Privacy Matters https://privacymatters.dlapiper.com/ DLA Piper's Global Privacy and Data Protection Resource Wed, 07 May 2025 11:40:36 +0000

China: CAC publishes official Q&As for cross-border data transfer regulation
https://privacymatters.dlapiper.com/2025/04/china-cac-publishes-official-qas-for-cross-border-data-transfer-regulation/ Tue, 22 Apr 2025 08:47:02 +0000

The Cyberspace Administration of China (CAC) released an important Q&A on cross-border data transfer requirements and policies in early April, providing clarification on a number of issues of concern to companies in China. Key points include:

Data other than important data and personal data can flow freely across borders. The Q&A emphasizes that, in principle, the requirements of Chinese law are intended to ensure the security and free flow of data. They apply only to personal data and important data because the transfer of such data outside of China may affect national security and public interests.

The methodology for assessing the necessity of transferring personal data outside China has been further elaborated. The CAC will consider whether there is a necessity for the transfer itself, the types of data subjects involved, and the categories of personal data transferred (each an “assessed factor”). The necessity test is satisfied with respect to an assessed factor if (i) the data to be transferred are directly related to, limited to the minimum necessary for, and retained only for the time required to achieve the purposes of the processing, and (ii) the processing has a minimal impact on the data subjects concerned. Thus, the context of the transfer is very important. The Chinese authorities will formulate sector-specific guidance to assist companies in assessing necessity in different transfer contexts.

Important data can be transferred outside of China if a security assessment shows that the transfer will not endanger national security or public interests. As of March 2025, the central CAC had completed assessments of a total of 44 applications for transferring important data outside of China. Seven of these 44 applications failed the assessment, a failure rate of 15.9% at the application level. The 44 applications covered 509 important data fields, of which 325 were allowed to be transferred outside China after the assessment, a success rate of 63.9% at the data field level.

As to the scope of important data, the Q&A provides that companies may identify the important data that they process in accordance with a national standard (i.e. GB/T 43697-2024 Data Security Technology – Rules for Data Classification and Grading, Appendix G, Guidelines for Identifying Important Data) and report the identification results to the relevant authorities. At the same time, the Q&A restates and emphasizes that it is not necessary for companies to make assessment applications for transferring important data outside of China unless they have been notified by the authorities that the data being processed is important data, or the data has been included in a public important data catalogue.

There are certain convenient channels that international organizations may consider to legitimize their intra-group transfers. For example, if several Chinese affiliates are transferring data outside of China in the same or similar patterns, they may choose a representative and make a filing or application on a group basis. If the transfers are more complex, the group affiliates, both inside and outside China, may consider applying for a transfer compliance certificate to cover all intra-group transfers. This certificate will exempt the covered affiliates from the requirement to sign stand-alone bilateral Standard Contractual Clauses (SCCs).

More flexible transfer arrangements will be made available to companies registered in free trade zones (FTZs). At present, the FTZs in Tianjin, Beijing, Hainan, Shanghai, Zhejiang and other places have published negative lists covering cross-border data transfers in 17 sectors, such as automobiles, medicine, retail, civil aviation, reinsurance, deep-sea industry and seed industry. Transfers covered by the negative lists can be exempted from the requirements of signing SCCs, making filings, or obtaining government approvals. More importantly, according to the Q&A, if one FTZ has already published a negative list for the same sector, the other FTZs can directly refer to and implement it. This means that companies registered in different FTZs may be able to benefit from the same policy.

Overall, this Q&A has sent a positive signal. After completing the necessary compliance actions, companies can transfer personal data and important data outside of China to carry out legitimate intra-group management and international business activities. The Chinese authorities are committed to further clarifying the rules and providing flexible arrangements for data transfers. As relevant guidelines and standards continue to be issued, “no clear rules” will no longer be a reasonable excuse. For companies that have not yet taken steps to address cross-border data transfers, we recommend that they plan and begin this work as soon as possible.

UK: Will UK cyber reforms keep step with NIS2?
https://privacymatters.dlapiper.com/2025/04/uk-will-uk-cyber-reforms-keep-step-with-nis2/ Thu, 17 Apr 2025 15:08:47 +0000

Since its announcement during the King’s Speech on 17 July 2024, there has been much anticipation over the contents of the Cyber Security and Resilience Bill (“CS&R Bill”) and in particular the extent to which it will bring the UK into alignment with its European counterpart, the NIS2 directive. Currently, cyber regulation in the UK is heavily reliant on the 2018 transposition of the NIS1 Directive (in the form of the NIS Regulations 2018), with a far narrower scope applying to critical infrastructure and Digital Service Providers only. Now, given the substantial progress in NIS2 implementation across Europe (with Finland being the latest to fully implement as at the date of this article), the appetite for UK cyber security reform continues to grow.

In a recent update from the Secretary of State for the Department for Science, Innovation and Technology (the Cyber security and resilience policy statement, published on GOV.UK), the UK Government has started to address some of this anticipation, dropping clues as to how the CS&R Bill will look when compared to its European cousin. So, what have we learnt about the Bill and its alignment with NIS2?

Expanded scope

In addition to the current in-scope sectors (energy, transport, health, drinking water supply and distribution, and digital infrastructure, as well as some digital services such as online marketplaces, search engines and cloud computing), the policy statement confirms the intention to bring Managed Service Providers (“MSPs”) within the remit of cyber security regulation, subjecting them to the same duties as ‘relevant digital service providers’ under the current NIS regulations. MSPs (also regulated by NIS2) are B2B services that provide IT systems, infrastructure and network support.

