Carolyn Bigg

Author's details

Name: Carolyn Bigg
Date registered: May 9, 2016

Latest posts

  1. CHINA: PRC Cybersecurity Law – take action and monitor developments to avoid losing your China business — June 21, 2017
  2. CHINA: PRC Cybersecurity Law – one week to go, and there are still new developments — May 24, 2017
  3. SINGAPORE: amended cybersecurity law introduces new criminal offences — April 25, 2017
  4. MALAYSIA: proposed whitelist for overseas data transfers — April 25, 2017
  5. CHINA: new Cybersecurity watchdog suggests greater compliance challenges ahead for overseas companies in China — February 15, 2017

Author's posts listings

CHINA: PRC Cybersecurity Law – take action and monitor developments to avoid losing your China business

The PRC Cybersecurity Law is three weeks old, and non-compliant international businesses are already facing severe consequences. Since 1 June, twenty-two people engaged by a global technology giant have been arrested, and sixty online entertainment news sites have been shut down.

The law continues to evolve. The latest guidance provides practical answers to previous areas of uncertainty. Whilst some questions remain, the key message is: do not ignore the PRC Cybersecurity Law. It is now in force and organisations must comply with it.

Read on if you:

  • Transfer personal information and important data out of China
  • Are concerned your organisation may be a key information infrastructure operator
  • Supply network and cybersecurity products and services to China
  • Are unsure if you handle “important data” in or from China

Five key developments that you need to know

1. What is now in force?

2. Are the new overseas data transfer rules in force?

Not yet. The draft measures proposing conditions/restrictions on overseas transfers of personal data and important data by network operators including KIIOs (Draft Measures) did not come into force on 1 June 2017, surprising commentators. Unofficial sources indicate the lead regulator (CAC) discussed a revised draft of the Draft Measures with key stakeholders and proposed toning down some of the more onerous obligations. For now, we await official announcements from CAC.

If and when the Draft Measures come into force, organisations should follow the newly-published Draft Guidelines for Data Cross-Border Transfer Security Assessment (Draft Guidelines). These set out detailed guidance on the security self-assessments for cross-border transfers. They include practical tips on how and when to conduct a self-assessment, including key factors to consider (legality, legitimacy, control of risks, technical and management skills, the recipient’s capability to protect data, and the recipient countries’ political and legal environment), and a rating system to apply. Practical examples are also given on how to assess the sensitivity and level of influence of personal/important data, and solutions to minimise the risks.

3. Am I a KIIO?

We still don’t have a definitive answer, but previously unofficial guidance has now been formally published. The National Internet Security Check Operational Guideline is primarily a guideline for Government agencies. A key infrastructure protection regulation is being prepared by the Chinese authorities (which may or may not refer to this guideline) and (according to CAC) is expected to be published for public comment soon. It is hoped this regulation will provide greater certainty. For now, who does the guideline indicate will be deemed a KIIO?

  • Websites: operators of:
    • Party/Government websites
    • Key news websites
    • Websites with more than one million visits per day
    • Websites where a network security incident would have a significant impact (i.e. on work/lives of over one million individuals or 30% of a district; disclosure of personal information of over one million individuals; disclosure of large volumes of sensitive corporate information or “national basic data” (relating to resources, mapping); or damage to/endanger government image, social order or national security)
  • Platforms: operators of platforms:
    • With registered users over ten million, or with over one million active users (with a login frequency of at least once a day)
    • With average daily orders or transactions over RMB 10 million
    • Where a network security incident would have a significant impact (i.e. direct economic loss of RMB 10 million or above; on work/lives of over ten million individuals; disclosure of personal information of over one million individuals; disclosure of large volumes of sensitive corporate information or “national basic data” (see above); or damage to/endanger government image, social order or national security)
  • Production Businesses:
    • Operators of systems for public/government/cities such as healthcare, security, fire service, emergency management, production scheduling, traffic control
    • Operators of data centres with over 1,500 standard servers
    • Businesses where a network security incident would have a significant impact (i.e. on work/lives of 30% of a district; affect the utilities or transport of at least 100,000 individuals; death of five or more individuals, or serious injuries to fifty or more individuals; direct economic loss of RMB 50 million or above; disclosure of personal information of over one million individuals; disclosure of large volumes of sensitive corporate information or “national basic data” (see above); or damage to/endanger government image, social order or national security)

