Hi privacy pros! Greetings from Beijing.

Time flies and it is hard to imagine we are already in November and there are only 40 days to go before the new year!

In the privacy world, 1 Nov. is a date with special meaning because China’s Personal Information Protection Law came into effect on 1 Nov., 2021. In the past 12 months, many privacy pros at business organizations with operations in China were busy digesting the comprehensive requirements in the PIPL, updating China entity’s privacy documentation and, more recently, assessing the legal mechanism for cross-border transfers of data from China. The last piece has been particularly challenging, as the new rules on security assessment for cross-border data transfer became effective in September and companies only have a short compliance window until the end February 2023.

China’s data laws are never boring, because the data landscape is always evolving. On 8 Nov., China’s National Information Security Standardisation Technical Committee issued the revised draft of the guideline for security certification for cross-border data transfer for public consultation.

Along with the CAC-led security assessment and the China standard contractual clauses rules, security certification is one of three permissible mechanisms for cross-border data transfers provided under the PIPL. Security certification applies to the scenario where the cross-border data transfer takes place between multinational corporations or when a foreign company collects personal data from China based on the extra-territoriality of the PIPL.

The draft guideline sets out the fundamental legal requirements to be followed by the data exporter and foreign data recipient, including conducting self-assessment, having a legally binding data processing agreement, setting up the personal data protection department and appointing a data protection officer, and ensuring protection of data subject rights. The certification institution will refer to those legal requirements to assess whether the specific cross-border data transfer satisfies the expected security level. If adopted, this guideline will be another important part of China’s cross-border data transfer regime. Companies are recommended to keep a close watch on further development in this regard.

Mobile applications continue to be the primary targets for enforcement by Chinese regulators. The CAC recently caught 135 mobile apps for various PIPL violations including collection of personal information beyond the scope authorized by the data subjects, sharing geolocation data with third parties without consent, pre-tick of privacy notices, difficulty in reregistration and more. CAC either ordered rectification within a prescribed grace period or removed the problematic apps from the app store.

Robust enforcement actions have also taken place in Hong Kong. The Office for the Privacy Commissioner for Personal Data published two investigation reports on 14 Nov. in relation to the illegal sharing of patients’ personal data among various brands by a health care institution and the ransomware attack on the database of a well-known photo-printing chain affecting over 600,000 members and customers. The PCPD issued enforcement notices to the health care institution and photo-printing chain to remedy the situation and prevent recurrence of the contravention.

Hope you find what is happening in the privacy field in the Greater China is of interest. Until next time!