On August 31, 2022, one day before the Measures for Security Assessment of Cross-border Data Transfer (“Measures”) were scheduled to take effect, the Cyberspace Administration of China (“CAC”) released a first edition of its guidance on how organizations should complete the security assessment application (“CAC Guidance”). Covington’s previous posts on the Measures can be found here.

Continue Reading China Releases Guidance on Cross-border Data Transfer Security Assessment Application

On Episode 19 of Covington’s Inside Privacy Audiocast, Dan Cooper and Yan Luo discuss the key provisions of China’s draft SCCs, compare the draft legislation with the GDPR, and talk through actions that companies should be considering in order to comply with the new cross-border data requirements.

This audiocast episode is repurposed from a

In addition to the two developments we reported on in our last blog post, on July 7, 2022, the long-awaited final version of the Measures for Security Assessment of Cross-border Data Transfer (《数据出境安全评估办法》, “Measures”) was released by the Cyberspace Administration of China (“CAC”).  With a very tight implementation schedule, the Measures will take effect on September 1, 2022.  The full text of the Measures can be found here (currently available only in Mandarin Chinese).

In this blog, we highlight a few key takeaways from the final Measures.

Continue Reading China Releases Measures for a Security Assessment of Cross-Border Data Transfers To Take Effect in September 2022

More than seven months after China’s Personal Information Protection Law (《个人信息保护法》, “PIPL”) went into effect, Chinese regulators have issued several new (draft) rules over the past few days to implement the cross-border data transfer requirements of the PIPL.  In particular, Article 38 of the PIPL sets out three legal mechanisms for lawful transfers of personal information outside of China, namely: (i) successful completion of a government-led security assessment, (ii) obtaining certification under a government-authorized certification scheme, or (iii) implementing a standard contract with the party(-ies) outside of China receiving the data.  The most recent developments in relation to these mechanisms concern the standard contract and certification.

Continue Reading Cross-Border Data Transfer Developments in China

On Episode 16 of Covington’s Inside Privacy Audiocast, Dan Cooper, Yan Luo and Zhijing Yu discuss the implications of China’s Personal Information Protection Law (PIPL) for companies with data or doing business in China. The law, which entered into force on November 1, is the first comprehensive personal information protection law in China and

On Aug. 20, 2021, the Standing Committee of China’s National People’s Congress promulgated China’s Personal Information Protection Law, which will take effect Nov. 1, 2021. Serving as China’s first comprehensive law in the personal information protection area and based on China’s Constitution, the PIPL aims to “protect the rights and interests of individuals,” “regulate personal information processing activities,” and “facilitate reasonable use of personal information” (Article 1).
Continue Reading Analyzing China’s PIPL and How It Compares to the EU’s GDPR

On July 2 and July 5, 2021, China’s Cybersecurity Review Office (“CRO”), an office established under the Cyberspace Administration of China (“CAC”) responsible for coordinating the implementation of China’s Cybersecurity Review framework (more details about this framework can be found in our previous blogpost, available here), announced that it had initiated cybersecurity reviews against four mobile applications operated by three Chinese companies:  Didi Chuxing (“Didi”), Yunmanman, Huochebang and BOSS Zhipin (announcements are available here and here).

According to CRO’s announcements, these cybersecurity reviews were initiated based on requirements under the National Security Law (“NSL”), the Cybersecurity Law (“CSL”) and the Measures on Cybersecurity Review (“Measures”) and are aimed at “preventing national data security risks, maintaining national security and safeguarding public interests.”  This is the first time that CRO has publicly announced the initiation of cybersecurity reviews against companies since the Measures took effect on June 1, 2020.  Per the announcements, these apps are prohibited from registering new user accounts during the review period.

Separately, on July 4, CAC ordered the Didi app to be removed from Chinese app stores on the ground that the app seriously violated Chinese laws and regulations by “illegally collecting and using personal information” (the announcement is available here).  It is unclear whether this “take down” order is related to CRO’s ongoing cybersecurity review of Didi.

This post explains the requirements and procedures of cybersecurity review under the Measures, analyzes the focus of the current review against these three companies, and provides more background on recent enforcement actions against apps illegally collecting and processing personal information.
Continue Reading China Initiates Cybersecurity Review of Didi ChuXing and Three Other Chinese Mobile Applications

On June 10, 2021, the Standing Committee of China’s National People’s Congress (“NPC”) enacted the Data Security Law (“DSL”), which will take effect on September 1, 2021 (the official Chinese version is available here and Covington’s unofficial English translation is available here). This law creates a framework for the protection of broadly defined “data security” from a national security perspective.
Continue Reading China Enacts Data Security Law

On Episode 14 of Covington’s Inside Privacy Audiocast, Dan Cooper and Yan Luo discuss recent privacy developments in China, in particular as they relate to China’s draft Data Security Law.

Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.

In Part 1 of this blog series (see here), we discussed recent data protection developments in China’s e-commerce sector.  In this post, we discuss recently issued rules aimed at improving data governance in China’s financial sector that could also have data protection implications.  These rules can be categorized as falling into two groups: the first group focuses on general data governance requirements applicable to all financial institutions, and the second group regulates specific types of financial services.

These new rules were published by the China Banking and Insurance Regulatory Commission (“CBIRC”) and People’s Bank of China (“PBOC”) during the first quarter of 2021, and include:

  • Guidelines for Data Capacity-Building in the Financial Industry (“Guidelines”) (official Chinese version available here);
  • Financial Data Security – Data Life Cycle Security Standard (“Standard”) (official Chinese version available here); and
  • Draft Credit Reporting Management Measures (“Draft Measures”) (official Chinese version available here).

Both the Guidelines and Standard provide detailed criteria for financial institutions on the proper collection, use and protection of “financial data,” while the Draft Measures introduce data-related requirements for licensed credit reporting agencies.  All of these new rules include data security requirements for both personal and non-personal data.

Continue Reading Privacy Updates from China: Proliferation of Sector-Specific Rules As Key Legislation Remains Pending – Part 2: Data Protection in the Financial Sector