Based on the official statistics, during 2024, the CAC interviewed 11,159 website platforms, imposed warnings or fines on 4,046 website platforms, ordered 585 websites to suspend or update relevant functions, took down 200 Apps and took administrative actions on 40 mini-programs. The CAC also conducted joint enforcement actions together with the Ministry of Industry and Information Technology and revoked the licenses or shut down 10,946 websites and closed 107,802 accounts.

The following violations are of particular concern to these enforcement activities:

• Failure to maintain relevant network logs as required by law or to promptly address security risks (such as system vulnerabilities), resulting in illegal and regulatory issues such as system attacks, tampering, and data leaks;
  
• Failure to clearly display privacy notices in Apps, obtain necessary consent to process personal data, or provide convenient methods to opt out or de-register accounts;
  
• Failure to conduct required recordal or filing for AI models or features built into Apps or mini-apps; and
  
• Unreasonably requiring consumers to scan QR codes or perform facial recognition that is not necessary to provide the underlying services.

Around the same time, the National Computer Virus Emergency Response Center, which is an institution responsible for detecting and handling computer virus outbreaks and cyber attacks under the supervision of the Ministry of Public Security, published a list Apps that violated the personal data protection laws in the following areas:

• Failure to provide data subjects with all the required information about the processing (e.g. name and contact details of the controller, categories of personal data processed, purposes of the processing, retention period, etc.) in a prominent place and in clear and understandable language; in particular, failure to provide such information about any third party SDK or plugin is also considered a breach of the law;
  
• Failure to provide data subjects with the required details about any separate controller (e.g. name, contact information, categories of personal data processed, processing purposes, etc.) or to obtain the separate consent of data subjects before sharing their personal data with the separate controller;
• Failure to obtain the separate consent of data subjects before processing their sensitive personal data;
  
• Failure to provide users with the App functions to delete personal data or de-register accounts, or to complete the deletion or deregistration within 15 business days; or setting unreasonable conditions for users to de-register accounts;
  
• Failure to formulate special rules for processing the personal data of minors (under the age of 14) or to obtain parental consent before processing the personal data of minors; and
  
• Failure to take appropriate encryption, de-identification and other security measures, taking into account the nature of the processing and its impact on the rights and interests of data subjects.

The above enforcement focuses are also consistent with the audit points highlighted in the newly released personal data protection audit rules (see our article here). We expect the same enforcement trend to continue into 2025. Companies that process personal data in China or in connection with business in China are advised to review their compliance status with the requirements of Chinese law and take remedial action in a timely manner.

DBN Guideline

When must a personal data breach be notified to the regulator and affected data subjects?

A data controller must notify a personal data breach to both the Commissioner andaffected data subjects if it causes or is likely to cause “significant harm”, which includes a risk for any of the following:

• physical harm, financial loss, a negative effect on credit records, or damage to or loss of property;
• misuse of personal data for illegal purposes;
• compromise of sensitive personal data;
• combination of personal data with other personal information that could potentially enable identity fraud; or
• (for the purpose of notification to the Commissioner only) a breach of “significant scale”, i.e. involving more than 1,000 affected data subjects.

What is the timeframe to make data breach notifications?

The timeframe for notifications is as follows:

• Notification to the Commissioner: as soon as practicable and within 72 hours from the occurrence of the breach. If notificationfails to be made to the Commissioner within 72 hours, a written notice detailing the reasons for the delay and providing supporting evidence must be submitted; and
• Notification to affected data subjects: without unnecessary delay and within seven days of notifying the Commissioner.

What are the other key obligations related to personal data breaches?

A data controller should:

• DPA:  contractually obligate its data processor to promptly notify it of a data breach and to provide it with all reasonable and necessary assistance to meet its data breach notification obligations;
• Management and response plans: put in place adequate data breach management and response plans;
• Training: conduct periodic training as well as awareness and simulation exercises to prepare its employees for responding to personal data breaches;
• Breach assessment and containment: act promptly as soon as it becomes aware of any personal data breach to assess, contain, and reduce the potential impact of the data breach, including taking certain containment actions (such as isolating compromised systems) and identifying certain details about the data breach in its investigation; and
• Record-keeping: maintain a register of the personal data breach for at least two years to document the prescribed information about the data breach.

DPO Guideline

Who are required to appoint DPOs?

An organisation, in the role of either a data controller or a data processor, is required to appoint a DPO if its processing of personal data involves:

• personal data of more than 20,000 data subjects;
• sensitive personal data including financial information of more than 10,000 data subjects; or
• activities that require “regular and systematic monitoring” of personal data.

Who can be appointed as DPOs?

DPOs may be appointed from among existing employees or through outsourcing services based on a service contract. They must:

• Expertise: demonstrate a sound level of prescribed skills, qualities and expertise;
• Language: be proficient in both Malay and English languages; and
• Residency: be either resident in Malaysia or easily contactable via any means.

What are the other key obligations related to DPO appointments?

A data controller required to appoint a DPO should:

• Notification: notify the Commissioner of the appointed DPO and their business contact information within 21 days of the DPO appointment;
• Publication: publish the business contact information of its DPO through:

• its website and other official media;
• its personal data protection notices; or
• its security policies and guidelines; and
• Record-keeping: maintain records of the appointed DPO to demonstrate compliance.

