Happy New Year, privacy pros! Warmest greetings from China! I hope you all had a restful holiday and are ready for 2023! 

The new year promises to be busy and dynamic, full of opportunities and challenges. With the significant relaxation of China’s COVID-19 policies starting in early December, the Chinese government is shifting its focus to economic development. And the digital economy was identified as one of the highest-priority sectors in an important governmental guideline issued by China’s State Council 19 Dec. 2022.

This guideline, briefly referred to as the 20 Data Measures, emphasizes China's building of a comprehensive and profound mechanism for data ownership, utilization, sharing, management and supervision. China will take steps to give full play to the value of data assets and achieve a proper balance between data monetization, data governance and security. China vowed to relax entry barriers for companies and other stakeholders to gain access to data. Business organizations are required to follow the data classification and categorization, national security review, fair competition and personal information protection requirements for data activities in strict accordance with the Cybersecurity Law, Data Security Law, Personal Information Protection Law, Competition Law, Anti-Monopoly Law and other applicable regulations. 

In terms of cross-border data transfer, the 20 Data Measures support bilateral and multilateral collaborations for orderly international data flows. Multinational corporations and other international investors are encouraged to do business in industry sectors open to foreign investment under Chinese laws and regulations. Specific sectors, including cross-border e-commerce, cross-border payment, supply chain management and service outsourcing, may enjoy more flexibilities for cross-border data transfers. It is worth keeping a close watch on what detailed rules will be issued in the coming months to implement the 20 Data Measures. 

It is also interesting to note the thin line between data privacy and anti-trust compliance requirements is getting increasingly blurred, and data-rich companies are subject to augmented scrutiny from both data protection and anti-trust regulators. On 26 Dec. 2022, China’s top anti-trust regulator closed its year-end by imposing a big-ticket fine of RMB 87.6 million (approximately $12.5 million) on CNKI, China’s largest academic literature database company, for the abuse of market-dominant position in violation of the Anti-Monopoly Law. CNKI is also being investigated by China’s top data regulator, the Cyberspace Administration of China, for alleged violations of Chinese data and cybersecurity laws in parallel with the anti-trust investigation. It remains to be seen whether, and when, the other cyber investigation shoe will drop! 

Moving down to Hong Kong, there is an important breakthrough for data privacy enforcement. On 15 Dec. 2022, the Hong Kong court ordered eight-month’s imprisonment to a 27-year-old male defendant, who was found guilty of disclosing a victim’s name, photos, residential address and other personal information on social media platforms without the victim’s consent, with an intent to cause specified harm to the victim or her family members. This is the first sentencing case of the new doxxing offence under the Hong Kong Personal Data (Privacy) Ordinance.

There is no doubt that more data legislation and enforcement developments in the greater China region will be on the horizon and we will keep you posted. I hope you have enjoyed this digest. Until next time!