Photo of Jared T. Nelson

Enforceable in all EU member states on 25 May 2018, the General Data Privacy Regulation will require action by organisations both inside and outside the European Union to ensure compliance with this far-reaching privacy legal framework. Compliance is even more urgent given that the GDPR provides for large penalties in cases of infringement. Some entities are not yet aware of the extent to which the GDPR may apply to them: it expressly applies to organisations established outside the European Union that offer paid or free goods or services to EU data subjects or monitor EU data subjects’ behaviour.

In this article, we review steps for a risk-based, prioritised approach to GDPR compliance and how companies can pragmatically adjust their policies and practices to help ensure compliance.

In the final days of 2017, the vice chairman of the Standing Committee of China’s National People’s Congress (NPC) submitted a report to the Standing Committee of the NPC detailing the Network Security Law enforcement inspection project that began earlier in the year. This inspection had focused on five key points under the government’s overall data protection strategy:

  • Legal education
  • Supporting laws and regulations
  • Protection of critical information infrastructures and the application of graded protection for network security
  • Illegal network information
  • Personal information protections

China’s new data protection framework clearly creates a requirement for local storage and conducting a security assessment before personal information or important data is shared with other jurisdictions, but it is currently much less clear what types of entities fall under this requirement.

Localization and Transfer Assessment Requirements Related to CII Operators

Under the People’s Republic of China Network Security Law, also known as the Cybersecurity Law, personal information and important data collected and generated in the operation of critical information infrastructure operators (CII operators) is required to be stored in China and, before providing that information abroad, a security assessment is required to be passed. This new requirement caused a significant amount of concern for entities that fall within the category of CII operators because of the need to potentially restructure their data systems, but there was also a general appearance of acceptance within the business community due to the relatively targeted scope of the definition of CII operators and acknowledgement that critical infrastructures require elevated protections.

Following the first enforcement actions by local authorities in Shantou and Chongqing for violations of the new Network Security Law that came into effect this year, authorities in China have recently shown a clear initial focus with several new cases targeting provisions of the law that require monitoring of platform content. As of the start of October 2017, enforcement actions by authorities in China have targeted platform content violations in nearly 70 percent of all actions under the new provisions of the data protection rules.

Today, China’s much-anticipated Network Security Law comes into effect after two years of review, revisions over three drafts and a public commenting process. The law is a historic development for China’s legislative coverage of information security and data protections. It also represents one of the strictest approaches in any jurisdiction worldwide, and a continuation of a broader effort at demonstrating the government’s cyber-sovereignty goals through control and regulation of data and the internet.

Overview of the Network Security Law

Commonly referred to as the “Cybersecurity Law,” the new piece of legislation has a broad scope and covers a range of issues related to data privacy, security and cross-border transfers, including:

  • Increasing security measures and strengthening data security through a variety of specific obligations
  • Ensuring consent for collection of personal information through the principles of legality, proper justification and necessity
  • Screening equipment and products for security testing and certification
  • Ensuring real-name registration for users
  • Strengthening requirements to cooperate with government agencies during criminal investigations or to protect national security
  • Requiring personal information to be stored in China under some circumstances
  • Increasing confidentiality measures for user information
  • Setting up a complaint and reporting platform for network security