A data processor required to appoint a DPO should comply with the publication and record-keeping obligations above in relation to its DPO.

Next Steps The new guidelines represent a significant step in the implementation of the newly introduced data breach notification and DPO appointment requirements. All organisations subject to the PDPA, whether data controllers or processors, should carefully review the guidelines and take steps to ensure compliance by 1 June 2025. This includes updating relevant internal policies (such as data breach response plans and record-keeping and training policies) and contracts with data processors to align with the guidelines. Additionally, organisations should assess whether a DPO appointment is necessary and, if so, be prepared to complete the appointment and notification processes and update their privacy notices, websites and other media to include DPO information.

The Measures outline the requirements and procedures for both self-initiated and regulator-requested compliance audits.

(Interestingly, they also clarify some other PIPL obligations, such as the data volume threshold for appointing a DPO as well as the necessity of separate consent for some processing activities.)

Who must conduct data protection compliance audits, and when?

The Measures require a data controller processing personal data of more than 10 million individuals to conduct a self-initiatedcompliance audit of its personal data processing activities (“Self-Initiated Audits“) at least once every two years. 

Data controllers below this volume threshold should still conduct Self-Initiated Audits on a regular basis as is already prescribed under the PIPL, as a matter of good governance.

In addition, the CAC or other data regulators may instruct any data controller to conduct an audit (“Regulator-Requested Audits“):

1. when personal data processing activities are found to involve significant risks, including serious impact on individuals’ rights and interests or a serious lack of security measures;
   
2. when processing activities may infringe upon the rights and interests of a large number of individuals; or
   
3. following a data security incident involving the leakage, tampering, loss, or damage of personal information of one million or more individuals, or sensitive personal information of 100,000 or more individuals.

The audit report for Regulator-Requested Audits must be submitted to the regulator. The regulator may request data controllers to undertake rectification steps, and a subsequent rectification report must be provided to the regulator within 15 business days of competing the rectification steps.

Data controllers may, if they wish or when requested by the regulator, engage an accredited third party to conduct the audit (but the third party and its affiliates must not conduct more than three such audits in total for the same organisation).  

DPOs of data controllers processing personal data of more than one million individuals are responsible for overseeing the audit activities.

Key elements to be audited

The Measures outline a detailed set of key elements to be audited, which offer valuable insights into the detailed compliance steps expected from controllers for compliance with PIPL obligations, and will help organisations to scope their audits. Unsurprisingly, these elements cover every facet of PIPL compliance, spanning the whole data lifecycle. They include: lawful bases, notice and consent, joint controllership, sharing or disclosing personal data, cross-border data transfers, automated decision-making, image collection/identification equipment, processing publicly available personal data, processing sensitive personal data, retention and deletion, data subject right requests, internal data governance, data incident response, privacy training, Important Platform Providers’ platform rules and CSR reports, etc.

On 3 January 2025, the Cyberspace Administration of China (“CAC“) released for public consultation the draft Measures for Certification of Personal Information Protection for Cross-Border Transfer of Personal Information (“Draft Measures“). This regulation represents the final piece in the CAC’s regulatory framework for the three routes to legitimize cross-border transfers of personal data outside of China (“CBDTs“).

To recap, Chinese law requires data controllers to take one of the following three routes to legitimize CBDTs, unless they qualify for specific exemptions under the Provisions on Promoting and Regulating Cross-Border Data Flows (click here for our summary, “Provisions“) or local rules:

• CAC security assessment;
• Standard Contractual Clauses (“SCCs“) filing; or
• CAC-accredited certification.

If enacted, the Draft Measures will provide significant clarity regarding the certification route, offering data controllers both within and outside of China a viable option for compliance of CBDTs. Below is a practical guide to the key provisions of the Draft Measures, along with our recommendations for data controllers engaged in CBDTs in light of this new regulation.

Who can utilise the certification route?

Data controllers in China: In alignment with the conditions outlined in the Provisions, the Draft Measures reiterate that a data controller in China may pursue the certification route if:

• the data controller is not a critical information infrastructure operator (“CIIO“);
• no important data is transferred outside of China; and
• it has cumulatively transferred non-sensitive personal data of 100,000-1,000,000 individuals or sensitive personal data of less than 10,000 individuals outside of China since the beginning of the year.

It is worth noting that these conditions are the same as those for taking the SCCs filing route, making the certification route an effective alternative to the SCCs filing route for data controllers in China.

Overseas data controllers: The certification route is also available to data controllers outside of China that fall under the extraterritorial jurisdiction of the Personal Information Protection Law (“PIPL“), i.e. those processing personal data of residents in China to provide products or services to them or analyze or evaluate their behavior.

The Draft Measures do not specify the volume threshold or other conditions for overseas data controllers to take the certification route. It remains to be clarified whether overseas data controllers with a limited scope of CBDTs (e.g. those not reaching the volume threshold for data controllers in China as outlined above) can be exempted from obtaining certification or following the other legitimizing routes.

From which certification bodies can a data controller obtain the certification?

