China’s Personal Information Protection Law creates challenges for compliance

China’s Personal Information Protection Law (“PIPL”) was passed on 20 August 2021. PIPL presents certain challenges for compliance, which is required when it comes into force on 1 November 2021. Overview Lack of clarity over what constitutes consent Lack of clarity over “contract necessity” as a complete exception to consent Safeguards for transferring personal information … Read more

China’s new laws complicate data transfers

This year is a pivotal year for data laws in China, with two very significant pieces of new legislation coming into force – the Data Security Law (“DSL“), governing important/core data, and the Personal Information Protection Law (“PIPL“), governing personal information, on 1 September 2021 and 1 November 2021 respectively. The key issue is how … Read more

ICO issues draft International Data Transfer Agreement and guidance on undertaking risk assessments for consultation on ensuring compliance for data transfers from the UK

The UK has taken its first big data protection step in a post-Brexit world with the Information Commissioner’s Office (“ICO“) publishing its own version of an international data transfer agreement and accompanying methodology for conducting international risk assessments on 11 August 2021. The ICO has published the following documents, which all inter-relate with one another: … Read more

China Cybersecurity and Data Protection: Monthly Update – July 2021 Issue

Key highlights – our comments on the cybersecurity probe into DiDi and the draft of the revised Measures on Cybersecurity Review In early July, the Cyberspace Administration of China (CAC) announced that it had initiated cybersecurity review on three companies, namely DiDi, Boss Zhipin and Full Truck Alliance, and during the review the three companies … Read more

European Commission publishes final Article 28 clauses

Simultaneous with the European Commission publishing its final standard contractual clauses for the international transfer of personal data (see our blog post here for further information) (the “New SCCs“), they have now published a final set of standalone Article 28 clauses for use between controllers and processors in the EU, also termed ‘standard contractual clauses’ … Read more

ICO PUBLISHES CALL FOR VIEWS ON ANONYMISATION GUIDANCE

Background On 28 May 2021, the Information Commissioner’s Office (“ICO“) published a call for views on the first draft chapter of its anonymisation, pseudonymisation and privacy enhancing technologies draft guidance). This first chapter is part of a series of chapters of guidance that the ICO will be publishing on anonymisation and pseudonymisation and their role … Read more

European Commission publishes final Standard Contractual Clauses

Seven months after the European Commission published its draft new Standard Contractual Clauses for data transfers between EU and non-EU countries (the “Draft SCCs“) for consultation (see our blog post here (the “Draft SCCs Blog“)), they have now published a finalised set of Standard Contractual Clauses (“Final SCCs“) with little fanfare (available here). It should … Read more

China Cybersecurity and Data Protection: Monthly Update – May 2021 Issue

This e-bulletin summarises the latest developments in cybersecurity and data protection in China with a focus on the regulatory, enforcement, industry and international developments in this area. Our highlights In late April, we saw the second reading of the proposed Personal Information Protection Law (PIPL) and Data Security Law (DSL) by the Standing Committee of … Read more