4. Can I still sell my technology products in China?

Yes, but you now need to consider the supervisory assessment/certification scheme for suppliers of critical network and cybersecurity products and services to KIIOs or to be used for other networks and information systems that relate to national security. We now have an initial catalogue of those caught by the new scheme:

Critical network equipment:

  • Routers
  • Switches
  • Servers (rack-mounted)
  • Programmable logic controllers

Specialised cybersecurity products:

  • All-In-One data backup
  • Firewall (hardware)
  • Web application firewall
  • Intrusion detection system
  • Intrusion defence system
  • Security isolation and information exchange products (gatekeeper)
  • Anti-spam mail products
  • Network integrated audit system
  • Network vulnerability scanning product
  • Security data system
  • Website recovery products (hardware)

The new Trial Measures for Security Review of Network Products and Services (Trial Measures) provide practical guidance on how the scheme will be implemented. Whilst uncertainties remain, the Trial Measures clarify that:

  • Reviews will focus on “security and controllability” risks of products and key components, from manufacture through to sale, implementation and maintenance/support. Initially TC260 standards have been released for evaluating security and controllability of central processing units, operating systems and office software
  • Competition impact is a lesser concern, but reviews will look at dependence on certain providers
  • Reviews will also consider risks of providers accessing data and user information through their products/services
  • Reviews may be conducted in a lab, onsite, remotely or through background investigations. While some technical documentation must be provided, it is not yet clear whether source code must be disclosed; and what sort of test environment providers may need to make available to the authorities

5. What is “important data”?

“Important data” is broadly defined to include information that relates to national security, economic development, or social or public interest. Appendix A of the Draft Guidelines sets out an 11-page list of examples in key sectors such as utilities, telecommunications, geographical information, finance and e-commerce. The coverage is very broad, and is a useful reminder to organisations that the PRC Cybersecurity Law does not just affect personal data and has a very wide reach.

What other developments are anticipated?

Issue: General personal data protection
Development: Draft Information Security Techniques – Personal Information Security Specifications, published for public consultation and, according to reports, expected to be implemented soon. This is in effect an update to the 2013 general data protection guidelines governing personal data, which are currently the persuasive best practice and practical guidance on how to handle personal data in China.
Impact: High. First statement of key data protection principles in China; significant changes to key terms such as “sensitive personal data” and “data controller”; greater clarity on privacy notices and terms to be included; additional security measures; and new DPO requirements.

Issue: Minors’ data
Development: Draft Regulations on the Protection of the Use of Internet by Minors, published for public consultation in January 2017.
Impact: Medium. Additional protections for minors online, including safeguards for collection, use and disclosure of minors’ personal data by “network information service providers”.

Issue: Encryption
Development: Draft PRC Encryption Law, published for public consultation in April 2017.
Impact: High. More standardised approach to encryption and IT security in China (including mandatory national standards); use of encryption would be mandatory for some networks and data; encryption will remain heavily regulated; requirement for suppliers to provide decryption support.

Issue: Consumer data
Development: Draft Regulations on the Implementation of the Law on the Protection of the Rights and Interests of Consumers, published in Summer 2016.
Impact: High. Strengthening of consumer personal data protection, including consent, mandatory data breach notification and record retention requirements.

Issue: E-commerce data
Development: Draft E-commerce Law.
Impact: High. New data protection obligations including prior notice and consent; explicit consent for subsequent changes of scope/purpose; data retention, use and security obligations; immediate data breach notifications; and irretrievable anonymisation of e-commerce data before disclosure.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/china-prc-cybersecurity-law-take-action-and-monitor-developments-to-avoid-losing-your-china-business/

CHINA: PRC Cybersecurity Law – one week to go, and there are still new developments

The final countdown is on. The PRC Cybersecurity Law comes into force on 1 June 2017. This date marks a significant evolution in both the legal and enforcement environment for data protection in China, and organisations can no longer afford to ignore it.

