Hello privacy pros.

The big privacy news in our region and around the world is China's passage of its Personal Information Protection Law 20 Aug. The law takes effect 1 Nov. and imposes substantial obligations on organizations' collection and use of personal information.

On the surface, many of the law's provisions bear a striking similarity to the EU General Data Protection Regulation, with some notable differences. The PIPL places a much stronger emphasis on consent for processing and, separately, for disclosures to third parties and cross-border transfers of personal information out of China. It requires a lawful basis for processing personal information but has no comparable lawful basis to the GDPR's "legitimate interests." Breaches must be notified "immediately" to the regulator rather than within the GDPR's 72-hour timeframe.

Articles 33-37 describe the PIPL's application to government agencies' handling of personal information, with Article 34 prohibiting them from handling personal information in a manner that exceeds the scope required to perform the agency's function. Nonetheless, some have questioned the extent to which the law will act as an effective restraint on what is perceived to be pervasive state monitoring. For instance, if an agency's function is to (lawfully) monitor citizens' movement and communications, this would potentially be permitted. Further regulatory guidance and/or case law will likely give us a clearer picture of the scope of application to government handling of personal information.

There will undoubtedly be much more virtual ink spilled analyzing, debating and preparing for compliance with the PIPL over the next two months before it becomes effective. In the meantime, be sure to read the full translation of the PIPL, available from Stanford's DigiChina Cyber Policy Center.

Here in Australia, the Office of the Australian Information Commissioner this week released its latest Notifiable Data Breaches Report. The report, covering January to June 2021. includes a mix of troubling and encouraging news. On a troubling front, breaches related to ransomware incidents increased 24%. Commissioner Angelene Falk suggested the number may be even higher, "some entities may not be reporting all eligible data breaches involving ransomware." On a positive note, breaches resulting from human error have decreased, and 44% of breaches affected fewer than 10 individuals.

Stay safe until next time!