The Government also demonstrated its commitment to bolster supply chain security for operators of essential services (“OES”) and relevant digital service providers (“RDSPs”) that meet certain thresholds. Secondary legislation is intended to be used as a vehicle for imposing stricter duties on contractual requirements, security checks and continuity plans, in an effort to target underlying cyber vulnerabilities in supply chains, echoing, if not exceeding, the requirements of NIS2 to ensure cybersecurity controls extend to the supply chains of in-scope entities. Additionally, regulators will have the power to identify suppliers of critical services (including SMEs) whose disruption could cause significant impacts on the essential or digital service being supplied. These will be classed as “designated critical suppliers” (“DCS”), bringing them within scope of core security requirements and reporting obligations.

While expansion of the UK’s cybersecurity regime to include MSPs and critical supply chains will bring us one step closer to the reforms sweeping EU nations, it is unclear whether the UK will follow Europe in expanding the scope of cyber regulation to include sectors such as public administration entities, space, manufacturing, food production and postal and courier services (to name but a few).

Regulatory reinforcement

Perhaps amongst the measures most easily associable with the CS&R Bill’s European counterpart will be the updated incident reporting criteria. Incidents that are “capable of having a significant impact on the provision of essential or digital services and that significantly affect the confidentiality, availability, and integrity of a system” will need to be reported. This closely follows the requirements found in Art 23 of NIS2, as does the requirement that entities such as data centres and those providing digital services will be obligated to report incidents directly to customers in certain instances.

Equally alike in their resemblance to NIS2 are the reporting deadlines, with the relevant regulator and National Cyber Security Centre (“NCSC”) to be notified of significant incidents within 24 hours, and further incident reports to be provided within 72 hours. As the policy statement makes clear, “in practice [the Government] intends this procedure to be similar to, and no more onerous, than the… NIS2 directive”.

To provide some steer to regulators in their additional duties, the Government aims to issue a code of practice setting out guidance on minimum regulatory requirements, which will put the existing NCSC Cyber Assessment Framework (CAF) profiles on a firmer footing and extend their scope to include OES. Particular focus is also given to the UK Information Commissioner (“ICO”) as a national guardian of cyber security, with a raft of seemingly familiar powers relating to registration and notice requirements, information sharing and enforcement being introduced to support risk identification and mitigation. This all comes with a boost in financial means, as regulators will be able to set fee regimes and recover costs through various measures in order to contribute to financing their increased regulatory work.

Measures to keep on your radar

Despite not confirming their inclusion in the CS&R Bill, the Government flagged upcoming measures to keep an eye on. Most notable would be the classification of data centres as an essential service, bringing them within scope of the regulatory framework and aligning with NIS2’s approach. This has been contemplated since their designation as Critical National Infrastructure in September 2024 and would aim to strengthen the level of consistency and protection across the sector.

Other contemplated measures include bolstered powers for the Secretary of State, allowing a Statement of Strategic Priorities to be issued as well as powers of direction relating to entities and regulators. Collectively, these would allow the Government to require certain actions be taken to address significant incidents and threats to national security.

Conclusion

In summary, it is clear that the Government’s planned amendments to the current NIS Regulations will take clear and decisive steps to bridge UK cyber laws and the new European NIS2 regime. However, the CS&R Bill does not appear to be following NIS2 in expanding the reach of its reforms to a raft of new industries. While Managed Service Providers are the biggest industry to whom new UK laws will apply, it is likely that many of the industries new to the NIS2 regime – for example food producers and chemicals manufacturers – will remain beyond the UK’s cyber reforms. Only time will tell whether that remains the case when the fully-formed Bill hits the statute books, the timing of which is still unclear.

From the little we do know, however, it is evident that the burden and application of cyber regulation, together with accompanying cyber certifications and industry standards, will only increase, making it more critical than ever that businesses operating in the UK and beyond continue to focus on enhancing their cyber controls, underpinned by robust cybersecurity governance and equally robust controls on supply chains. Only then can businesses be ready for the inevitable swathe of new cyber regulation hitting UK shores, as well as the very real cyber threat it is all aimed at combating.

Germany: Monitoring and auditing obligations of controllers with respect to their processors
https://privacymatters.dlapiper.com/2025/04/germany-monitoring-and-auditing-obligations-of-controllers-with-respect-to-their-processors/ Wed, 16 Apr 2025 12:01:32 +0000

In a decision on immaterial damages under Article 82 of the EU General Data Protection Regulation (GDPR), the Higher Regional Court of Dresden, Germany (case number 4 U 940/24), set out important monitoring and auditing obligations of controllers with respect to their processors.

The controller (defendant) operates an online music streaming service; the plaintiff is a customer of this service. The case was triggered by a data breach in November 2022 at a former processor of the controller, involving customers’ personal information (including email addresses, full names, ages, etc.).

The contract between the controller and the processor ended at the end of 2019, several years before the data breach. According to the data processing agreement, the controller could choose between deletion or return of the data after the end of the processing. However, the controller never exercised this right. A few days before the termination of the agreement, the processor informed the controller by email that the data would be deleted the following day. Almost a year later, in December 2020, the processor sent another email to the controller announcing that the deletion was imminent. Nevertheless, it was not until early 2023, after the data breach had been reported, that the processor confirmed to the controller that (some kind of) deletion had been carried out.

The Higher Regional Court ruled that the defendant was in principle liable to the plaintiff for damages within the meaning of Article 82 of the GDPR, but that the plaintiff had not credibly demonstrated any emotional damage and therefore no compensation payments were awarded.