Indeed, there have been important new developments in the last few weeks and days:

  • If you breach or ignore data protection laws: new criminal sanctions have been introduced. In early May, the Chinese authorities made clear that unauthorised collection, disclosure and receipt of “citizen’s personal information” now constitutes a criminal offence under the PRC Criminal Law, with a range of sanctions taking into account (amongst other things) the degree of harm, amount of illegal gains and repeat offences, including fines of up to five times the amount of any illegal gains. This is according to the Interpretations of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens’ Personal Information. This should act as a further incentive to organisations to get their house in order prior to 1 June 2017.
  • If you use cookies in China: notice and consent requirements apply. Separately, the above mentioned interpretations clarify that information reflecting an individual’s activities, but which does not necessarily identify an individual, constitutes “citizen’s personal information”, which appears to indicate that collection of information via cookies in China does require notice/consent. This has not always been standard practice in China, so organisations are advised to review and update online privacy policies.
  • If your organisation provides “important network products and services” to KIIOs or other networks and information systems that relate to national security in China: the new supervisory assessment regime will also come into force on 1 June 2017. It was confirmed earlier this month that the new security and controllability assessments scheme for network products and services purchased by KIIOs that may impact national security, or other networks and information systems that relate to national security, will come into force on the same date as the PRC Cybersecurity Law. For further information, see our update: New Cybersecurity watchdog suggests greater compliance challenges ahead for overseas companies in China. It has also been suggested that products and services that fail these assessments will be blacklisted from future procurement by KIIOs. Therefore, it is important for suppliers of such products/services to be addressing compliance issues now, and factoring in potential delays in procurement processes in the coming months. If your organisation is a KIIO, you need to plan ahead and consider how to source replacements if any of your existing products/services fail the assessments.
  • If your organisation is regulated by the securities regulator: you may have to keep certain data within China. The CSRC has recently published for public consultation the draft Measures for the Information Technology Management of Securities and Funds Operators (Draft Measures) which, if implemented, would introduce data localisation rules for securities and funds operators (Operators) as regards: (i) “Important Information Systems” (i.e. systems that support an Operator’s key business functions which, if breached, would have a significant impact on the securities market and investors, such as trading systems, sales and account opening systems/sites and clearing and audit systems); (ii) “important data” (currently undefined); and (iii) “Customer Information” (which includes the customer’s name, ID number, bank account number, contact information, transaction password, transaction history, commission and inquiry records, transaction terminal information and transaction-related customer behaviour information), in each case collected and generated from business activities of securities and funds, subject to certain exemptions (including transactions with foreign counterparties or on foreign trading platforms (where permitted) and currency exchange transactions). These are wider restrictions than the existing data localisation rules imposed on the banking industry in China by the CBRC. The Draft Measures also propose (amongst other measures): specific data protection and data security obligations on Customer Information, including apparent restrictions on data sharing “to other organisations and individuals”; and regular (at least annual, and in some cases quarterly) IT management internal audits.
  • If your organisation uses or provides encrypted products and encryption-related services in China: a proposed new encryption law may impose additional obligations. A new Draft Encryption Law was published for public consultation by the Chinese authorities in April 2017, proposing a more standardised approach to encryption and IT security, with different national standards applying to “core encryption” and “common encryption” (for state secrets) and “commercial encryption”. While use of encryption would now be mandatory for some networks and data, it appears encryption will remain a heavily regulated area in China and the requirement for licences for encryption technologies will remain. A likely source of concern to some international businesses operating in China is the requirement for decryption support: for national security reasons or for criminal investigations, certain Government bodies would be legally entitled to require telecommunication operators and internet service providers to provide “decryption technology support”. In practice, if passed this will increase the compliance obligations on those providing and using encryption technologies in China.

What should I do?

