Hi privacy pros! Greetings from Beijing, China! I hope you managed to take some time off to get away from the heat wave the past weeks. Here in Beijing, the summer heat is gradually fading off, and Beijing is moving into its best season of the year: autumn!

On the data and privacy front, the coming September may have an important impact on companies that need to transfer data between subsidiaries in China and the global headquarters and affiliates outside China. From 1 Sept., the long-awaited Rules of Cybersecurity Assessment for Cross-Border Data Transfer will come into force. China has a complex legal regime for international data transfers and these Cybersecurity Assessment Rules provide helpful clarification and guidance for companies to handle cross-border data transfers in compliance with Chinese laws and regulations. Companies whose data collection and processing activities fall within the new rules are required to prepare and submit the necessary documents to the competent authorities for a security assessment. Failure to comply with the obligations would expose the organization to legal and administrative risks.

Chinese authorities remain active in implementing China’s Cybersecurity Law, Data Security Law, Personal Information Protection Law and the implementing regulations, local rules, and best industry practices. The significant penalties recently imposed by Chinese authorities on violating companies undoubtedly indicate that Chinese authorities are never shy in taking strict enforcement actions against noncompliance. A few days ago, one deputy director of the Cyberspace Administration of China commented that the authorities will expedite the process of formulating further detailed rules for protection of personal data and the enforcements must have “sharp teeth.”

Another CAC deputy director also recently said that the CAC is in the process of establishing the Cyberspace Enforcement and Regulatory Bureau in order to continuously beef up the regulation over the internet and online business operations. This is the first time the CAC made an official announcement on establishing this new enforcement body. All these new developments are a clear message that the tightening of scrutiny over data protection and cybersecurity will continue in the months and years to come.

On the international collaboration side, on 18 Aug., China decided to set up the working group for accession to the Digital Economic Partnership Agreement. The DEPA is the world’s digital-only trade agreement, promoting digital trade by regulating emerging issues such as artificial intelligence, financial technology, and digital identity and inclusion. It also aims to enable cross-border data transfers and create trust in data sharing and data protection in the digital economy. This groundbreaking pact has been signed by the three founding countries of Chile, New Zealand and Singapore, and many other economies such as Canada and South Korea have shown great interest in joining the club.

China’s accession to the DEPA appears in line with its moves to upgrade the economy from traditional industries to high-tech, digitalized sectors. According to an announcement by China’s Ministry of Commerce, China will go ahead with substantive discussions with the DEPA member countries and make complete preparation for accessing the DEPA. Worth keeping a close watch on the developments in this regard.

Hope you have enjoyed this digest. Until next time!