Hi privacy pros! Greetings from Beijing!
In China, October normally starts with the Golden Week for the National Day holiday, when people take some time off for relaxation and reunion with family and friends. But in the data privacy space, things are always buzzing.
This year, 1 Oct. marks the effective date of a new Shanghai regulation for promoting the development of the artificial intelligence industry. This new AI regulation is an important piece of local law by which Shanghai authorities will double down on the digital economy to build Shanghai into an internationally influential AI powerhouse. In particular, the AI regulation encourages business organizations to explore the use of AI technology in business scenarios such as finance, education, health care, elder care, logistics and manufacturing. Financial incentives will be provided to qualified investors and developers. At the same time, the AI regulation also stresses the importance of protecting personal data and privacy, and companies must strictly follow China’s Personal Information Protection Law, Cybersecurity Law, Data Security Law and the applicable ethical principles in developing AI technologies and products.
China’s data and cybersecurity industry standards have always been an essential part of China’s regulatory regime, as some industry standards are mandatory standards of compulsory effect. Even those that are not mandatory provide practical and helpful guidance for businesses and are often referenced by regulators as best practices. On 19 Oct., China’s National Cybersecurity Standardization Commission and the State Administration of Market Regulation jointly issued 14 national cybersecurity standards, covering multiple important fields including biometric data, personal information engineering, automobile data, facial recognition information, human gait recognition, instant messaging telecommunication, logistics services, e-commerce, online payments, online audio services and online transportation services. These industry standards provide detailed and comprehensive security requirements in relation to clear and sufficient notification to data subjects when handling sensitive personal data and important data, data minimization and avoidance of excessive use of personal data, desensitization of personal information, security measures and control for data storage and transfer, and prevention of data breach incidents. All 14 of these industry standards will become effective 1 May 2023.
In terms of enforcement, Chinese regulators remain active in investigating noncompliance with data laws. In October, the national and local regulators conducted further investigations, and more mobile applications were found in breach of the PIPL. The violations range from collection of personal information beyond the contemplated purpose and excessive requests for authorization to illegally sending push messages. The regulators have vowed to monitor compliance on an ongoing basis by “looking back” at the apps investigated before.
Enhanced enforcement is taking place not only in mainland China but also in Hong Kong. On 6 Oct., the Hong Kong Court convicted a 27-year-old male on seven charges of “disclosing personal data without consent,” contrary to section 64(3A) of the Personal Data (Privacy) Ordinance. This is the first conviction under Hong Kong’s new anti-doxxing regime that took effect 8 Oct.
Hope you have enjoyed this APAC Digest. Until next time!