Border Data Transfer

On October 29, 2021, China released the Draft Measures on Data Cross-Border Security Assessment (the “Draft Measures”) for public comments. Following its two previous versions in 2017 and 2019, this new draft is developed based on the very recent adoption of the Personal Information Protection Law

A Brief Analysis of Several Provisions on the Security Management for Automotive Data (Trial Implementation)

Connected vehicles capable of connecting to the internet and sharing data with external parties are experiencing exponential growth in China. Despite the apparent benefits of new technologies, they have also raised significant concerns over personal information protection, data protection and cybersecurity. As they are in many other countries, regulators in China are making tremendous efforts to catch up with these new technologies.

On August 16, 2021, China’s first regulation on automotive data security, Provisions on the Security Management for Automotive Data (Trial Implementation) (hereinafter referred to as the “Provisions”), was unveiled and goes into effect on October 1, 2021. The Provisions establish a preliminary compliance framework for automotive data security in China by defining automotive data and regulated entities, stipulating principles for data processing, specifying obligations of data processors, and setting forth rules for cross-border data transmission.
Continue Reading A New Era of Automotive Data Compliance is Coming

As reported in our recent post, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China passed the Personal Information Protection Law (the “PIPL”). The implementation date is set for November 1, 2021, though we await some additional detail via promulgation orders on a number of important provisions, as set forth below, from the regulatory authorities.
Continue Reading New PRC Personal Information Protection Law Passed: A Deeper Dive into the Provisions

After three rounds of revisions, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China officially passed the Personal Information Protection Law (the “PIPL”).

  • Fundamental Principle. The fundamental principles under the PIPL is that collection and processing PI should be limited only the minimum level as necessary to fulfill the specific purpose of PI processing; or the so-called “as minimum and as necessary” principle. PI processing beyond the level of minimum and necessity may be found a violation of the PIPL, even if individual consent is obtained or other formality is fulfilled. PI processing and compliance program should be set up always with the fundamental principles in mind.


Continue Reading NEW: China’s Personal Information Protection Law

The People’s Republic of China (China), has been active lately in passing several new laws and regulations relating to data privacy and security. Here are 2 of the recent laws which tend to focus more on those handling data national security and/or public interest (ala Critical Information Infrastructure or Important Data).
Continue Reading China Passes New Data Privacy and Security Laws

China continues to be a hotbed of activity in the areas of privacy and cybersecurity legislation.  For background on the draft Personal Information Protection Law (“PIPL”) and proposed modifications published in April 2021, please see:

China’s Personal Information Protection Law: What It Means to Companies (Client Alert)

China Releases Second Draft of the Personal Information Protection Law: Comparison of Proposed Changes to First Draft (Security & Privacy // Bytes Blog)

China’s Personal Information Protection Law (Second Draft) – What to Expect (Consumer Privacy World Blog)

In a related development, on April 26, 2021, the Ministry of Industry and Information and Technology of People’s Republic of China (the “MIIT”) issued draft Interim Measures on Personal Information Protection of Mobile Internet Applications “Measures”), for public comments.

This draft Measures follow several rounds of enforcement actions relating to mobile applications (“apps”) in recent years, targeting the over-collection of users’ personal information (“PI”) by demanding access to camera, microphone, photos, contact lists, etc. Currently, these activities are covered by two app-related practical guidelines, and the proposed Measures are the first comprehensive rules on the topic. The draft Measures specify various requirements and obligations applicable to app developers, distribution platforms, third-party app service providers, mobile device manufacturers and network access service providers. Other important provisions may be summarized as follows:
Continue Reading China Issues Draft Interim Measures on Personal Information Protection of Mobile Internet Applications

On April 29, 2021, the National People’s Congress Standing Committee of the People’s Republic of China released a second draft of the Personal Information Protection Law (the “PIPL”) for public comment. In general, the second draft does not deviate much from the prior version released in October 2020. For further details on the original draft of the PIPL, please see our previous blog and client alert.

China’s Personal Information Protection Law: What It Means to Companies (Client Alert)

China’s Personal Information Protection Law (Second Draft) – What to Expect (Consumer Privacy World Blog)

We have summarized the highlights of the proposed changes contained in the second draft below:
Continue Reading China Releases Second Draft of the Personal Information Protection Law: Comparison of Proposed Changes to First Draft

The Cyberspace Administration of China (the “CAC”) launched a public consultation on the draft Administrative Measures on Data Security (the “Draft Measures”) on May 28, 2019. This consultation falls in the middle of the publication of the drafts for two other data protection rules, namely the Measures for Security Assessment for Cross-border Transfer of Personal Information and the Measures for Cybersecurity Review.

Together, these three measures will implement a significant portion of the Cyber Security Law (the “CSL”) and become the first set of binding laws focused solely on data protection, adopting certain rules from the non-binding Personal Information Security Specification. The Draft Measures were published just over a year after the General Data Protection Regulation (the “GDPR”) came into effect in the EU and certain similarities between the two regimes are apparent.
Continue Reading China’s Draft Data Security Measures and How They Compare to the GDPR