Certification bodies that have received approval from the State Administration for Market Regulation (“SAMR“) and have completed a filing process with the CAC are qualified to issue the CBDT certification.

What are the evaluation criteria for the certification?

The evaluation for the certification will focus on the following aspects:

• the legality, legitimacy and necessity of the purposes, scope and methods of the CBDT;
• the impact of the personal data protection laws and policies and network and data security environment of the country/region where the overseas data controller/recipient is located on the security of the transferred personal data;
• whether the overseas data controller/recipient’s level of personal data protection meets the requirements under Chinese laws, regulations and mandatory national standards;
• whether the legally binding agreement between the data controller and the overseas data recipient imposes obligations for personal data protection;
• whether the organizational structure, management system, and technical measures of the data controller and the overseas data recipient can adequately and effectively ensure data security and protect individuals’ rights and interests regarding their personal data; and
• other aspects deemed necessary by certification bodies according to relevant standards for personal information protection certification.

Are there special requirements for overseas data controllers pursuing certification?

Yes. An overseas data controller governed by the PIPL seeking certification must submit the application with the assistance of its dedicated institution or designated representative located in China (the presence of which is a requirement under the PIPL).

The Draft Measures also make it clear that overseas data controllers must, like data controllers in China, assume legal responsibilities associated with certification processes, undertake to comply with relevant Chinese data protection laws and regulations, and be subject to the supervision by Chinese regulators and certification bodies.

How are certification processes and results supervised?

The Draft Measures grant supervisory powers to both the SAMR and the CAC. They can conduct random checks on certification processes and results; and evaluate certification bodies. Certified data controllers will also be under continuous supervision by their certification bodies.

If a certified data controller is found to no longer meet the certification requirements (e.g. the actual scope of the CBDT is inconsistent with that specified in the certification), the certification will be suspended or revoked, which action will be made public. 

Are there ancillary rules and standards on the horizon?

Probably yes. The Draft Measures indicate that the CAC will collaborate with relevant regulators to formulate standards, technical regulations, and conformity assessment procedures for CBDT certification and work alongside the SAMR to develop implementation rules and unified certificates and marks for CBDT certification.

Is the certification likely to be recognised in other jurisdictions?

Probably yes. According to the Draft Measures, China will facilitate mutual recognition of personal information protection certification with other countries, regions, and international organizations.

Recommendations

As discussed, the Draft Measures make available a tangible certification route to legitimize CBDTs for data controllers both within and outside of China. Data controllers should carefully evaluate and choose between the three legitimizing routes when engaging in CBDTs, considering their respective pros and cons and suitability for the controllers’ specific patterns of CBDTs. For example, the certification route may be advantageous for complex CBDTs among multiple parties where signing of SCCs is challenging. To make well-informed decisions, data controllers engaged in CBDTs are recommended to closely monitor developments related to the Draft Measures in the months following the conclusion of the public consultation period on 3 February 2025, and remain vigilant for any release of ancillary rules and standards. This is particularly necessary because some important details about the certification route, such as the validity period of the certification and any thresholds for overseas data controllers to take the certification route, remain unclear.

Overseas data controllers processing personal data of residents in China should also be aware of the Draft Measures, as they specifically outline the certification route. This represents a further enhancement of Chinese regulations governing overseas data controllers, following clarifications regarding the procedure for reporting dedicated institutions or designated representatives of overseas data controllers under the Network Data Security Management Regulation that took effect on 1 January 2025 (click here for our summary). Given this trend, overseas data controllers processing personal data of residents in China should consider assessing whether they fall under the extraterritorial jurisdiction of Chinese data protection laws and, if so, evaluating the practical risks of non-compliance with such laws (e.g. the impact of potential service disruptions or access restrictions). If compliance with Chinese data protection laws turns out to be necessary, it is advisable to implement a comprehensive program to navigate how China’s CBDT restrictions and, more broadly, its complex data regulatory framework may apply to the overseas data controller and devise compliance strategies.

It is also important to remember that the legitimizing routes are not the sole requirement for CBDTs under Chinese law. Regardless of the chosen route, data controllers must implement other compliance measures for CBDTs, including obtaining separate consent from data subjects, conducting personal information impact assessments, and maintaining records of processing activities.

However, plans to amend the PDPO have been put on hold given concerns over the immense economic pressure it may exert on small or nano businesses to comply with the new regulations. The Government could alternatively consider introducing the amendments in a ‘piecemeal approach’ to reduce the impact on local businesses. For now, the Government has no definitive timeline on when the amendments to the PDPO will be introduced and will only provide updates upon developing more concrete proposals. In the meantime, we will continue to monitor for any further details in relation to the Government’s plans to update the PDPO.

Vietnam

Vietnam issued its first draft of a new Personal Data Protection Law (“PDPL”) in September 2024, for public consultation. The PDPL is anticipated to be adopted in May 2025, and it is tentatively scheduled to come into effect on 1 January 2026. The draft PDPL aims to create a more robust framework for data protection in Vietnam by unifying, clarifying, enhancing and supplementing the existing data protection rules set out in Vietnam’s existing Personal Data Protection Decree (“PDPD”). It remains unclear how the PDPD and draft PDPL will work together in practice, although some commentators suggest the PDPL will supersede the PDPD.