For those organisations who have not yet done anything about updating their China data protection compliance programme, now is the time to do it. Our overview of the key requirements under the PRC Cybersecurity Law is here: see Significant changes to data and cybersecurity practices in China and China Data Protection Update (January 2017)

For those who have started work on complying with the PRC Cybersecurity Law, you are strongly advised to monitor and act on the latest developments mentioned above as well.

Don’t forget that other draft regulations are still under consideration by the Chinese Government, so yet more changes may be on the way. These include: the Draft E-Commerce Law and proposed changes to consumer protection laws, both of which would impose additional data protection obligations; draft regulations regarding the handling of minors’ data; and proposed changes to guidance in China on the definition of “sensitive personal information”.

What about overseas data transfers?

Finally, we recently reported on the draft measures proposing conditions, restrictions and, in some cases, absolute prohibitions on transfers of certain data outside of China: see China’s new cyber security law is only 6 weeks away. We see this as one of the most potentially disruptive and involved aspects of the new China data protection/security environment, particularly for international organisations operating in China. The consultation period has now closed, and early indications are that the authorities propose to bring the measures into force on 1 June as well, but are now considering an 18 month grace period. We understand a revised draft of the measures is now under consideration, with some amendments proposed as a result of feedback during the consultation, including some more practical guidance on what organisations may have to do, particularly regarding the scope and form of security assessments and how to obtain consent, and as regards the thresholds for regulatory assessments. We will provide another update on progress of the draft measures as details further unfold.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/china-prc-cybersecurity-law-one-week-to-go-and-there-are-still-new-developments/

SINGAPORE: amended cybersecurity law introduces new criminal offences

Singapore has recently passed amendments to the Computer Misuse and Cybersecurity Act introducing new criminal sanctions for serious data protection and cybersecurity breaches.

This development reflects similar moves by data protection authorities elsewhere in Asia to impose criminal sanctions for the worst data protection offences, and as such indicates Singapore’s resolve to step up data protection compliance and enforcement. This step also appears to reflect a recent statement by the Personal Data Protection Commission (“PDPC”), Singapore’s data protection authority, that enforcement decisions to date have largely involved data security breaches, as well as the Monetary Authority of Singapore’s focus in recent months on cybersecurity in the financial services and insurance sectors.

The amendments introduce two new offences:

  1. Misuse of personal information obtained from a computer crime: this offence prohibits the obtaining, retaining, supplying, offering to supply, transmitting or making available of personal information which the person knows or has reason to believe has been obtained by committing a computer crime. Exceptions apply if the activity was done with a legitimate purpose (e.g. for undertaking data breach investigations), or if the person lacked the requisite knowledge or belief. In practice, this means that organisations should avoid buying, selling, or in general, processing personal information from an unknown or questionable source.
  2. Misuse of access to a computer or any item capable of being used to commit a computer crime: this offence prohibits the obtaining, retention, supply or offering to supply of, or making available, an item or access to a (or part of a) computer to commit, or which is capable of being used to commit, a computer crime. This includes access to devices, computer programs, passwords, access codes or any data offering such access. While the Ministry of Home Affairs of Singapore has made clear that the aim of this new offence is to criminalise illegal access of computers by hackers, this may also serve as a reminder to organisations with operations in Singapore to put in place reasonable security arrangements over the use of electronic devices to avoid becoming an easy target for computer hackers.

The new offences apply regardless of whether the individual or organisation is resident or located in Singapore, or whether the activities are targeting a server in Singapore or overseas. The test is whether the prohibited action causes or creates a significant risk of serious harm in Singapore. That said, how in practice criminal proceedings may be brought against those outside Singapore is unclear.

The amendments significantly increase the potential sanctions for certain serious data protection offences. For a first-time conviction for either of the new offences, the offender may be liable to a fine of up to SGD 10,000 and/or imprisonment for a term of up to 3 years. Currently the existing data protection framework in Singapore under the Personal Data Protection Act (“PDPA”) allows the PDPC to impose fines of up to SGD 1 million for failing to ensure sufficient security is in place to protect personal data. That said, the heaviest fine imposed to date by the PDPC is just SGD 50,000, and so it remains to be seen whether the Singapore courts and authorities will pursue the highest level of criminal sanctions in such cases under these latest amendments.

