Hi privacy pros!

With the quickly increasing summer temperatures, I hope you are enjoying summer barbecues and fizzy drinks. But even with the heat wave, the regulators in China have been working around the clock, as the past several weeks have witnessed a wave of new data regulators and law enforcement actions.

Some of you probably noticed that China’s top data regulator, the Cyberspace Administration of China, issued the draft "Regulations of Standard Contracts for Cross-border Transfer of Personal Information," unveiling the long-awaited China standard contractual clauses terms. Although sharing some similarities with the EU General Data Protection Regulation SCCs, China SCCs maintain quite some significant Chinese characteristics, such as application scope, governmental filing, governing law and dispute resolution clauses.

Treading on the heels of the China SCCs draft, 7 July CAC enacted the "Rules for the Security Assessment for Cross-Border Data Transfer," which will become effective 1 Sept. These rules provide further clarity regarding under what scenarios companies will need to do security assessments for cross-border data transfers and what requirements and procedures should be followed. The rules seem to apply to previous data exports retroactively under certain circumstances and rectification must be done within six months if required. If you are a data exporter in China, you may want to start the self-assessment and get ready for the security assessment before going on the summer vacation. Given the length of this digest, I cannot have a deeper dive into the rules. Please feel free to reach out if you would like more details.

While active on the legislative side, Chinese regulators are never shy from enforcement actions. On 7 July, Shanghai telecom authorities announced the 2022 network and data security inspections, focusing on personal data protection and network security. Telecom and internet companies are the main targets for this round of inspections and they are required to take self-assessments and finish remedial actions before 31 Aug. The Shanghai authorities will carry out spot checks until 30 Sept.

Another eye-catching enforcement activity recently took place in Guangzhou. The local public prosecuting organ initiated the first pro bono litigation against four individuals who illegally collected and traded facial recognition information of consumers. The Guangzhou court indicted those four individuals for violation of the Personal Information Protection Law and the China Criminal Law. Both criminal and civil liabilities were imposed on them and the court also ordered them to participate in community services, which seem to be new attempts being explored by China’s law enforcement for wrong-doer rehabilitation.

Moving broader to the rest of the Asia-Pacific region, Hong Kong and Singapore privacy regulators renewed the Memorandum of Understanding 13 July to further develop bilateral platforms for the advancement of personal data protection. The authorities from both sides will step up collaborations in exchange of information and sharing of best practices involving data protection policies and enforcement actions, mutual assistance in joint investigations into cross border data incidents, and cooperation in education and training.