In its judgment, the court dealt extensively with the issue of a controller’s liability for the omissions of its processor. In particular, the court addressed the monitoring and auditing measures that a controller must exercise over its processor and how these measures must be designed.

In general, the court takes the view that:

  • if a company selects an IT service provider that is known in the market as a leading and reliable provider, it can generally place trust in the provider’s expertise and reliability without the need for an on-site inspection, but
  • increased requirements apply if large amounts of data or particularly sensitive data are hosted.

In the opinion of the Higher Regional Court, in the specific case this meant that the data controller was obliged to:

  • exercise its rights towards the processor with respect to the deletion of the data (the data processing agreement allowed the controller to choose between deletion and return of the data);
  • in case of deletion, obtain a written confirmation (i.e. a meaningful document certifying the deletion) from the processor, as detailed in the data processing agreement(s);
  • immediately request the provision of the deletion confirmation, if no such confirmation has been provided within the contractually agreed period; and
  • if necessary, carry out an on-site inspection (e.g., if the deletion confirmation remains outstanding).

The court also clarified that mere announcements of the data processor to delete the data (in the future) are not an adequate substitute for the confirmation that the data has already been deleted.

Conclusion and practical recommendation:

Even though the controller in this specific case escaped being ordered to pay damages, the court nevertheless affirmed the company’s liability in principle.

Controllers should therefore take this judgment as an opportunity to review the robustness of their monitoring and auditing measures with regard to processors. Necessary measures must not only be introduced but also sustained and documented in such a way that they are sufficient as evidence in front of courts and supervisory authorities.

US: Department of Justice issues final rule restricting the transfer of Sensitive Personal Data and United States Government-Related Data to “countries of concern”
https://privacymatters.dlapiper.com/2025/04/us-department-of-justice-issues-final-rule-restricting-the-transfer-of-sensitive-personal-data-and-united-states-government-related-data-to-countries-of-concern/ Wed, 16 Apr 2025 08:40:41 +0000

On April 8, 2025, the Department of Justice’s final rule implementing the Biden-era Executive Order 14117, which restricts the transfer of Americans’ Sensitive Personal Data and United States Government-Related Data to countries of concern (the “Final Rule”), came into force. The Final Rule imposes new requirements on US companies when transferring certain types of personal data to designated countries of concern or covered persons.

Executive Order 14117 and the implementing Final Rule are intended to address the threat of foreign powers and state-sponsored threat actors using Americans’ sensitive personal data for malicious purposes. The Final Rule sets out the conditions under which a bulk transfer of sensitive personal data or US government-related data to a country of concern or covered person will be permitted, restricted or prohibited.

The Final Rule underpins the higher level of scrutiny from the US government over bulk cross-border data transfers that may pose a risk to US national interests, and the tightening of compliance requirements on US companies to protect sensitive personal data and government data when engaging with these countries or with persons connected to them.

Scope of the Final Rule

The key elements determining the applicability and scope of the Final Rule, when applied to a data transaction by a US entity, are:

  • Countries of Concern: The Final Rule designates six countries as countries of concern: (1) China (including Hong Kong SAR and Macau SAR), (2) Cuba, (3) Iran, (4) North Korea, (5) Russia, and (6) Venezuela. The transfer of sensitive data to Covered Persons within these jurisdictions could therefore be captured.
  • Covered Persons: The Final Rule defines four classes of covered persons as the transacting party that will require additional scrutiny: (1) foreign entities that are 50% or more owned by a country of concern, organized under the laws of a country of concern, or have their principal place of business in a country of concern; (2) foreign entities that are 50% or more owned by a covered person; (3) foreign employees or contractors of countries of concern or entities that are covered persons; and (4) foreign individuals primarily resident in countries of concern.
  • Sensitive Personal Data: The Final Rule regulates transactions involving six categories of sensitive personal data: (1) certain covered personal identifiers; (2) precise geolocation data; (3) biometric identifiers; (4) human genomic data and three other types of human ‘omic data (epigenomic, proteomic, or transcriptomic); (5) personal health data; and (6) personal financial data.
  • Bulk Sensitive Personal Data: Within these Sensitive Personal Data categories, different thresholds for the volume of data being transferred are applied. These thresholds determine the applicability of the Final Rule to the transaction. The prohibitions and restrictions apply to covered data transactions involving sensitive personal data exceeding certain thresholds over the 12 months preceding the transaction. For example, compliance requirements for the transfer of precise geolocation data will not be triggered unless location data from over 1,000 US persons or devices is being transferred. By contrast, the threshold for personal identifiers (such as social security numbers) is not met until the identifiers of over 100,000 US persons are transferred. The definition of ‘bulk’ and how it applies across the categories of personal data is therefore key.

Prohibited or restricted transactions?

Alongside these key elements, the Final Rule determines that the type of transaction under which the data is being transferred will inform whether the transaction is restricted, prohibited or exempt from scrutiny. A transaction falling into the category of restricted will impose the new, additional compliance requirements on US Companies before the transaction can proceed.

The Final Rule prohibits transactions involving (1) data brokerage (i.e., “the sale of data, licensing of access to data, or similar commercial transactions involving the transfer of data”), and (2) covered data transactions involving access to bulk human ‘omic data or human biospecimens from which such data can be derived. The outright prohibition on data brokerage agreements with countries of concern is extended further, with the Final Rule also requiring US persons to contractually ensure that data brokerage transactions with other foreign persons, who are not countries of concern or covered persons, do not enable the transfer of the same data to countries of concern under subsequent arrangements. This additional safeguard on data brokerage where sensitive personal data is involved underlines the requirement for sufficient due diligence with overseas partners.