In addition to setting out eight personal data protection principles, the draft PDPL focuses on discussing specific compliance requirements for a number of processing activities and industries, including direct marketing, behavioural advertising, big data, AI, cloud computing, employee monitoring and recruitment, financial and credit information, health, insurance and social media. Key highlights proposed in the draft PDPL include (this is not a comprehensive list):

• Extra-territorial effect: the draft PDPL extends the scope under PDPD to cover processing of foreigners’ personal data within Vietnam.
• Consent: like the PDPD, consent remains the key legal basis for data processing, and separate consents are required for specific data processing activities.
• Clarified definitions: the draft PDPL clarifies the distinction between ‘basic personal data’ from ‘sensitive personal data’. New definitions are also introduced, including, amongst others, ‘developers’ and ‘personal data protection organization’. The data protection authority – currently known as A05 – would change its name if the draft PDPL is implemented.
• Updates to DPIA/TIA dossier filings: the now-familiar data processing impact assessment dossiers (“DPIA Dossiers”) for controllers and processors and transfer impact assessment for transferors (“TIA”) would have to be updated upon certain material change to the organisation were the draft PDPL to be implemented.
• Data protection department: companies would be required to have a data protection department overseeing personal data processing (although this could be outsourced to external service providers), as well as an expert (like a DPO) meeting certain eligibility criteria, with an initial short-term (two-year) exemption for new small businesses.
• Certification mechanism: the draft PDPL would introduce a data protection certification scheme, whereby certain organisations could earn trust ratings based on an assessment of their personal data protection practices.
• Breach reporting deadlines: the timescale for notifying authorities of breaches of personal data protection regulations is clarified as being 72 hours.

Malaysia

Significant changes to Malaysia’s Personal Data Protection Act (“PDPA”) were recently passed via the Personal Data Protection (Amendment) Act (subject to royal assent), and are anticipated to come into effect soon. The PDPA is now quite old (first passed in 2010), and so the amendments are largely to update the Malaysia data protection framework, to align it with more modern data protection laws elsewhere in Asia. The key amendments are:

• mandatory breach notification;
• mandatory appointment of DPOs;
• direct obligations on data processors;
• data portability rights for data subjects;
• change of “data user” terminology to the more familiar “data controller”;
• expanding sensitive personal data to include biometric data;
• removing rights of deceased individuals re their personal data;
• increased penalties (now fines of up to MYR1,000,000 and/or imprisonment of up to three years); and
• updating the cross-border data transfer framework, to remove the “whitelist” of approved jurisdictions, and instead allowing transfers to jurisdictions with equivalent standards of protection. 

Besides the amendments to the PDPA, the Commissioner will develop guidelines to supplement the PDPA. The guidelines will cover areas including data breach notification, appointment of data protection officer, data portability, cross border data transfer, data protection impact assessment, privacy by design, and profiling and automated decision making.

Indonesia

Finally, a reminder that Law No.27 of 2022 on Personal Data Protection (“PDP Law”), Indonesia’s first omnibus data protection law, came into full effect, after a two-year grace period, on 17 October 2024. For further information about the compliance obligations introduced by the PDP Law, please see our earlier updates Indonesia: prepare now for the new Personal Data Protection Law | Privacy Matters and INDONESIA: Personal Data Protection Law PDPL Now in Force | Privacy Matters.

Scope

The Regulation governs “network data”, and the compliance obligations primarily apply to “network data handlers”.

• Network data: the Regulation governs electronic data processed and generated via networks (“network data“) and applies to all the processing of network data within Mainland China. A “network” means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures. So, in practice, this captures all electronic data processed or generated online (including personal information and non-personal information).
  
• Network data handler: a “network data handler” refers to the party that autonomously determines the purposes and means of processing network data. That is akin to a data controller when it comes to personal information. In practice, this would include communication network operators, online service providers and users.

The Regulation has extra-territorial effect. This means that, if a foreign entity processes personal information of Mainland China residents outside of Mainland China, the requirements of the Regulation and the PIPL will apply if the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour.

As has become common with China data regulations, if a foreign (non-Chinese) entity’s processing of network data outside of Mainland China may harm China’s national security, public interests, or the legitimate rights and interests of Chinese citizens or organizations, the Regulation restates Chinese authorities’ power to hold the foreign entity liable in accordance with other applicable laws. It remains unclear how these powers may be enforced in practice against non-Chinese entities without a presence in Mainland China.  

Key Compliance Obligations

The Regulation focuses on four key areas:

• personal information privacy: enhancements and clarifications to the existing China personal information protection framework as it pertains to “network data”;
  
• “large scale” personal information handlers: introduces additional reporting obligations on data controllers of large volumes of personal information;
  
• important data: imposes significant additional governance obligations to the existing “important data” compliance framework, and clarifies how organisations can assess whether or not they handle important data; and
  
• online platform operators: extends existing compliance obligations to manufacturers of smart terminal devices with pre-installed applications, and imposes additional reporting and governance obligations on “large-scale network platforms”. 

