Photo of Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China's National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.

On April 27, 2020, the Cyberspace Administration of China (“CAC”) and other eleven government agencies jointly released the final version of the Measures on Cybersecurity Review (“Measures”) (an official Chinese version of the Measures is available here).  These Measures will take effect on June 1, 2020.

Under Article 35 of China’s Cybersecurity Law (“CSL”), operators of Critical Information Infrastructure (“CII”) are required to undergo a security review if the procurement of “network products and services” implicates China’s national security.  To implement this requirement, CAC previously released the Measures on the Security Review of Network Products and Services (Trial) (“Trial Measures”) on May 2, 2017, which established a process for CAC to conduct a cybersecurity review in a range of key sectors.  On May 24, 2019, CAC released a draft version of the Measures (“Draft Measures”) for public comment (see our post on the Draft Measures here), aiming to update the review process established under the Trial Measures.  The final version of the Measures replaces the Trial Measures and largely tracks the framework proposed in the Draft Measures.

Highlights of the final version of the Measures appear below.
Continue Reading China Issues New Measures on Cybersecurity Review of Network Products and Services

Covington experts on issues as varied as supply chain and other commercial contracts, employment, and insurance are supporting companies on the commercial implications of Coronavirus COVID-19.  But this blog post provides a brief overview of some of the key issues that privacy and cybersecurity professionals should have top of mind in dealing with response efforts.  We describe below both privacy implications of disclosing data to government authorities and commercial partners and strategies to manage COVID-19 risk by collecting additional information about employees and visitors, as well as the cybersecurity implications of these outbreak prevention and management efforts.

  • Our professionals around the globe have been advising clients on the privacy risks of disclosing health and other personal data to public health authorities and other government agencies.  As we blogged about here, regulators at many different levels of the Chinese government have been actively collecting personal data to monitor and mitigate the spread of the virus, and that’s now happening across the globe.  Other public health agencies worldwide are requesting information from private companies to assist with containing or mitigating the spread of the virus.  For example, they may seek information about a person’s contacts in order to conduct contract tracing of an infected person.  Although public health agencies generally have broad information-gathering authorities, these laws typically do not overcome privacy laws that restrict disclosures of personal or other sensitive information.  Companies may need to consider how to mitigate these legal risks before responding, particularly where more detailed information is requested.
    Continue Reading Key COVID-19 Issues for Privacy and Cybersecurity Professionals

In December 2019, the People’s Bank of China (“PBOC”) issued the draft Measures for the Protection of Financial Consumers’ Rights and Interests for public comment (“draft Financial Consumer Measures”) (an official Chinese version is available here).  Although the draft Financial Consumer Measures focus more broadly on consumer rights in the financial sectors, they imposes upon financial institutions privacy and cybersecurity obligations that—in certain instances—extend beyond the requirements stipulated in China’s Cybersecurity Law (“CSL”).

Following up on the draft Financial Consumer Measures, PBOC issued the Personal Financial Information Protection Technical Specification (“Financial Information Specification”) on February 13, 2020 setting forth additional privacy and cybersecurity requirements applicable to the life cycle of personal financial information collected and processed by regulated financial entities and other entities that process personal financial information (“Financial Industry Entities”). While the Financial Information Specification follows the general personal information protection principles under the Cybersecurity Law (“CSL”) framework, some specific requirements are worth highlighting, as explained below.
Continue Reading China Releases Personal Financial Information Protection Technical Specification

In response to the recent coronavirus outbreak (“2019-nCoV”), a wide range of Chinese regulators, including many levels of local governments (down to the neighborhood committee level) and local public security bureaus (“PSBs”), have been actively collecting personal information to monitor and potentially mitigate the spread of the outbreak.  For example, Shenzhen PSB has issued a notice requiring residents or visitors to Shenzhen to scan a QR code to fill in personal information, such as their contact details, addresses, travel information, and health status.  The Shanghai Municipal People’s Government also issued a similar notice requiring residents returning to Shanghai from an out-of-town trip or visitors to report a similar set of personal information.

In practice, numerous additional third party entities, including airports, train stations, employers, and landlords, could engage in collecting extensive personal information from travelers or visitors to a particular location or area, due to their own reporting obligations.  For instance, visitors to office buildings may be obliged to report their health status to the landlord or building management.  Also, employers are required to closely monitor the health status of employees if the employers apply to the local government to re-open their offices or factories.

With the widespread practice of information collection for public health purposes, data breaches and misuse of data become a major concern of the public.  For example, it has been reported that travelers from Wuhan to other cities within China have been victims of data breaches after submitting their personal information to transportation entities and local regulators.  A document entitled “List of Individuals Returning to Ningdu From Wuhan” was leaked to various WeChat groups in January 2020 and contained the personal information, including telephone numbers, national identification numbers, and home addresses, of approximately four to five hundred data subjects.  Similar incidents happened across China and the sources of the leaks remain uncertain.
Continue Reading Cyberspace Administration of China Releases Notice on the Protection of Personal Information in the Fight Against Coronavirus

On November 20, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for the Publication of Cybersecurity Threat Information (“Draft Measures”) for public comment.  (An official Chinese version is available here).  The comment period ends on December 19, 2019.

The release of the Draft Measures marks an important step forward in implementing Article 26 of China’s Cybersecurity Law (“CSL”), which establishes that the publication of cybersecurity information (such as those related to system vulnerabilities, computer viruses, cyberattacks and/or network intrusions) to “the public” must comply with unspecified “relevant rules.”  Article 26 does not specify what kind of entities or individuals are subject to this requirement; thus, it is unclear whether Article 26 applies to entities that have discovered vulnerabilities on their own networks and/or the activities of third parties that have uncovered cybersecurity threats to others’ networks, such as cybersecurity research firms.