The new offences apply to both individuals and organisations, and so data protection officers in Singapore (who strictly under the PDPA are responsible for their organisations’ data protection compliance) should be particularly aware of the potential reach of the new offences.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/singapore-amended-cybersecurity-law-introduces-new-criminal-offences/

MALAYSIA: proposed whitelist for overseas data transfers

Malaysia has issued a public consultation paper Personal Data Protection (Transfer Of Personal Data To Places Outside Malaysia) Order 2017, including a draft initial “whitelist” of jurisdictions deemed adequate for overseas data transfers. The consultation closes on 4 May 2017.

The draft whitelist, if passed, will be the first of its kind in the region, and may serve as the blueprint of similar whitelists for neighbouring jurisdictions whose laws anticipate a whitelist (although the test for adequacy varies between the data protection laws across Asia). While the draft whitelist reflects the jurisdictions in the EU adequacy list, it is by contrast notably longer and contains a much more diverse range of jurisdictions, including some with very new data protection regimes.

The proposed whitelist in the draft is as follows:

  1. European Economic Area (EEA) member countries
  2. United Kingdom
  3. The United States of America
  4. Canada
  5. Switzerland
  6. New Zealand
  7. Argentina
  8. Uruguay
  9. Andorra
  10. Faeroe Islands
  11. Guernsey
  12. Israel
  13. Isle of Man
  14. Jersey
  15. Australia
  16. Japan
  17. Korea
  18. China
  19. Hong Kong
  20. Taiwan
  21. Singapore
  22. The Philippines
  23. Dubai International Financial Centre (DIFC)

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/malaysia-proposed-whitelist-for-overseas-data-transfers/

CHINA: new Cybersecurity watchdog suggests greater compliance challenges ahead for overseas companies in China

Developments this month continue to signpost a more challenging compliance environment ahead for non-Chinese technology companies and those operating online in China.

The Chinese Government’s scrutiny of cyberspace continues apace, with the announcement of a new cybersecurity watchdog. As well as monitoring cybersecurity threats and co-ordinating national cyberspace policy and practices, of greatest significance to organisations operating in China is the watchdog’s proposed role in evaluating non-Chinese organisations’ online products, services and content.

In particular, network products and services used within information systems that relate to national security or the public interest will have to pass a security and controllability assessment conducted by the Chinese authorities. Professionals say that the review is not universally applicable – only network products and services purchased by “key information infrastructure operators” (“KIIO”) (as defined in the new PRC Cybersecurity Law) that may impact national security have to pass the security review in order for the procurement to proceed. Whether a network product or service purchased by a KIIO may impact national security shall be determined by the Department of Key Information Infrastructure Protection.

It appears that the supervisory assessments will focus on the security and management of the products and services; will look at risks of illegal control, disruption or interruption (such as “loopholes” allowing access by foreign governments and illegal collection of personal data); and also consider potential anti-competitive effects that may be harmful to users’ interests. It has also been suggested that products and services that fail these assessments will be blacklisted from future procurement by KIIOs.

The security review is not mandatory. It can be initiated by notification from the authorities, suggestions by national industry associations, responses from the market and an organisation’s own application, but it will in no way become a kind of routine scrutiny.

Additional challenges may arise through mandatory compliance with new national standards, which are yet to be announced but will be at the discretion of the new watchdog.

These measures were announced through the recent publication for public consultation by the Cyberspace Administration of China of the Measures for the Safety Review of Network Products and Services (Draft for Comment) (“Draft Measures”). Public consultation on the Draft Measures closes on 4 March 2017. This latest announcement reflects the guiding concept of the recently published PRC Cybersecurity Strategy, namely “Internet sovereignty”, defined as China’s right to police the Internet within its borders and participate in managing international cyberspace.

