Photo of Yan Luo

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan's work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named as Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Contact:Read more about Yan LuoEmail

When China’s new Cybersecurity Law takes effect on June 1, 2017, China will become another important jurisdiction to watch in the international data transfer space.

Before the new Cybersecurity  Law officially was promulgated on November 7, 2016, cross-border data transfer of data from China was largely unregulated by the government.  While many Chinese laws and regulations governed the collection, use and storage (including localization) of data, no binding laws or regulations contained generally applicable legal requirements or constraints on the transfer of data across Chinese borders.
Continue Reading Cross-Border Data Transfer: A China Perspective

In our previous post, we discussed seven draft cybersecurity and data protection national standards released by China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), on December 21, 2016.

Information Security Technology – Personal Information Security Specification” (“the Standard”) is the most significant standard being proposed.  Although not legally binding and lacking the force of law, such a national standard, drafted by CAC, is likely to serve as a reference point for CAC and other regulators to judge corporate data protection practices in China.  It may also reflect the direction in which China’s data protection regime is evolving.

In this post, we discuss the background of this draft Standard, its structure, and the general principles it proposes.  In a follow-up post, we will discuss key requirements for data controllers and data processors, as well as rights and protections for data subjects.
Continue Reading China’s New Draft National Standards on Personal Information Protection

China’s top internet regulator, the Cyberspace Administration of China (“CAC”), continues to show interest in setting more stringent rules governing the protection of minors in the context of online activities and data privacy. Immediately prior to the October holiday, CAC released for public comment new draft regulations aimed at protecting minors on the Internet, the Regulations on the Protection of Minors in Cyberspace (“Draft Regulations”), which contain significant provisions addressing minors’ data privacy. Note that the scope of this new regulation is broader than the US’s Children’s Online Privacy Protection Act (“COPPA”), which focuses primarily on children’s privacy issues.
Continue Reading China Issues Draft Regulations on Protecting Minors in Cyberspace

On December 27, 2015, the Standing Committee of the National People’s Congress (NPC), China’s top legislative body, enacted a Counter-Terrorism Law (see the Chinese version here, and an unofficial English translation here), which took effect on January 1, 2016.  The adoption of this law, a year after the first draft was released for public comment, followed closely the adoption of a new National Security Law and a draft Network Security Law.

The Counter-Terrorism Law reinforces the government’s broad powers to investigate and prevent incidents of terrorism and requires citizens and companies to assist and cooperate with the government in such matters.  The law imposes additional and specific obligations on companies in certain sectors, including those providing telecommunications, Internet, and financial services.  Non-compliance or non-cooperation can lead to significant penalties, including fines on companies and criminal charges or detention for responsible individuals. In some respects, the new law provides greater, higher-level legal authority to pre-existing regulations and practice. In others, it imposes new obligations or makes existing obligations more specific (e.g., penalties).

The law’s broadly-worded requirements create some uncertainty as to their implications for companies’ data protection and security policies.
Continue Reading China Enacts New Counter-Terrorism Law

Close on the heels of a sweeping new National Security Law, the Standing Committee of the National People’s Congress released last month for public comment a very significant draft Network Security Law (“Draft Law”), also referred to as the draft Cybersecurity Law.

Since it came into power in 2012, China’s current leadership has attached an unprecedented level of attention to network security, which it sees as a core aspect of national security. Marking the establishment of a new Central Leading Group for Cyberspace Affairs in 2014 that he himself would lead, President Xi Jinping declared that “network security and informatization are key strategic issues related to national security and development,” and that “national security no longer exists without network security.” President Xi went on, in those remarks, to call for the development of a legal infrastructure for the administration of cyberspace, with particular emphasis on the protection of “critical information infrastructure” (see further discussion below). The resolution of the Fourth Plenum of the Central Committee of the Chinese Communist Party in October 2014 echoed this theme.

The focus on network security appears to stem from the explosive development and extensive usage of network and information technologies, made more pressing by Edward Snowden’s disclosures in 2013 regarding activities of the US National Security Agency (NSA). Since the Snowden leaks, it has been repeatedly reported that the Chinese government is working actively to wean government networks and financial systems off of IT products and services from foreign companies. The Draft Law is the government’s latest effort to consolidate existing security-related requirements and grant government agencies more security-related powers. On its face, the Draft Law does not discriminate against foreign products and services. However, designed to “safeguard cyberspace sovereignty and national security,” it could be implemented to become an additional hurdle for foreign companies seeking to access China’s vast market if and when it comes into effect.
Continue Reading China Issues Draft Network Security Law