Impact on Data Privacy Compliance

Key developments as regards network data handlers processing personal information include:   

• Security defects, threats and risks: the timescale for network data handlers to report data incidents (i.e. security defects, threats or risks involving its products or services) is reduced, so that an incident must be reported within 24 hours of identification if it could harm national security or public interests. However, the Regulation does not specify what defects, threats or risks could harm national security or the public interest or provide any assessment methods.
  
• Data processing agreements (“DPAs”) and record-keeping: the obligation on network data handlers to enter into a DPA with each third party to which it transfers personal information is clarified now to include C2C (controller to controller) transfers as well as C2P (controller to processor) transfers. The DPA and relevant processing records must be kept for at least three years. This obligation is also now clarified to extend to the sharing of important data with third parties, not just personal information.
  
• Data portability: the PIPL gives data subjects the right to data portability (although it is little used in practice by data subjects in China). The Regulation now sets out the conditions that must be met to exercise such right, namely: (i) verifying the true identity of the data subject; (ii) the legal basis for processing the concerned personal information must either be consent or contract necessity; (iii) the transfer is technically feasible; and (iv) the transfer will not harm the legitimate rights and interests of others. Further, it is now clarified that, if the number of requests significantly exceeds a reasonable range, the network data handler may charge necessary costs of fulfilling the request. Please note that the right to data portability still only covers personal information. Unlike the EU Data Act, the portability of other non-personal business or operation data is not addressed under the Regulation.
  
• Foreign entities keeping and reporting institutions/representatives in China: The Regulation clarifies the procedure for complying with the PIPL requirement for foreign entities processing the personal information of Mainland China residents outside of Mainland China to establish a dedicated institution or designate a representative within Mainland China for personal information protection and to report the name and contact information of such institution/representative, where the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour. According to the Regulation, such information should be reported to the municipal-level data authority, which will then forward it to other relevant regulators at the same level. However, foreign entities still need to watch out for further clarifications regarding other aspects of this requirement such as the reporting timeframe.

Obligations re Important Data

• Defining/identifying important data: the Regulation follows the current approach whereby industry regulators have been tasked to formulate (and some have already formulated) important data catalogues, setting out what will be deemed to be “important data” in their industry sector. However, unfortunately the Regulation seems to indicate that such important data catalogues will not be an exhaustive list of important data, and instead they should be treated more as industry guidelines to help organisations classify whether data constitutes important data, and then report it to the industry regulators as required under existing reporting/monitoring rules. Therefore, unfortunately, the most critical question, i.e. what constitutes important data, is still not clearly answered. We now face the situation of, instead of waiting for important data catalogues to be published, rather unhelpfully network data handlers operating in sensitive industries may need to be prepared to identify and report its own important data based on the guidelines given by the authorities.  
  
• DPA: it is now clear that network data handlers must enter into a DPA with each third party to which it transfers important data, and that each such DPA must be kept for at least three years. This is a unique requirement for Mainland China, and means that organisations will potentially need to extend their template DPAs to cover important data as well as personal information.
  
• Network data security officer appointment: a network data handler that handles important data must appoint a “network data security officer” (who shall be a member of senior management) and establish a “network data security management department”. They shall be responsible for: formulating network data protection policies and procedures; organizing training and drills; monitoring daily data processing activities; and handling claims, investigations and other data protection related matters pertaining to important data. This is in addition to existing obligations to appoint a DPO, DSO and CSO.  
  
• Transfer assessment: an important data handler must conduct a risk assessment before transferring important data to any third party, including in the case of entrusted or joint processing (except where the transfer concerned is mandatorily required by law). The assessment should include, inter alia, the data recipient’s data protection capabilities and overall compliance status; and the effectiveness of the contract with the data recipient to comply with relevant data protection obligations. This appears to be closer to a PIIA for personal information than an EU-style DPIA or TIA, but we await a template assessment form or further guidance from the regulators on this.
  
• Reporting during M&A and corporate reorganisations, etc.: if the security of important data may be affected by an important data handler’s M&A, corporate reorganization, dissolution, bankruptcy or other similar events, the handler must take measures to ensure data security, and report information regarding the data recipients and related matters to the relevant industry regulator and/or data authority at provincial level or above.
  
• Annual assessment report: an important data handler must carry out a risk assessment of its data processing activities once a year, and submit the assessment report to the relevant industry regulator at provincial level or above. Details of what these annual reports must include, and how to submit them, have not yet been published; and it is also unclear how these align with the proposed mandatory data compliance audits recently proposed by the China data protection authorities.

Obligations on “Large Scale” Personal Information Handlers

The Regulation requires a network data handler who processes personal information of more than 10 million data subjects to comply with the “network security officer appointment” and “reporting during M&A and corporate reorganisations etc.” obligations (discussed above) in the same way as an important data handler. However, the Regulation does not address whether the personal information of more than 10 million data subjects per se constitutes important data.

Obligations on Online Platform Operators

The Regulation emphasizes existing obligations on online platform operators (that is, operators of websites, mobile apps, etc.) to monitor and supervise data processing activities carried out by the users or third parties via their platforms. For example:

• platform operators must formulate rules and put in place effective contracts with third parties residing on the platform to clarify data protection obligations and responsibilities; and
  
• app store operators must conduct security assessments of the applications distributed via their stores, and remove non-compliant applications if the compliance gaps cannot be effectively remediated.