The Chinese Government has sought to reassure overseas organisations, with officials reportedly saying “the review will not hinder foreign products from entering the Chinese market, but will only boost confidence in such products and services… Authorities will treat Internet products and services from home and abroad equally” (according to the official news agency, Xinhua). However, the Chinese market may now become more challenging for overseas providers of online products, services and content. Such organisations are strongly advised to keep abreast of developments in China and start to plan their compliance strategy in anticipation of the new measures coming into force. In particular, it would be sensible to take into account new national standards, and to plan ahead for the likely lead time required to obtain clearances from the new watchdog, for any products, services or content to be launched in China.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/china-new-cybersecurity-watchdog-suggests-greater-compliance-challenges-ahead-for-overseas-companies-in-china/

HONG KONG: new guidance on privacy protections for IoT

Those involved in the IoT industry in Asia should take note that data protection compliance can no longer be ignored in favour of rapid technological and market opportunities. Even though many data protection laws – including in Hong Kong – were drafted in the days of filing cabinets, cutting edge technologies in today’s digital world must operate within the existing compliance frameworks.

Hong Kong’s Privacy Commissioner for Personal Data (“PCPD”) is the latest privacy authority – and one of the first in the Asia Pacific region – to study and make recommendations on privacy protections amid rapid developments in the Internet of Things (“IoT”). A local study last year by the PCPD highlighted that IoT device manufacturers and associated app designers in the local market were not adequately notifying device users of data privacy and security rights and measures.

The new, non-binding but persuasive guidance in particular recommends:

  • Improved and accessible data protection notices: a reader-friendly privacy policy should be provided and easily located, containing all information required to be provided under Hong Kong’s data protection laws. Clearly the task of making a data privacy notice readily available in the context of machines talking to each other is more challenging, but cannot simply be ignored.
  • Adopting “privacy by design” from the outset, including as regards data collection (not being excessive) and data security (incorporating appropriate safeguards when transmitting and storing personal data). While this is recommended for all new projects across all industries, many data protection authorities consider this a “must” for new technologies such as IoT and will – if a complaint were made – question why privacy was not taken into account during the initial design phase.
  • Adopting “privacy by default”, namely adopting default settings which are least privacy intrusive. This includes not being excessive in data collection. For example, an IoT manufacturer should offer opt-out choices if its supporting mobile app would access data on the user’s smartphone that is not directly relevant or necessary; or, preferably, engineer the system from the outset so that only directly relevant or necessary data is collected.
  • Allowing data subjects to exercise their rights, including providing clear instructions to allow users to delete data, as well as contact details to allow access/correction of personal data etc. Again, this can be more challenging in the IoT environment but, just because a system involves limited human interaction, the PCPD has made clear that an individual’s right to enquire about how their personal data is handled must be recognised and acted upon.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/hong-kong-new-guidance-on-privacy-protections-for-iot/

CHINA: significant changes to data and cybersecurity practices under PRC Cybersecurity Law

After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC Cybersecurity Law intends to combat online fraud and protect China against Internet security risks. In short, it imposes new security and data protection obligations on “network operators”; puts restrictions on transfers of data outside China by “key information infrastructure operators”; and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled; regarding the handover of intellectual property, source codes and security keys to the Chinese government; as to perceived increased surveillance and controls over the Internet in China; and in relation to the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection, and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