Vendor, employment, and non-passive investment agreements are captured as restricted transactions. These transactions are permitted if they meet certain security requirements developed by the Cybersecurity and Infrastructure Security Agency (CISA).

Finally, data transactions which fall under categories such as (but not limited to) personal communications that do not transfer anything of value, ordinary corporate group transactions between a U.S. person and its foreign subsidiary or affiliate, and financial services involving transactions ordinarily incident to and part of providing financial services, are exempt from any compliance requirements under the Final Rule: illustrating the practical intention of the requirements.

Compliance obligations

CISA requirements detail the types of cybersecurity, data retention, encryption and anonymisation policies, alongside other measures, that can be adopted by US companies in order to bring a restricted transaction into compliance, ensuring the safety of sensitive personal data.

An enhanced due diligence exercise is therefore expected when seeking to transact with covered persons where the bulk transfer of sensitive personal data is a possibility. Key features of this include the implementation of a data compliance program, including comprehensive policies, procedures and record keeping surrounding data involved in a restricted transaction, as well as the completion of third-party audits to monitor compliance with the Final Rule. Finally, reporting is expected when engaging in restricted transactions, demonstrating the depth of US government oversight and interest in these transactions.

FAQs, Compliance Guide and Enforcement Policy

On April 11, 2025, the Department of Justice published answers to Frequently Asked Questions and a Compliance Guide, and issued an Implementation and Enforcement Policy for the first 90 days of the Final Rule (i.e. through July 8, 2025).

  • Compliance Guide. The Compliance Guide aims to provide ‘general information’ to assist individuals and entities in complying with the Data Security Program (“DSP”), established by the Department of Justice’s National Security Division to implement the Final Rule and Executive Order 14117. The Compliance Guide includes guidance on a number of different areas, including key definitions, steps that organizations should take to comply with the Final Rule, model contract language, and prohibited and restricted data transactions.
  • FAQs. The Department of Justice has provided answers to more than 100 FAQs, which aim to provide high-level clarifications about Executive Order 14117 and the DSP, including, for example, answers to questions on the scope of the DSP; the effective date of the Final Rule; definitions; exemptions; and enforcement and penalties.
  • Implementation and Enforcement Policy for the First 90 Days (the Policy): The Policy states that during the first 90 days, enforcement will be limited “to allow U.S. persons (e.g., individuals and companies) additional time to continue implementing the necessary changes to comply with the DSP”. Specifically, the Policy is clear that there will be limited civil enforcement actions against any person for violations of the DSP that occur from April 8 through July 8, 2025 “so long as the person is engaging in good faith efforts to comply with or come into compliance with the DSP during that time”. The Policy provides examples of ‘good faith efforts’, including: conducting internal reviews of access to sensitive personal data; renegotiating vendor agreements or negotiating contracts with new vendors; transferring products and services to new vendors; implementing CISA security requirements; adjusting employee work locations, roles or responsibilities; and evaluating investments from countries of concern or covered persons. The Policy states that at “the end of this 90-day period, individuals, and entities should be in full compliance with the DSP.”

Next steps

Whilst certain due diligence, auditing, and reporting obligations will not become effective until October 2025, preparation for effective oversight and compliance with the CISA requirements can begin now. In particular, organisations should assess current compliance measures in place to identify potential compliance gaps and establish controls to address those gaps, in order to be able to demonstrate that they are engaging in “good faith efforts.” DLA Piper can advise on a review of current policies and procedures and preparing effectively for transactions that may fall within the Final Rule.

Germany: New government plans to centralize data protection supervision and reduce regulation for small and medium-sized companies
https://privacymatters.dlapiper.com/2025/04/germany-new-government-plans-to-centralize-data-protection-supervision-and-reduce-regulation-for-small-and-medium-sized-companies/ Mon, 14 Apr 2025 08:52:20 +0000

On April 9, 2025, the coalition agreement of the future German Federal Government, consisting of the three German parties CDU, CSU and SPD, was published. The document, entitled “Responsibility for Germany”, contains several plans, including some that may fundamentally change the German data protection supervisory authority structure and that aim to ease the regulatory burden for small and medium-sized companies.

Central data protection supervision and new role of the Data Protection Conference

The future government is planning to reform the structure of the data protection supervisory authorities in Germany. Responsibilities and competencies for the private sector are to be bundled into the Federal Commissioner for Data Protection and Freedom of Information (“BfDI”). Currently, Germany does not have one central supervisory authority for data protection law but rather authorities in each of the sixteen German federal states (Länder), which are competent for the public and the private sector in the respective state. In addition, there are separate supervisory authorities for private broadcasters and for public broadcasters. Currently, the BfDI is only competent for the federal public sector and a limited number of private sectors, such as telecommunications.

This change in structure would lead to considerable relief, particularly for companies or groups of companies with headquarters outside Germany or outside the EEA. If the BfDI becomes the responsible authority for the private sector as a whole, there will no longer be any uncertainty as to which national supervisory authority to work with. This is particularly relevant if a company or group of companies has several branches in Germany. Controllers and processors would only have to cooperate with one national supervisory authority, and the contact details of the data protection officer would only have to be communicated to the BfDI. In addition, controllers without a lead supervisory authority would no longer be required to report data security breaches to all of the various German supervisory authorities. Currently, controllers without an establishment in the EU have to make notifications to the authorities in those federal states where the affected data subjects live – in the future, instead of notifying up to 16 different authorities, they could notify just one authority, as in other EU countries.

