Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Mark Parsons

Posts by Mark Parsons
Posted in International/EU Privacy

Hong Kong’s Reform of the Personal Data (Privacy) Ordinance (the “PDPO”): Bridging Troubled Waters

On Monday 20 January, the Constitutional and Mainland Affairs Bureau, jointly with the Privacy Commissioner for Personal Data, presented a paper outlining topics for review of the PDPO to the members of the Legislative Council Panel on Constitutional Affairs.  The CMAB and the PCPD are expected to take panel members’ feedback on the PDPO Review Paper and undertake further in-depth study of the issues with a view to making specific proposals for legislative reform in due course.

Posted in International/EU Privacy

The Cathay Pacific Breach: Is Data Protection and Cyber Security Law in Hong Kong About to Receive an Upgrade?

On 6 June, 2019, the Privacy Commissioner for Personal Data issued an enforcement notice against Cathay Pacific Airways (and its affiliate Hong Kong Dragon Airlines) (together, “Cathay Pacific”) in respect of a data breach concerning unauthorized access to the personal data of some 9.4 million Cathay Pacific customers.

Posted in International/EU Privacy

China’s First Data Protection Measures Lifting Its Veils

On May 28, 2019, the Cyberspace Administration of China released the draft Measures on the Administration of Data Security for public consultation. This Data Security Measures will be a great leap forward in China’s current data protection landscape, which mainly consists of scattered provisions contained in various pieces of legislations and standards, such as the Cyber Security Law, the E-Commerce Law, the Consumer Rights Protection Law as well as the Personal Information Security Specification, the most comprehensive yet non-binding national standard with respect to data protection. The Data Security Measures, once officially promulgated, will be the first binding administrative regulation in China to specifically and systematically set out explicit protection for personal data and important data collected and processed through the use of cyber technologies, following the effectiveness of the Cyber Security Law in 2017.

Posted in International/EU Privacy

Busting the Myth: Compliance with the ‘Gold Standard’ of the GDPR Does Not Buy You a ‘Free Pass’ Under China’s New Personal Information Guidelines

On December 29, 2017, the Standardization Administration of China, jointly with the PRC General Administration of Quality Supervision, Inspection and Quarantine, issued the Information Security Technology – Personal Information Security Specification, which officially came into effect on May 1, 2018. The Specification has, in very practical terms, become an important point of reference in evaluating the complex overlay of data protection compliance requirements found in the Cyber Security Law, the Law on the Protection of Consumer Rights and Interests, the e-Commerce Law and other enactments and measures.

Posted in International/EU Privacy

India’s Draft Personal Data Protection Bill, 2018: Charting the “Fourth Way”

India’s Committee of Experts has submitted a draft Data Protection Bill for review by the Ministry of Electronics and Information Technology. The Bill represents an important milestone for India, which has yet to enact comprehensive, principles-based data protection regulation, lagging a trend set in recent years by Singapore, the Philippines and others in the region playing catch up to Hong Kong and Japan, which have both had such regulation in place for years now.

Posted in International/EU Privacy

China’s Revised Draft Data Localisation Measures

On 19 May 2017, the Cyberspace Administration of China released a revised draft of its Security Assessment for Personal Information and Important Data Transmitted Outside of the People’s Republic of China Measures. The draft emerged just over a week after public comments closed on the first draft of the measures. the Second Draft Export Review Measures do, to an extent, relax some of the more stringent requirements stated in the First Draft Export Review Measures and originally due to become law on 1 June, 2017 when China’s Cyber Security Law takes effect. However, the revised draft measures as set out in the Second Draft Export Review Measures still leave a significant compliance challenge for multi-national businesses operating in China . We explore the Second Draft Export Review Measures below.

Posted in International/EU Privacy

“Cybersecurity Review” Takes Shape in China

On 4 February 2017, the Cyberspace Administration of China issued a draft of the Network Products and Services Security Review Measures for public comment: the Draft Measures remain open for comments until 4 March 2017. The Draft Measures are follow-on legislation to China’s Cyber Security Law adopted on 7 November 2016, which will take effect from 1 June 2017.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

China Passes Controversial Cyber Security Law

China’s Cyber Security Law, which will take effect from 1 June, 2017 was adopted on 7 November. The third draft of the law adopted by the Standing Committee of the National People’s Congress, China’s highest legislative authority, contained few changes from the second draft put forward for comment in July, 2016. The net result is continued controversy coupled with a dose of uncertainty (never a good combination), with multi-national businesses in particular questioning the intent of the law and criticising its vagueness. The final draft contains a number of broadly-framed defined terms that are critical to its interpretation which continue to leave much to be resolved through detailed measures that may or may not follow, as a lack of clarity leaves room for interpretation. All in all, the direction of travel is towards a much more heavily regulated Chinese internet and technology sector, with an open question as to whether China’s cyber space will be integrated with the rest of the world in the coming years or will plough its own virtual furrow.

