Greetings from Beijing! I hope you are enjoying the early summer (autumn) sunshine! The privacy space in the Greater China region continues to be filled with hot and exciting news and you never get bored!

1 to 4 May is the Labour national holiday in China and several important privacy regulations and industry specifications were issued in the weeks before and after the Labour holiday.

China’s National Technical Committee for Information Security issued draft Technical Specifications for Cross-border Handling of Personal Information and are seeking comments until 13 May. The Technical Specifications are intended to provide practical guidance on how multinational corporations can perform security certification, one of the four permissible mechanisms for cross-border transfers of personal data under China's Personal Information Protection Law.

The draft sets out suggested best practices for privacy notices, data transfer agreements and technical and organizational measures to consider. After the Technical Specifications is finalized and implemented, there are still aspects that will need further clarity regarding the qualified certification institutions, actual certification procedures and timeline, etc. We hope these will be addressed in the final version.

Owing to high smartphone penetration and booming ecommerce, China has become the biggest and most lucrative mobile application market in the world, but the regulators and public have increasing concerns about the expansive — even illegal — collection and use of personal data by mobile apps. Multiple regulations and rules have been issued and adopted in the past months to enhance the oversight over mobile apps. On 7 May, the Ministry of Industry and Information Technology issued a new set of mobile app standards to provide specific requirements and guidelines for how to evaluate if a mobile app complies with the legal principles of necessity, legality and minimization in collecting and processing personal data, including geolocational data, images and SMS. The public can submit their opinions to the authorities until 6 June.

The laws have no “teeth” if they are not strictly enforced. Since PIPL and the Data Security Law came into force last year, Chinese regulators have been active in taking strong enforcement actions. Last week, the Ministry of Public Security of China held a press conference where officials indicated more than 9,800 personal data infringement cases were investigated last year with approximately 17,000 criminal suspects being arrested for violating the PIPL and Data Security Law.

The same tendency that regulators are stepping up for enforcement against breach of privacy laws can also be seen in Hong Kong. On 11 May, the Office of the Privacy Commissioner for Personal Data in Hong Kong conducted a joint operation with the police in a doxxing investigation. During the operation, a 23-year-old Hong Kong man was arrested for, among others, suspected contravention of Section 64(3C) of Hong Kong’s Personal Data (Privacy) Ordinance relating to the offence of “disclosing personal data without consent, causing specified harm to the data subject or his/her family member.” Since the amendments to the Personal Data (Privacy) Ordinance came into force in 2021, the PCPD has been empowered to carry out criminal investigation and institute prosecutions.

The privacy field is a dynamic and fast changing landscape, with the emerging technologies, burgeoning laws and tightening scrutiny. It is extremely important for businesses to keep track on regulatory and technical changes, analyze the key implications for their operations and take appropriate compliance and risk management actions, although this can be challenging in practice.

Until next time!