In addition, the new structure could provide greater legal certainty for both controllers and processors, as currently, each German supervisory authority may interpret the legal requirements differently and pursue varying priorities, for example with regard to enforcement.

However, it remains unclear how this structural reform can be implemented in a legally secure manner. The coexistence of different responsibilities of the federal government and the federal states is an expression of federal structures and thus of the federal state principle safeguarded by the German constitution (the German Basic Law, Grundgesetz).

In addition, the Data Protection Conference (“DSK”), in which all German supervisory authorities are represented, is to be anchored in the Federal Data Protection Act (“BDSG”). In contrast to the current situation, it is to be given the task of creating binding data protection standards. This can ensure that a uniform approach is created, particularly in areas of cooperation between the private and public sectors. At the same time, there is a risk that even impractical and very dogmatic opinions of this very diverse body will become binding in the future.

Better use of GDPR leeway

The coalition partners also want to make better use of the leeway provided by the GDPR. This means that where the GDPR provides opening clauses for national legislators, new rules shall be created to relieve the burden on small and medium-sized enterprises as well as for the processing of personal data of and by employees and volunteers. Such leeway exists in the GDPR under Art. 23 GDPR, among others. According to Art. 23 (1) GDPR, the extensive transparency obligations under Art. 13, 14 and 15 GDPR could be reduced to an appropriate level for small and medium-sized enterprises. However, no concrete plans have been agreed on yet.

Introduction of the retention of data relating to the civil identity and associated IP addresses

A proposal on data retention (Vorratsdatenspeicherung), which is currently suspended in Germany, has also caused a stir. Specifically, a proportionate three-month retention period for IP addresses and port numbers is to be introduced, in line with European and constitutional requirements, to be able to assign them to the owner of the connection. In this context, the Federal Police is to be authorized to carry out source telecommunication surveillance to combat serious crimes.

As recently as April 30, 2024, the ECJ ruled in Case C-470/21 that data retention is not by itself contrary to European law. However, it remains to be seen whether the future German Federal Government will succeed in finding a regulation that upholds the fundamental rights to respect for family life and the protection of personal data (Art. 7 and Art. 8 of the Charter of Fundamental Rights of the European Union).

Actual effects

The actual effects of the measures set out are not yet foreseeable. First, the measures set out for the reform of data protection are very vague. Second, the coalition agreement itself is not a binding document. The implementation of the intended measures depends largely on the political framework conditions. Several years may pass before the reforms envisaged in a coalition agreement are implemented in law.

CHINA: Recent Enforcement Trends https://privacymatters.dlapiper.com/2025/03/china-recent-enforcement-trends/ Wed, 12 Mar 2025 09:42:03 +0000

Recently, the Cyberspace Administration of China (CAC), which is the primary data regulator in China, published a newsletter about the government authorities’ enforcement against Apps and websites that violated personal data protection and cybersecurity laws during 2024.

Based on the official statistics, during 2024, the CAC interviewed 11,159 website platforms, imposed warnings or fines on 4,046 website platforms, ordered 585 websites to suspend or update relevant functions, took down 200 Apps and took administrative actions against 40 mini-programs. The CAC also conducted joint enforcement actions together with the Ministry of Industry and Information Technology and revoked the licenses of, or shut down, 10,946 websites and closed 107,802 accounts.

The following violations were the particular focus of these enforcement activities:

  • Failure to maintain relevant network logs as required by law or to promptly address security risks (such as system vulnerabilities), resulting in unlawful and regulatory problems such as system attacks, tampering, and data leaks;
  • Failure to clearly display privacy notices in Apps, obtain necessary consent to process personal data, or provide convenient methods to opt out or de-register accounts;
  • Failure to conduct required recordal or filing for AI models or features built into Apps or mini-apps; and
  • Unreasonably requiring consumers to scan QR codes or perform facial recognition that is not necessary to provide the underlying services.

Around the same time, the National Computer Virus Emergency Response Center, which is an institution responsible for detecting and handling computer virus outbreaks and cyber attacks under the supervision of the Ministry of Public Security, published a list of Apps that violated the personal data protection laws in the following areas:

  • Failure to provide data subjects with all the required information about the processing (e.g. name and contact details of the controller, categories of personal data processed, purposes of the processing, retention period, etc.) in a prominent place and in clear and understandable language; in particular, failure to provide such information about any third party SDK or plugin is also considered a breach of the law;
  • Failure to provide data subjects with the required details about any separate controller (e.g. name, contact information, categories of personal data processed, processing purposes, etc.) or to obtain the separate consent of data subjects before sharing their personal data with the separate controller;
  • Failure to obtain the separate consent of data subjects before processing their sensitive personal data;
  • Failure to provide users with the App functions to delete personal data or de-register accounts, or to complete the deletion or deregistration within 15 business days; or setting unreasonable conditions for users to de-register accounts;
  • Failure to formulate special rules for processing the personal data of minors (under the age of 14) or to obtain parental consent before processing the personal data of minors; and
  • Failure to take appropriate encryption, de-identification and other security measures, taking into account the nature of the processing and its impact on the rights and interests of data subjects.

The above enforcement focuses are also consistent with the audit points highlighted in the newly released personal data protection audit rules (see our article here). We expect the same enforcement trend to continue into 2025. Companies that process personal data in China or in connection with business in China are advised to review their compliance status with the requirements of Chinese law and take remedial action in a timely manner.