Posted in Cybersecurity & Data Breaches

Cybersecurity Regulation in Asia: The Tightening Lines of Defense

In September, we proudly launched our online client cybersecurity resource portal: Ready, Set, Respond. The portal was designed by our cross-practice team of global practitioners to provide in-house counsel with the tools they need to not only prepare for the inevitable cybersecurity incident, but quickly and easily stay up to date on the evolving state of cybersecurity regulation around the world. Today, we’re taking a closer look at the Asia region with our partner Mark Parsons. Visit Ready, Set, Respond for more information or to take advantage of the tools and data available there.

Posted in International/EU Privacy

Philippines Finalizes Data Privacy Act Implementing Rules

The Philippines’ first comprehensive data protection law, the Data Privacy Act of 2012, took effect on 8 September 2012. The Act mandated the creation of a National Privacy Commission to implement, enforce and monitor compliance with the Act, with one of its duties to promulgate rules and regulations to effectively implement the provisions of the Act. It was not until March 2016 that the NPC was officially formed, and soon after issued draft implementing rules and regulations of the Act. Following a period of public consultation, the implementing rules and regulations were finalised and formally promulgated on 24 August 2016 and will come into effect today, 9 September 2016.

Posted in International/EU Privacy

Hong Kong Privacy Regulator Issues 2015 Report, Outlines 2016 Focus

On 26 January, Hong Kong’s Privacy Commissioner for Personal Data published his annual report on 2015 complaints and enforcement activity under the Personal Data Privacy Ordinance. The report reveals that 871,000 Hong Kong individuals were affected by data breaches in 2015, compared with 47,000 in 2014. The report is noteworthy that the number of reported breaches continues to increase at a rapid pace notwithstanding the fact that Hong Kong’s data breach notification regime is at the moment a voluntary one. The report is also notable for setting out the Commissioner’s statement of priorities for 2016.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

China Proposes New Cybersecurity Rules for Insurance Industry

On 9 October 2015, the China Insurance Regulatory Commission issued draft Supervisory Rules for Adoption of Information Technology by Insurance Institutions for public comment. The Draft Insurance IT Rules have been issued to replace the 2009 Guidance on Administration of Adoption of Information Technology by Insurance Companies and they build on the requirements set forth in the 2011 Guidelines on the Information System Security Management of Insurance Companies.

Posted in International/EU Privacy

Hong Kong Privacy Commissioner for Personal Data Issues Guidance on the Use of Drones

On 29 March, the Hong Kong Privacy Commissioner for Personal Data published a guidance note that supplements previous guidance on the use of closed circuit television systems and for the first time addresses the increasing use of unmanned aircraft systems. The Commissioner’s guidance is the first significant regulatory engagement on the use of UAS by a Hong Kong regulator.

Posted in International/EU Privacy

2015: The Turning Point for Data Privacy Regulation in Asia?

2014 was a very eventful year for data privacy regulation in Asia and there are reasons to believe that 2015 will represent a turning point for the region as established privacy regimes are toughened and new regimes enacted in recent years begin to mature. The past year saw a number of significant regulatory developments, in particular the implementation of new, comprehensive “European-style” privacy laws in Singapore and Malaysia, the amendment of China’s consumer protection law to include data privacy principles and increased financial penalties in South Korea.

Posted in International/EU Privacy

The Compliance Challenges That Can No Longer Be Ignored

Although Asia’s data privacy laws draw from a common set of guiding principles, each law is unique. Moreover, as freshly minted regulators come to grips with these new laws, differences in interpretation and underlying policy are becoming apparent. As a consequence, there is now a ‘patchwork’ of compliance requirements across the region. Depending on the country, sector specific laws, consumer protection laws, employment laws and laws in emerging areas such as cybersecurity, also complicate the compliance picture for Asia, and there is no common framework for any of these laws.

Posted in International/EU Privacy

Privacy Complaints Up 48% in Hong Kong in 2013: Are Businesses Prepared?

The privacy enforcement in Hong Kong under its data protection law, the Personal Data (Privacy) Ordinance, ramped up significantly last year. Hong Kong’s Privacy Commissioner for Personal Data received 1,792 complaints in 2013, a record high. The figures show a 48% increase in complaints filed and more than a doubling of the number of enforcement notices issued by the Commissioner, with 25 enforcement notices issued in 2013 against 11 in 2012. 78% of all complaints were made against the private sector and in particular the financial, telecommunications and property sectors. The Commissioner has confirmed that a key focus for 2014 will be to increase its enforcement efforts.