Notably, the Regulation now extends the definition of online platform operators to manufacturers of smart terminal devices with pre-installed applications (such as mobile phone and smart home product manufacturers), and requires them to comply with online platform operators’ obligations in addition to hardware manufacturers’ obligations.

The Regulation also introduces a definition of “large scale network platforms” as online platforms which have more than 50 million registered users or more than 10 million monthly active users, offer complex types of services, and may have significant impact on national security, economy and people’s livelihood. The Regulation further provides that large scale network platform operators are subject to additional obligations such as publishing an annual social responsibility report discussing how personal information protection matters are handled, and implementing measures to prevent unfair competition conducted via the platforms, etc.

Next Steps

The Regulation adds to, rather than replaces, the existing – complex and ever-evolving – China data protection framework, and requires organisations handling China data to update their China data compliance obligations to prepare for these additional compliance obligations before the start of 2025.

Further, as indicated by the Regulation, data incident reporting, DPAs, record-keeping and compliance assessments/reporting will likely become the new compliance focus of the China data authorities in 2025.

Online platform operators’ responsibilities of monitoring in-platform data processing activities will still be an enforcement focus. Meanwhile, smart device manufacturers – who will now be regulated as online platform operators – will face a new set of complex obligations, and so are recommended to familiarize themselves with the requirements and upgrade their compliance programmes before the end of the year.

The final Guide largely aligns with the June draft, incorporating only a few changes in wording. However, it introduces several business-friendly clarifications to the list of common examples of sensitive personal information therein (“Examples List“) that help limit the scope of sensitive personal information, including:

• Location Access Methods: The issued Guide differentiates between location access methods used by mobile applications. It specifies that approximate location data derived from IP addresses is not classified as sensitive personal information, whereas precise mobile positioning data is considered sensitive.

• Whereabouts/Tracking Information: The “whereabouts/tracking information” category of sensitive personal information has been clarified to encompass only data that indicates a “continuous track” of movements over a period of time, rather than including any data pertaining to locations of a person as in the June draft. Along the same line of reasoning, flight and high-speed train travel records have been removed from examples of this category.

• Medical Device Data: According to the final Guide, not all data produced by medical devices during healthcare services will be classified as sensitive personal information; only examination and testing data during healthcare services risks falling under such classification.

Notably, the final Guide, in line with existing laws and standards, includes a new explanatory note highlighting the primacy of the “risk of harm” test over the Examples List. The note stipulates that data covered by the Examples List may not qualify as sensitive personal information if there is substantial evidence and justification showing that it fails to pass the “risk of harm” test as outlined in the Guide. This gives organisations greater scope to self-assess whether or not data qualifies as sensitive personal information based on risk of harm rather than just a prescriptive list.

The extent to which the Guide will be relied on by the regulator or courts remains to be seen. However, organizations are encouraged to refer to the Guide alongside existing laws and standards when identifying the sensitive personal information. In particular, as noted above and in our previous article, it is crucial for organizations to focus on the “risk of harm” test when identifying Mainland China sensitive personal information.

In July 2024, a draft recommended national standard Personal Information Protection Compliance Audit Requirements (“Draft Standard“) was issued for public consultation, which sets out comprehensive audit requirements and procedures. To be specific:

• The Draft Standard includes in its Schedule C a list of 37 groups of specific processing operations that must be checked in an audit, as well as the relevant PIPL requirements. The requirements cover the full life cycle of personal data processing, and concern areas such as lawful bases of processing, necessity and data minimization principles, disclosure of necessary processing details to data subjects, sharing of personal data with third parties, automated decision making, public disclosure of personal data, CCTV, sensitive personal data and minor data protection, cross-border data transfers, data subjects’ rights, internal data protection policies and procedures, technical and organizational measures, DPO, personal data protection impact assessments, data incidents, etc.

• The Draft Standard also outlines the general procedures of an audit, and sample lists the documents and materials which must be reviewed during an audit.

• In addition, the Draft Standard emphasizes the importance of internal governance. It requires a data controller to establish a compliance audit management system and formulate audit rules and procedures. The data controller’s Board of Directors, DPO and/or Legal Representative must take ultimate responsibility for the establishment of audit system and implementation of audits within the organization. The data controller must also allocate sufficient finance and suitable human resources to audit related work. Personnel being appointed to handle audits related works must have suitable knowledge and experience, and ideally hold qualification certificates.

• The Draft Standard does not prescribe when or how often a data controller must conduct an audit. In the Measures for the Management of Compliance Audits on the Protection of Personal Information (Draft for Comments) (“Draft Measures“), which was issued in September 2023 for public consultation, it is stated that a data controller which processes more than one million individuals’ personal data must conduct Self-supervision Audits at least once a year. Other data controllers must conduct Self-supervision Audits at least once every two years.

• The Draft Measures require data controllers to submit the audit reports of Regulator Requested Audits, take necessary remediation actions, and then submit the post-remediation reports.