Malaysia: Guidelines Issued on Data Breach Notification and Data Protection Officer Appointment https://privacymatters.dlapiper.com/2025/03/malaysia-guidelines-issued-on-data-breach-notification-and-data-protection-officer-appointment/ Tue, 04 Mar 2025 12:16:46 +0000

Following Malaysia’s introduction of data breach notification and data protection officer (“DPO”) appointment requirements in last year’s significant amendments to the Personal Data Protection Act (“PDPA”) (click here for our summary), the Personal Data Protection Commissioner of Malaysia (“Commissioner”) recently released guidelines that flesh out such requirements, titled the Guideline on Data Breach Notification (“DBN Guideline”) and the Guideline on Appointment of Data Protection Officer (“DPO Guideline”). With the data breach notification and DPO appointment requirements set to come into force on 1 June 2025, organisations subject to the PDPA, whether data controllers or processors, are recommended to understand and adapt to these guidelines to ensure compliance.

DBN Guideline

When must a personal data breach be notified to the regulator and affected data subjects?

A data controller must notify a personal data breach to both the Commissioner and affected data subjects if it causes or is likely to cause “significant harm”, which includes a risk of any of the following:

  • physical harm, financial loss, a negative effect on credit records, or damage to or loss of property;
  • misuse of personal data for illegal purposes;
  • compromise of sensitive personal data;
  • combination of personal data with other personal information that could potentially enable identity fraud; or
  • (for the purpose of notification to the Commissioner only) a breach of “significant scale”, i.e. involving more than 1,000 affected data subjects.

What is the timeframe to make data breach notifications?

The timeframe for notifications is as follows:

  • Notification to the Commissioner: as soon as practicable and within 72 hours from the occurrence of the breach. If notification cannot be made to the Commissioner within 72 hours, a written notice detailing the reasons for the delay and providing supporting evidence must be submitted; and
  • Notification to affected data subjects: without unnecessary delay and within seven days of notifying the Commissioner.

What are the other key obligations related to personal data breaches?

A data controller should:

  • DPA: contractually obligate its data processor to promptly notify it of a data breach and to provide it with all reasonable and necessary assistance to meet its data breach notification obligations;
  • Management and response plans: put in place adequate data breach management and response plans;
  • Training: conduct periodic training as well as awareness and simulation exercises to prepare its employees for responding to personal data breaches;
  • Breach assessment and containment: act promptly as soon as it becomes aware of any personal data breach to assess, contain, and reduce the potential impact of the data breach, including taking certain containment actions (such as isolating compromised systems) and identifying certain details about the data breach in its investigation; and
  • Record-keeping: maintain a register of the personal data breach for at least two years to document the prescribed information about the data breach.

DPO Guideline

Who are required to appoint DPOs?

An organisation, in the role of either a data controller or a data processor, is required to appoint a DPO if its processing of personal data involves:

  • personal data of more than 20,000 data subjects;
  • sensitive personal data including financial information of more than 10,000 data subjects; or
  • activities that require “regular and systematic monitoring” of personal data.

Who can be appointed as DPOs?

DPOs may be appointed from among existing employees or through outsourcing services based on a service contract. They must:

  • Expertise: demonstrate a sound level of prescribed skills, qualities and expertise;
  • Language: be proficient in both Malay and English languages; and
  • Residency: be either resident in Malaysia or easily contactable via any means.

What are the other key obligations related to DPO appointments?

A data controller required to appoint a DPO should:

  • Notification: notify the Commissioner of the appointed DPO and their business contact information within 21 days of the DPO appointment;
  • Publication: publish the business contact information of its DPO through:
      • its website and other official media;
      • its personal data protection notices; or
      • its security policies and guidelines; and
  • Record-keeping: maintain records of the appointed DPO to demonstrate compliance.

A data processor required to appoint a DPO should comply with the publication and record-keeping obligations above in relation to its DPO.

Next Steps

The new guidelines represent a significant step in the implementation of the newly introduced data breach notification and DPO appointment requirements. All organisations subject to the PDPA, whether data controllers or processors, should carefully review the guidelines and take steps to ensure compliance by 1 June 2025. This includes updating relevant internal policies (such as data breach response plans and record-keeping and training policies) and contracts with data processors to align with the guidelines. Additionally, organisations should assess whether a DPO appointment is necessary and, if so, be prepared to complete the appointment and notification processes and update their privacy notices, websites and other media to include DPO information.

US: Executive Order on federal agencies https://privacymatters.dlapiper.com/2025/02/executive-order-on-federal-agencies/ Thu, 27 Feb 2025 23:36:19 +0000

This article was originally posted to our Market Edge blog.

By Era Anagnosti, Brent Bernell, Daniel Caprio, Steven Phillips, Andrew Serwin, and John Gevertz

On February 18, 2025, President Donald J. Trump signed an Executive Order (EO), entitled, “Restoring Democracy and Accountability in Government,” which asserts greater authority over all federal agencies, including those established by Congress as independent from direct presidential control. The EO specifically lists the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), the National Labor Relations Board (NLRB), and the Federal Reserve Board as relevant agencies.  

The EO could lead to delays, if not cancellations, of pending and proposed regulations at those agencies. At a minimum, it introduces uncertainty as it newly subjects all of their “significant regulatory actions” to White House review. Moreover, the EO reflects an intent (or represents an effort) to fundamentally change the current regulatory environment.

