Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.
Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.
Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.
Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China's National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.
In Part 1 of this blog series (see here), we discussed recent data protection developments in China’s e-commerce sector. In this post, we discuss recently issued rules aimed at improving data governance in China’s financial sector that could also have data protection implications. These rules can be categorized as falling into two groups: the first group focuses on general data governance requirements applicable to all financial institutions, and the second group regulates specific types of financial services.
These new rules were published by the China Banking and Insurance Regulatory Commission (“CBIRC”) and People’s Bank of China (“PBOC”) during the first quarter of 2021, and include:
- Guidelines for Data Capacity-Building in the Financial Industry (“Guidelines”) (official Chinese version available here);
- Financial Data Security – Data Life Cycle Security Standard (“Standard”) (official Chinese version available here); and
- Draft Credit Reporting Management Measures (“Draft Measures”) (official Chinese version available here).
Both the Guidelines and Standard provide detailed criteria for financial institutions on the proper collection, use and protection of “financial data,” while the Draft Measures introduce data-related requirements for licensed credit reporting agencies. All of these new rules include data security requirements for both personal and non-personal data.…
When China’s legislature, the National People’s Congress (“NPC”), enacted the Cybersecurity Law (“CSL”) in 2017, it set into motion a new era of data governance in China. Three years later, in 2020, the NPC followed up this landmark act with two other legislative milestones in this space: the draft Data Security Law (“DSL”) (see our blogpost here) and draft Personal Information Protection Law (“PIPL”) (see our client alert here). Both the PIPL and DSL will be finalized this year. Taken as a whole, these three laws form an over-arching framework that will govern data protection and cybersecurity in China for years to come.
While the DSL and PIPL have remained in draft form over the past year, the Chinese government has not stood idly by – instead, various Chinese regulators have continued to introduce data- and cyber-related rules in key sectors. Many of these sectoral rules do not appear to be primarily focused on data protection or cybersecurity, yet they may indirectly impact the collection, use and processing of personal information in specific sectors. The rollout of these new rules has not been fully coordinated, and the approaches taken in some cases deviate from the over-arching framework mentioned above. We expect this divergence to remain, even after the finalization of the PIPL and DSL. Consequently, China’s data and cyber regime will likely present a complex web of regulatory rules for organizations to navigate – both now and in the years ahead.
In this blog series, we examine several recently-introduced data and cyber rules in the areas of e-commerce, finance, healthcare, and artificial intelligence – all of which are rapidly expanding sectors in China where the collection and use of massive amounts of personal information have given rise to a variety of regulatory concerns. We will also explain, in the last blogpost of this series, China’s recent push to regulate how mobile applications can collect and process user data.
In our first blogpost of this series, we focus on recent developments in China’s e-commerce sector.…
On the ninth episode of our Inside Privacy Audiocast, we peer through the looking glass at China’s approach to data protection and the latest developments in its emerging data protection and cybersecurity regime. Dan Cooper, Yan Luo and Zhijing Yu discuss the variety of legal instruments in China’s quickly-evolving data protection and cybersecurity regulatory…
On December 2, 2020, China’s Ministry of Commerce (“MOFCOM”), State Cryptography Agency (“SCA”), and the General Administration of Customs (“Customs”) jointly issued three documents (here) related to import and export of commercial encryption items:
- List of Commercial Encryption Subject to Import Licensing Requirement (“Import List”);
- List of Commercial Encryption Subject to Export Control (“Export List”); and
- Procedural Rules on [Applications for] Licenses for the Import and Export of Commercial Encryption (“Procedural Rules”).
The issuance of these lists and procedural rules marks a key step forward implementing both the commercial encryption import and export framework established under the Encryption Law, which took effect on January 1, 2020, and the export control regime under the new Export Control Law, which took effect on December 1, 2020. (Our previous client alert on the Encryption Law can be found here, and our alert on the Export Control Law can be found here.) The consolidation of previously separate regulatory frameworks under the commercial encryption rules and export control rules could also show a future trend of implementing a more unified system to control the import and export of sensitive data and technologies to and from China.…
On July 2, 2020, the Standing Committee of the National People’s Congress of China (“NPC”) released the draft Data Security Law (“Draft Law”) for public comment. The release of the Draft Law marks a step forward in establishing a regulatory framework for the protection of broadly defined “data security” in China, with a particular focus on the governance of “important data,” defined as “data that, if leaked, may directly affect China’s national security, economic security, social stability, or public health and security.” Many provisions of the Draft Law remain vague and lack guidance on how they might be implemented in practice.