As of the date of this article, neither the Draft Standard nor the Draft Measures have been finalized. But there are rumours indicating that both will be finalized before the end of 2024. An increasingly common understanding in the market is that personal data compliance audits will become the next regulatory focus of the data regulator.

Regardless of the status of these drafts, a data controller has an obligation under the PIPL to conduct Self-supervision Audits periodically. It is, thus, recommended to take note of the requirements under the Draft Standard, consider establishing an internal audit management framework and complete at least one Self-supervsion Audit within a reasonable time.

1. What is the primary goal of the proposed legislation?

The proposed legislation, as set out in the paper submitted by the Hong Kong Government to the Legislative Council Panel on Security on 25 June 2024, aims to enhance the security of Hong Kong’s CIs that are necessary to maintain  “normal functioning” of Hong Kong society and people’s lives, by minimising the chance of disruption to, or compromise of, essential services by cyberattacks.

2. Who and what will be captured by the proposed legislation?

The proposed legislation would regulate only CI operators (“CIOs”) in respect of their critical computer systems (“CCSs”). Similar to the helpful approach in Mainland China, both CIOs and CCSs will be expressly designated by a new Commissioner’s Office to be set up (or, as explained in Question 6 below, the Designated Authorities for certain groups of organisations). This will ultimately remove uncertainty around whether or not a given organisation is a CIIO, and which of their systems will fall within the CCS framework. However, until such designations are made by the relevant authorities, it does leave significant uncertainty for organisations that may not obviously fall within the definition, especially technology companies.

Designation of CIOs

Under the proposed legislation, an organisation would be designated as a CIO if it were deemed responsible for operating an infrastructure that the Commissioner’s Office determines to be a CI, taking into account the organization’s level of control over the infrastructure. It is proposed that CIs cover the following two categories:

• infrastructures for delivering essential services in Hong Kong, i.e. infrastructures of the following eight sectors: energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting (“Essential Service Sectors”); and
• other infrastructures for maintaining important societal and economic activities, e.g., major sports and performance venues, research and development parks, etc.

When deciding whether an infrastructure within the scope of the two categories above constitutes a CI, the Commissioner’s Office would take into account:

• the implications on essential services and important societal and economic activities in Hong Kong in case of damage, loss of functionality, or data leakage in the infrastructure concerned;
• the level of dependence on information technology of the infrastructure concerned; and
• the importance of the data controlled by the infrastructure concerned. 

The Government also emphasized that CIOs will mostly be large organisations, and the legislation will not affect small and medium enterprises and the general public. 

The list of the designated CIOs will not be made public to prevent the CIs from becoming targets of cyberattack.

Designation of CCSs

The proposed legislation would only require CIOs to take responsibility for securing the expressly designated CCSs. Systems operated by CIOs but not designated as CCSs would not be regulated by the proposed legislation.

The Commissioner’s Office would only designate as CCSs the computer systems which:

• are relevant to the provision of essential service or the core functions of computer systems; or
• will seriously impact the normal functioning of the CIs if interrupted or damaged.

Importantly, computer systems physically located outside of Hong Kong may also be designated as CCSs.

3. Would organisations have opportunities to object to CIO or CCS designations?

Yes. Under the proposed legislation, before making CIO or CCS designations, the Commissioner’s Office will communicate with organisations that are likely to be designated, with a view to reaching a consensus on the designations. This is helpful, but adds to the recommendation that those potentially caught as a CIO should start planning now to be ready to put forward a clear, reasoned view on whether or not they – and/or all of their systems – should be designated.

After a CIO or CCS designation is made, any operator who disagrees with such designation can appeal before a board comprising computer and information security professionals and legal professionals, etc.

4. What are the obligations of CIOs?

Statutory obligations proposed to be imposed on CIOs under the proposed legislation are classified into three categories:

• Organisational:
  
  • provide and maintain address and office in Hong Kong (and report any subsequent changes);
  • report any changes in the ownership and operatorship of their CIs to the Commissioner’s Office;
  • set up a computer system security management unit, supervised by a dedicated supervisor of the CIO;
    

• Preventive:
  
  • inform the Commissioner’s Office of material changes to their CCSs, including those changes to design, configuration, security, operation, etc.;
  • formulate and implement a computer system security management plan and submit the plan to the Commissioner’s Office;
  • conduct a computer system security risk assessment at least once every year and submit the report;
  • conduct a computer system security audit at least once every two years and submit the report;
  • adopt measures to ensure that their CCSs still comply with the relevant statutory obligations even when third party services providers are employed;
    

• Incident reporting and response:
  
  • participate in a computer system security drill organised by the Commissioner’s Office at least once every two years;
  • formulate an emergency response plan and submit the plan; and
  • notify the Commissioner’s Office of the occurrence of computer system security incidents in respect of CCSs within (a) 2 hours after becoming aware of serious incidents and (b) 24 hours after becoming aware of other incidents.
    

5. What would be the offences and penalties under the proposed legislation?

The offences under the proposed legislation include CIOs’ non-compliance with:

• statutory obligations;
• written directions issued by the Commissioner’s Office;
• investigative requests of the Commissioner’s Office; and
• requests of the Commissioner’s Office for relevant information relating to a CI.