Specifically:

  • The EO asserts that Article II of the US Constitution vests all executive power in the President, meaning that all executive branch officials and employees are subject to the President’s supervision and control.
  • The EO declares that all agencies must submit draft regulations for White House review – with no carve-out for so-called independent agencies, except for the monetary policy functions of the Federal Reserve.
  • The EO further provides that agencies must consult with the White House on their priorities and strategic plans, and that the White House will set their performance standards, with the Office of Management and Budget adjusting the agencies’ funding apportionments to ensure tax dollars are spent in a manner that is consistent with White House priorities.
  • The President and the Attorney General (subject to the President’s supervision and control) will interpret all applicable law for the executive branch, meaning that, instead of allowing separate agencies to interpret their own enabling legislation, they must accept the Justice Department’s and White House’s interpretation as binding.

The EO follows the firing of the leaders of some of the independent agencies – in apparent contravention of the statutes that bar their dismissal without cause before the expiration of their terms. A number of those dismissals are currently being challenged in various federal courts.

While the EO purports to limit the independence of the agencies even in their areas of expertise, the Loper Bright decision last year had already resulted in the courts no longer deferring to the agencies’ expertise. In a 6-3 decision in Loper Bright, the Supreme Court overruled the Chevron doctrine, which held that where a statute was ambiguous or had not addressed the precise question at issue, courts would defer to a reasonable interpretation by the agency charged with implementing the statute. Instead, the Supreme Court held that “courts, not agencies, will decide all relevant questions of law arising on review of agency action” and expressly stated that there was to be “no deferential standard for courts to employ in answering those legal questions.” It remains to be seen whether the courts will accept the EO’s assertion that the White House and the Attorney General are the sole and final arbiters of the meaning of laws passed by Congress.

The patina of independence at the FTC, FCC, and SEC has been blurred over the past two decades by various EOs and executive branch actions. For example, the Biden Administration’s EO 14036 in 2021, titled “Promoting Competition in the American Economy”, served to establish a “whole-of-government effort to promote competition in the American economy” by encouraging stronger enforcement of antitrust law. The Biden EO directed over a dozen federal agencies, including the FTC, to take action on 72 separate initiatives identified by the Biden Administration as beneficial for curbing anti-competitive practices. The order additionally established the White House Competition Council, a fifteen-member committee led by the National Economic Council. Also, in 2015, President Barack Obama called upon the FCC to take up the strongest possible rules to protect net neutrality, the principle that internet service providers (ISPs) should treat all internet traffic equally. The FCC voted along party lines in favor of strong net neutrality rules to keep the internet open and free.

Still, the 2025 EO marks an unprecedented shift with its explicit assertion of control over executive branch agencies – which may increase the likelihood of legal challenges and the potential for a Congressional response, given that agencies such as the FTC, FCC, and SEC were created as independent agencies by Congress.

In recent years, rulings from the Supreme Court have cabined agency authority. Notably, the Court’s ruling in Loper Bright Enterprises v. Raimondo, 603 US 369 (2024), overruled the Chevron deference doctrine, which required courts to defer to an agency’s reasonable interpretation of an ambiguous provision it is charged with implementing. The Supreme Court held that “courts, not agencies, will decide all relevant questions of law arising on review of agency action” and expressly stated that there was to be “no deferential standard for courts to employ in answering those legal questions.” Loper Bright applies equally to all agencies – including agencies like the SEC, FTC, and FCC that are charged with interpreting particularly technical statutes in policy-laden areas of regulatory law.

In combination, Loper Bright and the EO, which challenges their independence, usher in a new era of regulation of American businesses at a time when technology and the economy are rapidly growing more complex. In this new era, uncertainty for businesses may increase as the authority to interpret governing law shifts away from the institutions with the highest levels of technical expertise. At the same time, businesses have more opportunities than before to challenge proposed rules and final regulations that are averse to their interests – by bringing their concerns to the attention of the White House and, if promulgated, challenging them in court. 

It remains to be seen how this EO will be implemented and how either the courts or Congress will respond. However, at minimum, absent a court order barring its implementation, it is likely that the EO will delay pending rulemakings, including the FTC’s privacy “surveillance rule” launched during the Biden Administration.

There are many unanswered questions as to the impact of this EO, and DLA Piper is prepared to advise companies as they navigate through this uncharted territory.

CHINA: Mandatory Data Protection Compliance Audits from 1 May 2025 https://privacymatters.dlapiper.com/2025/02/china-mandatory-data-protection-compliance-audits-from-1-may-2025/ Thu, 20 Feb 2025 11:19:41 +0000

Chinese data regulators are intensifying their focus on the data protection compliance audit obligations under the Personal Information Protection Law (“PIPL“), with the release of the Administrative Measures for Personal Information Protection Compliance Audits (“Measures“), effective 1 May 2025.

The Measures outline the requirements and procedures for both self-initiated and regulator-requested compliance audits.

(Interestingly, they also clarify some other PIPL obligations, such as the data volume threshold for appointing a DPO as well as the necessity of separate consent for some processing activities.)

Who must conduct data protection compliance audits, and when?

The Measures require a data controller processing personal data of more than 10 million individuals to conduct a self-initiated compliance audit of its personal data processing activities (“Self-Initiated Audits“) at least once every two years.

Data controllers below this volume threshold should still conduct Self-Initiated Audits on a regular basis as is already prescribed under the PIPL, as a matter of good governance.