Continue Reading China Issued the Draft Data Security Law
On May 11, 2020, the State Cryptography Administration (“SCA”) and the State Administration for Market Regulation jointly issued the Commercial Encryption Product Certification Catalogue (First Batch) (“Product Catalogue”) and the Commercial Encryption Product Certification Measures (“Certification Measures”) (the announcement is available here), taking effect immediately.
Prior to the adoption of the Encryption Law (see our post on the Encryption Law here), manufacturers of commercial encryption products were required to apply to the SCA for the “Commercial Encryption Products Type and Model Certificate.” The Encryption Law removed this approval requirement by establishing a voluntary certification scheme, which encourages manufacturers to voluntarily apply to qualified agencies for the testing and certification of their commercial encryption products. The release of the Product Catalogue and the Certification Measures marks a critical step forward in implementing such a voluntary certification scheme under the Encryption Law.
Continue Reading China Issued the Commercial Encryption Product Certification Catalogue and Certification
On April 27, 2020, the Cyberspace Administration of China (“CAC”) and other eleven government agencies jointly released the final version of the Measures on Cybersecurity Review (“Measures”) (an official Chinese version of the Measures is available here). These Measures will take effect on June 1, 2020.
Under Article 35 of China’s Cybersecurity Law (“CSL”), operators of Critical Information Infrastructure (“CII”) are required to undergo a security review if the procurement of “network products and services” implicates China’s national security. To implement this requirement, CAC previously released the Measures on the Security Review of Network Products and Services (Trial) (“Trial Measures”) on May 2, 2017, which established a process for CAC to conduct a cybersecurity review in a range of key sectors. On May 24, 2019, CAC released a draft version of the Measures (“Draft Measures”) for public comment (see our post on the Draft Measures here), aiming to update the review process established under the Trial Measures. The final version of the Measures replaces the Trial Measures and largely tracks the framework proposed in the Draft Measures.
Highlights of the final version of the Measures appear below.
Continue Reading China Issues New Measures on Cybersecurity Review of Network Products and Services
Covington experts on issues as varied as supply chain and other commercial contracts, employment, and insurance are supporting companies on the commercial implications of Coronavirus COVID-19. But this blog post provides a brief overview of some of the key issues that privacy and cybersecurity professionals should have top of mind in dealing with response efforts. We describe below both privacy implications of disclosing data to government authorities and commercial partners and strategies to manage COVID-19 risk by collecting additional information about employees and visitors, as well as the cybersecurity implications of these outbreak prevention and management efforts.
- Our professionals around the globe have been advising clients on the privacy risks of disclosing health and other personal data to public health authorities and other government agencies. As we blogged about here, regulators at many different levels of the Chinese government have been actively collecting personal data to monitor and mitigate the spread of the virus, and that’s now happening across the globe. Other public health agencies worldwide are requesting information from private companies to assist with containing or mitigating the spread of the virus. For example, they may seek information about a person’s contacts in order to conduct contract tracing of an infected person. Although public health agencies generally have broad information-gathering authorities, these laws typically do not overcome privacy laws that restrict disclosures of personal or other sensitive information. Companies may need to consider how to mitigate these legal risks before responding, particularly where more detailed information is requested. …
Continue Reading Key COVID-19 Issues for Privacy and Cybersecurity Professionals
In December 2019, the People’s Bank of China (“PBOC”) issued the draft Measures for the Protection of Financial Consumers’ Rights and Interests for public comment (“draft Financial Consumer Measures”) (an official Chinese version is available here). Although the draft Financial Consumer Measures focus more broadly on consumer rights in the financial sectors, they imposes upon financial institutions privacy and cybersecurity obligations that—in certain instances—extend beyond the requirements stipulated in China’s Cybersecurity Law (“CSL”).
Following up on the draft Financial Consumer Measures, PBOC issued the Personal Financial Information Protection Technical Specification (“Financial Information Specification”) on February 13, 2020 setting forth additional privacy and cybersecurity requirements applicable to the life cycle of personal financial information collected and processed by regulated financial entities and other entities that process personal financial information (“Financial Industry Entities”). While the Financial Information Specification follows the general personal information protection principles under the Cybersecurity Law (“CSL”) framework, some specific requirements are worth highlighting, as explained below.
Continue Reading China Releases Personal Financial Information Protection Technical Specification