The penalties for these offences would consist exclusively of fines. The level of fines would be determined by court trials, with maximum fines ranging from HK$500,000 to HK$5 million. For certain offences, persistent non-compliance would result in additional daily fines of HK$50,000 or HK$100,000 per day.

It is noteworthy that a CIO will still be held liable for the non-compliance with its statutory obligations if the non-compliance is caused by a third-party service provider. As such, service providers should also start planning now as to whether or not their customer base may be designated CIOs and, if so, what consequences this may have on contractual service obligations, incident notification obligations, security standards/specifications, SLAs, powers of investigation/inspection (including by regulators) and liability/indemnity provisions (including financial caps and exclusions). We anticipate CIOs will expect higher standards from their service providers in advance of the new regulations being introduced.

6. Which authorities would enforce the proposed legislation, and what would their powers be?

Commissioner’s Office

A Commissioner’s Office is proposed to be set up under the Security Bureau to implement the proposed legislation, headed by a Commissioner appointed by the Chief Executive. Its powers would include:

• designating CIOs and CCSs;
• establishing Code of Practice for CIOs;
• monitoring computer system security threats against CCSs;
• assisting CIOs in responding to computer system security incidents;
• investigating and following up on non-compliance of CIOs;
• issuing written instructions to CIOs to plug potential security loopholes; and
• coordinating with various government departments in formulating policies and guidelines and handling incidents.

Among these powers, the most significant might be the investigative powers granted to the Commissioner’s Office. Specifically, in respect of investigations on security incidents, the Commissioner’s Office would have, among others, the powers to:

• question and request information from CIOs;
• direct CIOs to take remedial actions; and
• check the CCSs owned or controlled by CIOs with their consent or with a magistrate’s warrant.

In respect of investigations on offences, it would have the powers to:

• question and request information from any person who is believed to have relevant information in his or her custody; and
• enter premises and take possession of any relevant documents with a magistrate’s warrant.

From a service provider perspective, these powers will likely extend – either directly or more likely via contractual flow down – from CIOs to their service providers. As such, again service providers may need to revisit their customer contracts in this regard.

Designated Authorities

Existing regulators of certain Essential Service Sectors which already have a comprehensive regulatory framework, such as a licensing regime in the financial services and telecoms sectors, may be designated as designated authorities (“Designated Authorities”) under the proposed legislation. The Designated Authorities would be responsible for designating CIOs (and CCSs) among the groups of organisations under their supervision and for monitoring such CIOs’ compliance with the organisational and preventive obligations. It is currently proposed to designate the Monetary Authority and the Communications Authority as the Designated Authorities for the banking and financial services sector and the communications and broadcasting sector respectively. The Commissioner’s Office, on the other hand, would remain responsible for overseeing the incident reporting and response obligations of, and retain the power to issue written directions to, such CIOs. It is hoped that the interaction between the Designated Authorities and the Commissioner’s Officer will be clearly defined when it comes to practicalities before the new framework is finalised.

7. How does the proposed legislation compare to critical infrastructure cybersecurity laws in other jurisdictions?

In formulating the proposed legislation, the government made reference to the legislation of other jurisdictions on critical infrastructure protection, including the United Kingdom, Australia, the United States, the European Union, Singapore, Mainland China and Macao SAR. For instance, the designation-based framework envisaged by the legislation mirrors Australia’s regulatory approach to systems of national significance under the Security of Critical Infrastructure Act 2018. Moreover, many obligations of the CIOs, such as those in respect of security risk assessments, audits and drills, have corresponding counterparts in the cybersecurity legislation of jurisdictions like Mainland China and Singapore. The investigative powers of the regulator to request information, access documents and enter premises can also be found in foreign legislation, including the UK’s Network and Information Systems Regulations 2018 and Singapore’s Cybersecurity Act 2018.

There are, however, technical nuances between similar mechanisms under the proposed legislation and existing laws in other jurisdictions. For instance, the proposed legislation requires organisations to report non-serious security incidents within 24 hours of becoming aware of them, providing greater flexibility compared to Singapore’s requirement of reporting all security incidents affecting critical information infrastructure within two hours of awareness.  

8. What are the next steps for the proposed legislation?

The proposed legislation is expected to be tabled in the Legislative Council by the end of 2024. Once passed, the Commissioner’s Office will be established within a year, and the law will come into effect around six months thereafter. This, therefore, gives a critical planning period until mid-2026 for organisations which may be designated CIOs and their services providers.

9. What must organisations do in light of the proposed legislation?

It is hopes that the uncertainty around some critical issues, including the scope of the Essential Service Sectors (particularly the information technology sector), the specific criteria to distinguish CIs among the Essential Service Sectors, and the threshold for “serious” security incidents, will be resolved as the proposed legislation passes through the public consultation and the usual legislative process. 

Organisations should closely monitor the development of the proposed legislation, develop an internal position on their designation (or their customers’ designation, in the case of service providers, as a CIIO and systems as CCS, and prepare to advocate/lobby for their position once the designation communications commence, and monitor and update their cybersecurity measures and procedures and contracts.