Privacy & Information Security Law Blog

On August 24, 2023, 12 data protection authorities published a joint statement calling for the protection of personal data from unlawful data scraping. The statement was issued by the authorities of Argentina, Australia, Canada, Colombia, Hong Kong, Jersey, Mexico, Morocco, New Zealand, Norway, Switzerland and the UK. The joint statement reminds organizations that personal data that is publicly accessible is still subject to data protection and privacy laws in most jurisdictions, and highlights the risks facing such data, including increased risk of social engineering or phishing attacks, identify fraud, and unwanted direct marketing or spam.

On November 14, 2021, the Cyberspace Administration of China (“CAC”) released for public comment its draft Regulations on Network Data Security Management (the “Draft Regulations”). The Draft Regulations are intended to implement portions of three existing laws – the Cybersecurity Law (“CSL”), the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”) (together, the “Three Laws”) – by providing guidance on certain provisions and establishing specific requirements for implementing certain principles contemplated in the Three Laws. In addition, the Draft Regulations add new requirements related to data processing activities. Once effective, the Draft Regulations will impose even greater compliance obligations on companies than the PIPL.

On March 17, 2020, the Executive Committee of the Global Privacy Assembly (“GPA”) issued a statement giving their support to the sharing of personal data by organizations and governments for the purposes of fighting the spread of the COVID-19 pandemic. The GPA brings together data protection regulators from over 80 countries and its membership currently consists of more than 130 data protection regulators around the world, including the UK Information Commissioner’s Office, the U.S. Federal Trade Commission, and the data protection regulators for all EU Member States.

On March 5, 2019, the Global Privacy Enforcement Network (“GPEN”), a global network of more than 60 data protection authorities (“DPAs”) around the world, published the results of its 2018 intelligence gathering operation on organizations’ data privacy accountability practices (the “Sweep”). On the same date, some participating DPAs released the results of the Sweep exercise carried out in their respective jurisdiction.

Last week, at the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong, data protection authorities from around the world issued non-binding guidance on the processing of personal data collected by connected cars (the “Guidance”). Noting the ubiquity of connected cars and the rapidity of the industry’s evolution, the officials voiced their collective concern about potential risks to consumers’ data privacy and security. The Guidance identifies as its main concern the lack of available information, user choice, data control and valid consent mechanisms for consumers to control the access to and use of their vehicle and driving-related data. Building on existing international guidelines and resolutions, the Guidance urges the automobile industry to follow privacy by design principles “at every stage of the creation and development of new devices or services.”

Last week, the Centre for Information Policy Leadership (“CIPL”) and several privacy team members at Hunton & Williams LLP attended the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong (the “Conference”). The weeklong event hosted by Stephen Kai-yi Wong, Privacy Commissioner for Personal Data, Hong Kong was attended by over 3000 privacy professionals from data protection authorities (“DPAs”), industry and research sectors. CIPL hosted two events at the conference, as well as a joint roundtable with Hunton & Williams and Citibank, throughout the week.

On October 20, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP hosted a side workshop at the International Conference of Data Protection & Privacy Commissioners focused on transparency and risk assessment, entitled “The Role of Risk Assessment and Transparency in Enabling Organizational Accountability in the Digital Economy.” The workshop was led by Bojana Bellamy, CIPL’s President, and featured contributions from many leaders in the field, including the UK ICO, Belgium and Hong Kong’s Privacy Commissioners, and counsel and privacy officers from several multinational companies.

On June 11 and 12, 2015, Asia Pacific Privacy Authority (“APPA”) members, invited observers and guest speakers from the government, private sector, academia and civil society, met in Hong Kong to discuss privacy law and policy issues at the 43rd APPA Forum. At the end of the open session on day two, APPA issued its customary communiqué, setting forth the highlights of the discussions of the open and closed sessions. The Hong Kong Privacy Commissioner, who hosted the APPA meeting, also hosted a conference on big data and privacy on June 10.

On April 14, 2015, the American Chamber of Commerce in China (“AmCham”) published a report, entitled Protecting Data Flows in the US-China Bilateral Investment Treaty (the “Report”). The Report is part of AmCham’s Policy Spotlight Series. While in principle addressed to the U.S. and Chinese teams that are currently negotiating the Bilateral Investment Treaty, the Report has been made public. It thereby provides insight into the emerging issue of data localization for the benefit of a much wider audience.

On December 29, 2014, the Hong Kong Office of the Privacy Commissioner for Personal Data published guidance (the “Guidance Note”) on the protection of personal data in cross-border data transfers. The Guidance Note was released in light of the Privacy Commissioner’s intention to elaborate on the legal restrictions governing cross-border data transfers in Hong Kong, though these have not yet gone into effect.

On July 22-23, 2013, the APEC E-Commerce Business Alliance and the China International Electronic Commerce Center, a subsidiary organization of the Ministry of Commerce of the People’s Republic of China, held a seminar in Beijing entitled Workshop on the Online Data Privacy Protection in APEC Region. In addition to delegates from Mainland China, representatives from numerous other jurisdictions were in attendance, including the United States, the United Kingdom, Malaysia, Vietnam, South Korea, Hong Kong and Taiwan.

On June 27, 2012, the Hong Kong Legislative Council passed a bill to amend the Personal Data (Privacy) Ordinance (the “Ordinance”). The amendment will become effective in phases. Most provisions will become effective on October 21, 2012, and the others will take effect on a day to be announced by publication in the Hong Kong Government Gazette.

Since October 2011, the Hong Kong Office of the Privacy Commissioner for Personal Data has published three “Guidance Notes” to help data users comply with the Personal Data (Privacy) Ordinance (the “Ordinance”). These Notes are not legally binding, nor are they intended to serve as an exhaustive guide to the application of the Ordinance, but they provide good, practical examples and tips that the Commissioner has developed as it has implemented the Ordinance.

On July 13, 2011, Hong Kong’s Personal Data (Privacy) (Amendment) Bill 2011 (the “Bill”), was introduced in the Legislative Council. Although the Bill has not yet been subject to an official vote, there have been several noteworthy developments.

The Hong Kong Privacy Commissioner has issued a document soliciting comments regarding a proposal to require a wide range of data users to submit information about their activities to the Office of the Privacy Commissioner for Personal Data.  The proposal would be carried out pursuant to the Hong Kong Privacy Ordinance, which authorizes the Privacy Commissioner to require certain data users to submit data user returns.  Under the Ordinance, a “data user return” is a form certain data users must submit to the Privacy Commissioner for purposes of maintaining a data user registration database.  A “data user” is defined as “a person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of [personal] data” (emphasis added).

On July 28, 2009,  the Data Privacy Subgroup meeting at the Asia-Pacific Economic Cooperation (APEC) Forum in Singapore reported a number of privacy-related legislative developments on the horizon.  Among the highlights:

• On July 15, the Malaysian Cabinet approved privacy legislation to be enacted by the Parliament in early 2010 
• Vietnam is set to enact consumer protection legislation including privacy provisions in 2010 
• Hong Kong's Privacy Commissioner will soon begin a review process to evaluate how privacy law has kept up with changing technology
• The Philippines is set to enact ...