  • Chinese citizens’ personal information and “important data” gathered and produced by “key information infrastructure operators” (“KIIO”) during operations in China must be kept within the borders of the PRC. If it is “necessary” for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. “Personal information” is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person’s identity, including, but not limited to, natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers, and so forth. However, the types of information that might constitute “important data” are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
  • A range of new obligations apply to organisations that are “network operators” (i.e. network owners, network administrators and network service providers). A “network” means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure or even just websites in China.
    • In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating purposes, means and scope of personal information to be collected and used); and obtain individuals’ consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling, and not be excessive; not provide an individual’s personal information to others without the individual’s consent; nor illegally sell an individual’s personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of “citizens”, the final law does not make this distinction, and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
    • As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, backup, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
    • Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such co-operation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
    • More general conditions on network operators carrying out business and service activities include: obeying all laws and regulations, mandatory and industry national standards, social mores and commercial ethics; being honest and credible; and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programmes published or installed by users.
    • Network operators handling “network access and domain registration services” for users, including mobile phone and instant message service providers, are required to comply with “real identity” rules when signing up or providing service confirmation to users, or else may not provide the service.
  • Additional security safeguards apply to KIIOs, including: security background checks on key managers; staff training obligations; disaster recovery backups; emergency response planning; and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
  • Providers of “network products and services” must comply with national and mandatory standards; their products and services must not contain malicious programs; must take remedial action against security issues and report them to users and relevant authorities; and must provide security maintenance for their products and services which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.
  • Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
  • Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
  • Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect, and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
  • Other new rules relate to: network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public, as well as rights for individuals and organisations to report conduct endangering network security; opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed, practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/china-significant-changes-to-data-and-cybersecurity-practices-under-prc-cybersecurity-law/

HONG KONG: can outsourced marketing companies have “direct liability” under the PDPO?

Two recent enforcement actions have brought into focus the issue of whether persons engaged by a company to carry out a direct marketing activity in Hong Kong on their behalf – whether agents or outsourced service providers – can have direct liability for mishandling personal data.

The general position under the Personal Data (Privacy) Ordinance (“PDPO”) is that the data user – i.e. the person(s) who control the collection, holding, processing or use of the data – is liable for compliance with the PDPO, including the activities of its data processors (i.e. the person who processes personal data on behalf of the data user and not for its own purposes). Therefore, unlike data privacy laws in other jurisdictions (for example, Singapore’s Personal Data Protection Act and the forthcoming EU General Data Protection Regulation) the PDPO does not impose direct obligations or sanctions on data processors.

However, in an enforcement decision announced on 16 May 2016, a marketing company engaged by a hotel (the “Marketing Company”) was fined for breaching the direct marketing provisions in the PDPO when conducting marketing on behalf of the hotel.

The complainant in the case made a reservation with a restaurant of a hotel in Hong Kong and, in the process of doing so, provided his surname and mobile number, following which he received calls which promoted membership of the hotel. On receiving a call from the Marketing Company, which was engaged by the hotel to provide marketing services, the complainant immediately informed the caller that he was not interested in membership and that he did not wish to be contacted again. However, he subsequently received a further call from the Marketing Company, which prompted the complaint to the Privacy Commissioner.

In this instance, it was the Marketing Company (i.e. the outsourced service provider engaged by the hotel to provide marketing services) that was prosecuted for the offences under the PDPO, and not the hotel itself. Mr Stephen Kai-ya Wong, the Privacy Commissioner, when commenting on the case, stated that “in order to comply with the marketing target’s data subject’s opt-out request effectively, marketing companies (data users) have to maintain a list of all customers who have indicated that they do not wish to receive further marketing approaches…”. He further noted that marketing companies should have standing procedures in place and provide appropriate training in relation to compliance with opt-out requests from data users.

Interestingly, in his comments on the case the Privacy Commissioner clearly identified the Marketing Company as a data user, even though the Marketing Company itself was not seemingly responsible for the original collection of the data, and was presumably acting under the direction of the hotel. The case was heard in the Magistrates’ Court, and so the decision is unfortunately not publicly available. Nonetheless, it may be surmised that the actions of the Marketing Company in this instance were considered to have constituted a sufficient degree of ‘control’ over the data, perhaps through its ability to decide on the nature of the marketing campaigns it was contracted to undertake, for it to be deemed a joint data user with the hotel and thus directly liable under the PDPO.

Similarly, in April 2016, it was announced that an insurance agent received a community sentence order for breach of the direct marketing rules, despite acting as an agent for an insurer whose products he was presumably promoting. Again in that case reference was made to “data user” compliance with the PDPO.

At the time of writing no enforcement action against either the hotel or insurer in question has been announced.