The Draft Measures are intended to provide further guidance for these entities and individuals based in China that have threat information about other network operators’ network or information systems and outlines how they can publish the threat information in a compliant way.  The Draft Measures are silent as to whether these requirements will apply to entities or individuals that are based outside of China and, if these requirements are applicable for the publication of threat information globally, how entities or individuals outside of China can comply. It is also unclear about the extent to which the Draft Measures would apply to network operators who become aware of cybersecurity threat information related to their own networks.


Continue Reading China Seeks Public Comments on Draft Measures for the Publication of Cybersecurity Threat Information

On October 26, 2019, China enacted a landmark Encryption Law, which will take effect on January 1, 2020.  The Encryption Law significantly reshapes the regulatory landscape for commercial encryption, including foreign-made commercial encryption products, but leaves many questions to be answered in future implementing regulations.  In this blog post, we provide a few highlights of the new Encryption Law as enacted.
Continue Reading China Enacts Encryption Law

On July 5, 2019, China’s Standing Committee of the National People’s Congress (NPC) published a new draft Encryption Law (“the draft Law”) for public comment.  The draft Law, if enacted as drafted, would bring significant new changes to China’s commercial encryption regime.

The State Cryptography Administration (“SCA”) previously issued an initial draft of this law for public comment on April 13, 2017 (“the 2017 Draft”) (see Covington’s alert on the previous version here).  After the release of the 2017 draft, the regulatory regime in China for commercial encryption products was revamped significantly (see Covington’s previous alert here).  The State Council removed certain approval requirements for the production, sale, and use of commercial encryption products in late September 2017, and the SCA issued further notices reducing the burden imposed on manufacturers, distributors and users of commercial encryption products.  The draft Law proposes further changes to this revamped regime, including for example introducing different categories of encryption, and establishing license requirements for certain imports and exports, while carving out items in “general use.”

The comment period ends on September 2, 2019.


Continue Reading China Releases Updated Draft Encryption Law for Public Comment

On June 13, 2019, the Cyberspace Administration of China (“CAC”) issued the draft Measures on Security Assessment of the Cross-border Transfer of Personal Information (“Draft Measures”) for public comment. (The official Chinese version of the Draft Measures is available here, and an unofficial English translation is available here.) The comment period ends on July 13, 2019.

The issuance of the Draft Measures marks another major development in the implementation of China’s Cybersecurity Law (“CSL”) over the past month, aiming to create a cross-border data transfer mechanism that would govern all of the transfers of personal information conducted by network operators (defined as “owners and managers of networks, as well as network service providers”).

CAC has previously released two earlier versions of its draft Measures on Security Assessment of Cross-border Transfer of Personal Information and Important Data back in 2017, which imposed security assessment obligations on network operators when they transfer both personal information and important data outside of China (See Covington’s previous alert here). The latest and long-anticipated Draft Measures only focus on the cross-border transfer of personal information (the cross-border transfer of important data will be subject to a separate approval mechanism introduced by the draft Measures for Data Security Management released by CAC on May 28, 2019) and also set out new requirements that bear resemblance to the Standard Contractual Clauses under the EU’s General Data Protection Regulation (“GDPR”).

We discuss the key requirements of the Draft Measures in a greater detail below.


Continue Reading China Seeks Public Comments on Draft Measures related to the Cross-border Transfer of Personal Information

On May 31, 2019, the Cyberspace Administration of China (“CAC”) released the draft Regulation on the Protection of Children’s Personal Information Online (“Draft Regulation”) for public comment. (An official Chinese version is available here and an unofficial English translation of the Draft Regulation is available here.) The comment period ends on June 30, 2019.

As mentioned in our last blog post (available here), CAC issued the draft Measures for Data Security Management (“Draft Measures”) just last week, which set out the general regulatory framework that will govern the collection and use of personal information by network operators (broadly defined as “owners and managers of networks, as well as network service providers”). The release of this new Draft Regulation demonstrates CAC’s intention to set out more stringent requirements for network operators if they collect, store, use, transfer or disclose the personal information of minors under 14 years old. We discuss the key requirements of the Draft Regulation in a greater detail below.


Continue Reading CAC Releases Draft Regulation on the Protection of Children’s Personal Information Online

On May 28, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for Data Security Management (“Draft Measures”) for public comment. (An official Chinese version of the Draft Measures is available here and an unofficial English translation is available here.) The comment period ends on June 28, 2019.

The release of these Draft Measures demonstrates China’s continuing efforts to implement the data protection requirements imposed by China’s Cybersecurity Law (“CSL”). For example, under Article 41 of the CSL, network operators must notify individuals of the purposes, methods and scope of the information collection and use, and obtain their consent before collecting or using individuals’ personal information. Furthermore, under Article 42 and 43 of the CSL, network operators must not disclose, tamper with, or damage citizens’ personal information that they have collected, and they are further obligated to delete unlawfully collected information and amend incorrect information.

To implement the CSL, the CAC and the Standardization Administration of China issued a national standard for personal information protection (“Standard”) on January 2, 2018, which took effect on May 1, 2018 (see our previous blog post about that Standard here). A draft amendment to the Standard (“Draft Amendment”) was released for public comment on February 1, 2019 (see our previous blog post about the Draft Amendment here). The new Draft Measures incorporate some of personal information protection requirements specified in the Standard and the Draft Amendment, and also introduce a number of new requirements for the protection of “important data,” which was initially mentioned in Article 21 and 37 of the CSL, but was not defined.


Continue Reading China Releases Draft Measures for Data Security Management