In addition, the CAC or other data regulators may instruct any data controller to conduct an audit (“Regulator-Requested Audits“):

  1. when personal data processing activities are found to involve significant risks, including serious impact on individuals’ rights and interests or a serious lack of security measures;
  2. when processing activities may infringe upon the rights and interests of a large number of individuals; or
  3. following a data security incident involving the leakage, tampering, loss, or damage of personal information of one million or more individuals, or sensitive personal information of 100,000 or more individuals.

The audit report for Regulator-Requested Audits must be submitted to the regulator. The regulator may request data controllers to undertake rectification steps, and a subsequent rectification report must be provided to the regulator within 15 business days of completing the rectification steps.

Data controllers may, if they wish or when requested by the regulator, engage an accredited third party to conduct the audit (but the third party and its affiliates must not conduct more than three such audits in total for the same organisation).  

DPOs of data controllers processing personal data of more than one million individuals are responsible for overseeing the audit activities.

Key elements to be audited

The Measures outline a detailed set of key elements to be audited, which offer valuable insights into the detailed compliance steps expected from controllers for compliance with PIPL obligations, and will help organisations to scope their audits. Unsurprisingly, these elements cover every facet of PIPL compliance, spanning the whole data lifecycle. They include: lawful bases, notice and consent, joint controllership, sharing or disclosing personal data, cross-border data transfers, automated decision-making, image collection/identification equipment, processing publicly available personal data, processing sensitive personal data, retention and deletion, data subject right requests, internal data governance, data incident response, privacy training, Important Platform Providers’ platform rules and CSR reports, etc.

Thailand: PDPC’s Clarification on Personal Data Breach Notification https://privacymatters.dlapiper.com/2025/02/thailand-pdpcs-clarification-on-personal-data-breach-notification/ Mon, 03 Feb 2025 10:58:10 +0000

Since the full implementation of Thailand’s Personal Data Protection Act (PDPA) in June 2022, the Personal Data Protection Committee (PDPC) has been instrumental in shaping the nation’s data protection framework. Recently, the PDPC provided detailed clarifications on data breach notification requirements by responding to the public consultation, offering essential guidance for organizations striving to comply with the PDPA.

Data Breach Risk Assessment

Under the PDPA, data controllers are required to notify the office of the PDPC of a data breach incident without delay and within 72 hours of becoming aware of the breach, unless the breach poses no risk to individuals’ rights and freedoms.

The PDPC clarified that data controllers should assess the risk to individuals’ rights and freedoms by considering the factors outlined in Section 12 of the Notification of the Personal Data Protection Committee on Criteria and Procedures for Personal Data Breach Notification B.E. 2565 (2022) (“Notification“).

These factors include:

  1. The nature and category of the personal data breach.
  2. The type and volume of affected personal data, and the status of the affected data subjects (e.g., minors, disabled persons, vulnerable individuals).
  3. The severity of the impact and potential damage to the affected data subjects, including the effectiveness of the preventive or remedial measures.
  4. The broad-ranging effects on the data controller’s business or public due to the breach.
  5. The nature of the relevant data storage system and associated security measures, including organizational, technical, and physical measures.
  6. The legal status of the data controller.

If data controllers determine that the breach poses no risk to individuals’ rights and freedoms by considering these factors, they are not obligated to notify the PDPC. However, the PDPC advised that data controllers retain all information, documents, and records related to the risk assessment as evidence in case of future complaints, regulatory inquiries, or inspections.

Starting the 72-Hour Period

The PDPC advised that the 72-hour notification period begins when the data controller reasonably believes a breach has occurred or is likely to occur, based on a preliminary assessment and verification as specified in Section 5 of the Notification.

According to Section 5 of the Notification, upon being informed of a data breach incident, data controllers must first verify the credibility of the information, promptly investigate the relevant facts, and review the security measures in place (for both themselves and their data processors), including investigating the data controllers’ and their processors’ personnel, to determine whether there are reasonable grounds to believe a breach has occurred.

The PDPC further clarified that the precise commencement of this 72-hour period must be evaluated individually for each case. In certain situations, breaches may be immediately evident, such as when personal data is mistakenly sent to an incorrect email recipient. Conversely, other cases may necessitate additional time to verify the breach, such as when investigating a reported data leak resulting from a cyberattack. Data controllers should exercise their judgment to ascertain when there are sufficient grounds to suspect a breach has occurred.

Phased Notification and Late Notification of Data Breaches

The PDPC explained that in cases where a personal data breach poses a risk to the rights and freedoms of individuals, data controllers may consider notifying the PDPC in phases. Initially, data controllers should report the breach as soon as possible, providing preliminary information. Additional details can be submitted later once further investigation has been conducted and more information is available.

If a data controller is unable to notify the PDPC within the 72-hour timeframe, they must do so as soon as possible, but no later than 15 days from becoming aware of the breach. The data controller must provide a valid explanation and relevant details to the PDPC, demonstrating that the delay was due to unavoidable circumstances.

This approach provides flexibility and allows data controllers to manage breaches effectively while ensuring compliance with the legal requirements.

Conclusion

The clarifications provided by the PDPC on data breach notification requirements are essential for organizations striving to comply with the PDPA. Data controllers can now make informed decisions about whether to report a data breach using the outlined criteria for assessing the risk to individuals’ rights and freedoms. The emphasis on timely notification given by the PDPC further allows data controllers to manage data breaches effectively. Additionally, the guidance on phased notifications and allowances for delayed reporting provides flexibility for data controllers in dealing with breaches, ensuring they can meet legal requirements. By adhering to these clarifications, business operations can protect individuals’ rights and freedoms while maintaining compliance with the PDPA.