These cases would, therefore, appear to place direct liability on those outsourced service providers and agents – usually labelled as data processors – for direct marketing offences under the PDPO when undertaking direct marketing on behalf of their customers and principals. It is not clear whether this could extend to outsourced service providers in other contexts, but a parallel could certainly be drawn with other data processors where there is a level of ‘control’ or discretion over their use and handling of the relevant data. This is an area where we hope there will be further clarification in due course. In the meantime, service providers must note the potential consequences for breaches of the PDPO when dealing with personal data, whether or not they were initially involved in or responsible for the collection of the personal data in question.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/hong-kong-can-outsourced-marketing-companies-have-direct-liability-under-the-pdpo/

CHINA: data localisation – a growing trend?

Foreign companies operating in China, or looking to enter the Chinese market, are increasingly concerned as to whether Chinese law restricts cross-border transfers of personal data collected in China. In light of recent developments, is there a growing trend in China towards data localisation?

As is generally the case with China’s data privacy framework, there is not one comprehensive law in China that regulates cross-border data transfers. Instead, the current legal landscape comprises a mixture of different laws, regulations and guidelines. Therefore, the compliance obligations involved – and the approach to enforcement – vary depending on the industry or the type of data involved.

As a starting point, personal data of Chinese citizens that is handled in information systems by private sector organisations can be transferred outside of China provided that explicit consent is obtained from data subjects (or if express authorisation from relevant authorities is obtained, or specific laws permit the transfer). This is set out in a guideline drafted under the guidance of the Ministry of Industry and Information Technology so that, while not legally binding, it may be used as a base standard for compliance, and the Chinese authorities encourage compliance with it.

Other rules and regulations require organisations more generally to obtain consent from individuals before their personal data is handled and disclosed (within and outside China). These include rules relating to personal data of consumers (under consumer rights laws); Internet users (under telecoms and Internet laws); and employees (under employment laws, by which employers must get employees’ written consent to disclose their personal information to third parties).

But some prohibitions

However, for some industries and some data there are specific requirements to keep the data on servers within the People’s Republic of China. For example:

  • Some Chinese industry regulators prohibit the offshore transfer of certain personal data. For example, transfers of “personal financial information” by banks, and of “personal health information” by certain organisations within the healthcare sector, are not permitted.
  • Personal data constituting “state secrets” should not be transferred outside of China.
  • The draft PRC Cyber Security Law, issued in July 2015, requires “key information infrastructure operators” to store Chinese citizens’ personal information and other important data gathered and produced during operations within the territory of the People’s Republic of China. The draft law suggests cross-border transfers of such data may be permitted if required for operational reasons, provided the organisation complies with security measures (to be) formulated by the relevant authorities. Detailed guidance is awaited as to how this would be interpreted in practice.

Practical steps

In light of uncertainty over the legal environment in China, foreign organisations should consider the following:

  • Identify the personal data within your China operations that you would like to transfer outside of China, and ascertain whether it falls within the classes of data that should not leave China. If appropriate, consider data segregation.
  • For personal data not subject to absolute prohibitions on data transfer, obtain explicit consent from data subjects before transferring the data.
  • For data that is required by law or regulations to stay in the People’s Republic of China, server localisation may be the only practical solution, whether by establishing local data infrastructure or via third party solutions.
  • According to some regulators, encryption and anonymisation are currently not considered to be adequate practical workarounds to the data transfer rules, because of the risk of decryption or re-identification. This may change, but for now do not assume you can rely on these.
  • Put in place appropriate data security safeguards and data use and retention policies to ensure that personal data transferred overseas remains compliant with relevant Chinese data protection rules.

There is a growing body of regulations requiring certain data within specific industries/organisations to be retained within the borders of the People’s Republic of China. However, this must be assessed on a case-by-case basis, as in many circumstances obtaining individuals’ consent may well be sufficient, provided that the data does not involve state secrets or violate national security. Where transfer prohibitions apply, compliance strategies should be carefully considered in light of potential enforcement activities and sanctions. Unfortunately there is not always clear guidance on how the rules will be interpreted and enforced in practice, and so any compliance programme in China should be kept under regular review.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/china-data-localisation-a-growing-trend/