Articles 33-37 describe the PIPL's application to government agencies' handling of personal information, with Article 34 prohibiting them from handling personal information in a manner that exceeds the scope required to perform the agency's function. Nonetheless, some have questioned the extent to which the law will act as an effective restraint on what is perceived to be pervasive state monitoring. For instance, if an agency's function is to (lawfully) monitor citizens' movement and communications, this would potentially be permitted. Further regulatory guidance and/or case law will likely give us a clearer picture of the scope of application to government handling of personal information.
There will undoubtedly be much more virtual ink spilled analyzing, debating and preparing for compliance with the PIPL over the next two months before it becomes effective. In the meantime, be sure to read the full translation of the PIPL, available from Stanford's DigiChina Cyber Policy Center.
Here in Australia, the Office of the Australian Information Commissioner this week released its latest Notifiable Data Breaches Report. The report, covering January to June 2021, includes a mix of troubling and encouraging news. On the troubling front, breaches related to ransomware incidents increased 24%. Commissioner Angelene Falk suggested the number may be even higher: "some entities may not be reporting all eligible data breaches involving ransomware." On a positive note, breaches resulting from human error have decreased, and 44% of breaches affected fewer than 10 individuals.
Stay safe until next time!