Tag:China

1
China Will Issue Safe Harbor Rules to Facilitate Cross-Border Data Flow
2
Beijing CAC Approved the First China SCC Filing
3
Key Dates for China’s standard contractual clauses compliance
4
New concerns over China’s ability to access user data on WeChat
5
What is Required under The PIPL: A PRC-Based Representative or a Personal Information Protection Officer?
6
And it’s here! China’s new privacy laws come into effect
7
Get with the program – China’s new privacy laws are coming
8
Zooming In: “Zoom’s” Significant Privacy and Data Security Risks brought to Light Again (and Again)
9
Doctor, how are we tracking? China, South Korea, Singapore and Thailand Using Smart Phone Applications to Halt the Spread of Corona Virus
10
China in breach of cyber-security pact

China Will Issue Safe Harbor Rules to Facilitate Cross-Border Data Flow

By Amigo L. Xie and Dan Wu

On 28 September 2023, the Cyberspace Administration of China (CAC) released draft Provisions on Regulating and Facilitating Cross-Border Data Flow (in Chinese) for a public comment period ending on 15 October 2023.1

Read More

Beijing CAC Approved the First China SCC Filing

By Amigo L. Xie, Lingjun Zhang, and Dan Wu

About four months after the Cyberspace Administration of China (CAC) released the Measures for the Standard Contract for the Export of Personal Data from China (China SCC Measures), and 15 working days after the China SCC Measures became effective, Beijing CAC published a notice announcing that a Beijing-based company passed the first-ever China SCC filing on 25 June 2023 (Notice).

Based on the Notice, the first China SCC filing relates to a cross-border personal data transfer from a Beijing-based data exporter, an online data service provider, to a Hong Kong-based data recipient. The type of data exported by the Beijing-based data exporter is personal data related to credit references as disclosed by the Notice.

The completion of the first-ever China SCC filing conveyed some positive messages to the market:

Read More

Key Dates for China’s standard contractual clauses compliance

By Amigo L. Xie

2023 is destined to be a big year for the hottest issues of the China Personal Information Protection Law (PIPL) for MNCs doing business in or with China especially in the areas of: cross-border personal data transfers, localization, compliance, and enforcement.

It is worth noting the following milestones in your timeline for China data privacy compliance in 2023:

Read More

New concerns over China’s ability to access user data on WeChat

By Cameron Abbott and Hugo Chow

A recent report by cybersecurity firm, Internet 2.0, has raised concerns about the Chinese Communist Party’s ability to access the data of millions of users around the world of social media and payment application, WeChat.

WeChat is significant as it is the application that nearly all citizens in China use on a daily basis for communication, payments for services and as a way for citizens to connect through social media. Although the majority of WeChat’s more than 1 billion users are located in China, there are approximately 600,000 users in Australia, 1.3 million users in the UK, and 1.5 million users in the United States.

One of the concerns the report outlines is that although WeChat states that its servers are kept outside mainland China, all user data that WeChat logs and posts to its logging server goes directly to Hong Kong. And the report argues that under Hong Kong’s new National Security Legislation, there is little difference between Hong Kong resident servers and servers in mainland China.

As a result, due to China’s National Intelligence Law which requires organisations and citizens to “support, assist and cooperate with the state intelligence work”, there are concerns that the WeChat logging data that goes to servers in Hong Kong may be accessed by the Chinese Government upon request. The report states that the data that goes to Hong Kong is log data, which includes the user’s mobile network, device information, GPS information, phone ID, the version of the operating system of the device, but does not include information such as content of a conversation.

Another concern the report outlines is that although there was no evidence that chats were stored outside the user’s device, the report found that WeChat had the potential to access all the data in a user’s clipboard. This means that there is the potential for WeChat to access the data that is copied and pasted by users on WeChat, which is a risk to people using password managers that rely on the clipboard feature to copy and paste their passwords.

We expect to hear more about these sorts of concerns from a range of jurisdictions.

What is Required under The PIPL: A PRC-Based Representative or a Personal Information Protection Officer?

By Dr. Amigo L. Xie, Xiaotong Wang, Grace Ye and Yibo Wu

Multinational entities with operations in or having businesses with the People’s Republic of China (PRC) should take note of the PRC’s new Personal Information Protection Law (PIPL), which took effect on 1 November 2021 and is extraterritorial in scope and effect. 

This alert lays out the differences between the requirements under Article 52 PIPL (PIPO appointment) and Article 53 PIPL (PRC-based representative appointment / establishment of an agency in the PRC). It also examines statutory obligations under PIPL upon designated personnel and highlights important sector-specific regulations and provincial and municipal government practices.

Click here to read the full alert.

