Scott Warren

CPW’s Scott Warren will be providing a keynote discussion on the Challenges in Handling a Multi-Jurisdictional Data Breach from 12:45 to 1:15 pm EST at the virtual Cyber Security ConfEx on Thursday, December 16th.  In addition, from 2-4 pm EST, Kristin Bryan will be providing her perspective on data privacy and cybersecurity litigation trends as

Handling digital evidence in Asia has gotten increasingly complicated over the years.  In this podcast with FTI, CPW’s Scott Warren covers this topic from a historical perspective, looking at practical, technical, logistical and legal challenges over the last 20 years.  In addition, he covers current developments and provides suggestions on how to handle

As reported in our recent post, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China passed the Personal Information Protection Law (the “PIPL”). The implementation date is set for November 1, 2021, though we await some additional detail via promulgation orders on a number of important provisions, as set forth below, from the regulatory authorities.
Continue Reading New PRC Personal Information Protection Law Passed: A Deeper Dive into the Provisions

After three rounds of revisions, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China officially passed the Personal Information Protection Law (the “PIPL”).

  • Fundamental Principle. The fundamental principle under the PIPL is that the collection and processing of PI should be limited to the minimum level necessary to fulfill the specific purpose of the PI processing: the so-called “as minimum and as necessary” principle. PI processing beyond the level of minimum and necessity may be found to be a violation of the PIPL, even if individual consent is obtained or other formalities are fulfilled. PI processing and compliance programs should always be set up with the fundamental principles in mind.

Continue Reading NEW: China’s Personal Information Protection Law

In the midst of revising the Japan Civil Code and the foreign attorney laws, Japan has recently passed amendments to its data privacy law, the Act on the Protection of Personal Information (“APPI”).  Some of these changes put Japan’s law closer in line with the EU’s General Data Protection Regulation (“GDPR”); Japan and the EU have each recognized the adequacy of the other’s data privacy regime.  As a result, transfers of personal information from Japan to all third countries will be subject to stricter controls when the amendments become fully enforceable, which is expected to occur in 2022.
Continue Reading New Amendments Passed to Japan’s Data Privacy Law

I was recently helping a client in Tokyo respond to a serious and sophisticated cyber breach where hackers executed a transfer of nearly US$1M out of the client’s Hong Kong bank account. In this instance, the hackers had hacked into the CEO’s cloud-based corporate e-mail account and had determined a way to create a transaction that his intermediary company believed to be genuine. The hackers sat on top of the e-mail to intercept any queries and assure colleagues that this was an authorized transfer. The transaction was made on a Friday, in the hopes that it would not be noticed until the following week. Indeed, our client only realized that the transaction had happened on the following Monday, when he received by mail hard copies of the transfer documents from his intermediaries.

In these types of situations, it is essential to act quickly and to focus on the efforts most likely to bear fruit. But what to do when every second that passes makes it more likely that the funds have been transferred to other accounts in other jurisdictions?

Here are some critical things to consider, with many of these actions needing to occur concurrently:
Continue Reading Executive Hacks and What To Do

The European Commission announced on 23 January 2019 that it has adopted an adequacy decision on Japan (its press release can be found here).[1] This is a result of the assessment process which began on 5 September 2018, the background of which can be found in our previous blog here.

Japan’s data protection authority, the Personal Information Protection Commission (PPC), has also adopted its equivalent decision on Japanese personal data flows to the EU. This mutual recognition allows the safe free flow of personal data between the two territories, creating the world’s largest arena of secure data flows.
Continue Reading European Commission Adopts Adequacy Decision on Japan

To any good lawyer, the answer is ‘both’ are important.  However, most in-house counsel know the answer is which receives the limited available budget.  Compliance budgets usually follow the greatest risks for the company.  Therefore, in Europe, where the EU’s General Data Protection Regulation is the scariest new compliance issue, it stands to reason that data privacy will take a larger portion of the budget than cybersecurity.  However, in the US, where the penalties for poor cybersecurity can be huge (from governmental penalties, to class action and shareholder derivative lawsuits), I believe it is generally the opposite. 
Continue Reading Data Privacy or Cybersecurity: Which is More Important?

What’s New?

On 5 September 2018, the EU Commission commenced proceedings to adopt an Adequacy Decision in relation to Japan’s protection of personal data by issuing a draft ‘Commission Implementing Decision’. This is an important step towards the culmination of discussions between the EU and Japan that were initiated in January 2017, with the aim of permitting the free flow of personal data between the parties. These discussions were part of the broader free trade negotiations between Japan and the EU, which concluded with a successful agreement on 17 July 2018. 
Continue Reading Procedure Launched for Japan and the European Union to Become the World’s Largest Area of Safe Data Transfers