Greetings, fellow privacy professionals!

It has been a very eventful June. We have seen several new cases of data breaches, as well as proactive measures in Australia, where in NSW, there are discussions ranging from pushing forward with mandatory data breach laws to organizations putting privacy back into their own hands by incorporating consumer privacy rights into their data architecture. However, the talk of the town right now is China's draft cybersecurity and data protection measures, released for public consultation.

Some of these drafts were released as recently as last week, so I think it is too early to comment on them, but I would like to share some useful resources to get you and your privacy, security and legal/compliance teams up to speed so you are up to date with the relevant changes. I’ve included the translated draft titles and links for you to dive deeper into the topic.

Provisions for Cybersecurity Vulnerabilities Management

Personal Information Outbound Transfer Security Assessment Measures

Critical Network Equipment Security Testing Implementing Measures 

Data Security Management Measures

Cybersecurity Review Measures

As you can see, China’s cybersecurity regulations continue to evolve, and it is important that companies that operate in China or have business ties to China pay close attention to the existing and upcoming potential changes. It is imperative to look at this from a risk perspective and understand, for example, that cross-border data transfers are tightening up, and it is better to err on the side of caution and perform security and privacy impact assessments before entering China or when there is a legitimate business reason to perform one. According to the Global Times, “The latest draft guideline will prevent the flow of personal information overseas if it ‘risks undermining national security and public interests’, or if the security of personal information cannot be effectively guaranteed… the draft covers not only operators of critical information infrastructure referred to in the cybersecurity law, but also ‘network operators’, a much wider scope of businesses operating in China — essentially every business that operates network infrastructure in mainland China.” [Here]

I look forward to providing more in-depth analysis in the future if/when the above become finalized, and to joining privacy pros for more industry sharing in July if you are in Singapore.

We are only a few weeks away from the RSA Conference in Singapore this year. There are several key sessions that will touch on regional data regulations, so be sure to register early for the events. I am moderating an IAPP panel on data breaches with industry experts, including Twitter’s global data protection officer, and two sessions at RSA Conference SG this year on cybersecurity strategies for fintech companies, as well as data protection demands regionally and globally.

Hope to see you in Singapore.

Stay safe; stay secure.

Jason Lau
IAPP Regional Leader, Hong Kong
CIPP/E, CIPM, FIP