And it’s here! China’s new privacy laws come into effect

By Cameron Abbott, Rob Pulham and Ella Richards

On 1 November 2021 the People’s Republic of China (PRC) effected the Personal Information Protection Law (PIPL).

The PIPL joins existing Cybersecurity Law and Data Security Law to broaden privacy obligations within the PRC. This comprehensive legislation governs the treatment of personal information within the PRC and strengthens the existing data localisation requirements.

Our colleagues have summarised the PIPL Draft Bill here and prepared advice on the collection of employee’s personal information under the PIPL here.         

Get with the program – China’s new privacy laws are coming

By Cameron Abbott and Ella Richards

The People’s Republic of China (PRC) passed the Personal Information Protection Law (PIPL) on Friday the 20th of August 2021. The new privacy regime strengthens the protection around the use and collection of personal data and introduces a new requirement for user consent.

The PIPL, closely resembling the European Union’s General Data Protection Regulation, prevents the personal data of PRC nationals from being transferred to countries with lower standards of data security; a rule that may pose inherent problems for foreign businesses. The PIPL was introduced following an increase in online scamming and individual service price discrimination – where the same service is offered at different prices based on a user’s shopping profile. However, while businesses and some state entities face stronger collection obligations, the PRC state security department will maintain full access to personal data.

Although the final draft of the PIPL is yet to be released, the new law is set to commence on the 1st of November 2021. Companies will face fines of up to 50 million yuan ($7.6 million USD), or 5% percent of their annual turnover if they fail to comply. For an in-depth discussion of the Draft PIPL released in August 2020, see our K&L Gates publication here.

Zooming In: “Zoom’s” Significant Privacy and Data Security Risks brought to Light Again (and Again)

By Cameron Abbott, Warwick Andersen, Rob Pulham, Allison Wallace and Max Evans

It hasn’t even been 10 days since our previous Blog on Zoom, which highlighted a number of privacy and data security issues prevalent in the use of the popular telecommunications software, and already further privacy issues have been alleged. Let’s put these allegations under the magnifying glass:

Disclosure to Facebook: Even If You don’t have an Account

Firstly, Vice reports that the iOS version of the Zoom app transfers analytics data to Facebook, even if Zoom users don’t have a Facebook account, without disclosing as such in its Privacy Policy.

Read More

Doctor, how are we tracking? China, South Korea, Singapore and Thailand Using Smart Phone Applications to Halt the Spread of Corona Virus

By Cameron Abbott, Warwick Andersen, Rob Pulham and Max Evans

A slew of Asian countries have begun to use telecommunications networks, Smart Phone Applications and messaging services to assign, inform, track and/or monitor individuals which may have contracted COVID-19, including those which are required to undertake a process of self-isolation, according to articles from Wired, Channel News Asia and Bangkok Post.

In China, apps such as WeChat and AliPay have been utilised to assign individuals health codes, referred to as colour codes, to determine whether they should undertake a process of self-isolation. According to the NY Times a green code enables its holder to move about unrestricted, a yellow code asks the individual to stay home for seven days whilst a red code requires a two-week quarantine. In South Korea, government authorities have sent out texts detailing the movements of specific people infected with COVID in addition to using a smartphone app to ensure people who are required to self-isolate are staying home.

Read More

China in breach of cyber-security pact

By Cameron Abbott and Wendy Mansell

It has been a fairly turbulent week in the cyber-espionage space following accusations that China’s Ministry of Security Services is behind the surge of intellectual property theft from Australian companies.

The news that the persistent attacks on Australian IP are perhaps a State sponsored campaign by the Chinese government is concerning as it suggests that China are in breach of several international and bilateral agreements.

In 2015, an agreement was made between Chinese President Xi Jinping and former President Obama, that the U.S and China would not steal intellectual property from one another for commercial gain. This was furthered at the November 2015, G20 Summit, where the cyber-theft of IP was accepted as the norm.

Following on from this in September 2017, former Prime Minister Malcolm Turnbull and Chinese Premier Li Kequiang promised that neither country would engage in cyber-theft of intellectual property and commercial secrets.

Reports of cyber-theft declined immediately after these agreements, however in recent months they have ramped up again.

A U.S Trade Representative report released this week confirms that despite any international agreements, China has continued engaging in cyber-espionage and the theft of intellectual property. Further the report states that not only is China likely to be in breach of these agreements, but the attacks have “increased in frequency and sophistication”.

Notably in July of this year, China was linked to the cyber-breach of Australian National University. This attack was particularly disturbing given that ANU is a leading university involved in key areas of Australian technological, scientific, defence and commercial research.  It is fascinating that cyber attacks and theft are a “norm” that is accepted within our overall international relationships.  Physical acts of a similar nature would not be so easily accepted.

Copyright © 2024, K&L Gates LLP. All Rights Reserved.