The Regulations, which took effect on January 1, 2025, reiterate and clarify existing requirements and introduce new ones on privacy and network data security.

By Hui Xu and Bianca H. Lee

On September 30, 2024, the PRC State Council released the finalized Regulations on Network Data Security Management (Regulations), concluding a three-year consultation process since the initial draft in 2021.

The Regulations took effect January 1, 2025, and build upon the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL), which form China’s legal framework for data protection and security. The Regulations integrate common cybersecurity requirements from these laws, applying them to “network data processing activities,” which include all electronic data processed through networks.

The Privacy Commissioner for Personal Data reminds organisations to review and implement appropriate data security measures amidst more data breaches.

By Kieran Donovan, Anthony Liu, and Jacqueline Van

On 13 February 2023, the Privacy Commissioner for Personal Data of Hong Kong (PCPD) published an article titled “Guidance on Data Security – Heightened Importance of Data Security Amid Increased Cyberthreats”. The article discusses the increasing trend of cyberattack incidents, identifies common vulnerabilities based on data incidents the PCPD has investigated, and sets out practical guidance for data security measures.

The guidance outlines steps that organizations should take to enhance data security as hybrid working and learning introduce new risks.

By Kieran Donovan and Malika Sajdik

On August 30, 2022, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued a Guidance Note on Data Security Measures for Information and Communications Technology (the Guidance Note).

The Guidance Note was published in light of the “new normal” of hybrid working and learning, which has heightened personal data security risks from the increased digitization of data and use of information and communications technology (ICT). In 2021, the PCPD received a total of 140 personal data breach notifications from organizations, representing a year-on-year increase of 36%, and in the first seven months of 2022 alone, the PCPD received 68 data breach notifications. Common incidents reported included hacking, unauthorized access to personal data by employees, loss of documents or portable devices, and inadvertent disclosure of personal data via email.

The proposed Data Security Law has a broad jurisdictional scope and will expand the PRC’s regulatory framework for information and data.

By Hui Xu, Gail E. Crawford, Jennifer C. Archie, Kieran Donovan, and Aster Y. Lin

On July 3, 2020, the Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) issued the draft Data Security Law (DSL) for public comment. Once finalized, the DSL, together with the PRC Network Security Law and the proposed PRC Personal Information Protection Law, will form an increasingly comprehensive legal framework for information and data security.

Brazilian Congress passes a data protection bill that seeks to improve privacy and cybersecurity.

By Amadeu Ribeiro and Thiago Luís Sombra (Mattos Filho, Veiga Filho Marrey Jr e Quiroga Advogados) and Jennifer Archie and Terese Saplys

The Brazilian Congress has been working on a bill relating to the protection of personal data for over eight years. The Senate approved the bill, known as the General Data Protection Act (GDPA), on 10 July 2018, and the bill was sent to the President for execution. A window of 15 business days (i.e., up to and including 13 August 2018) within which the President may veto the bill now follows. If the President does not actively reject the bill, it automatically becomes law. Thereafter, businesses will have an 18-month grace period (i.e., up to and including 13 February 2020) to adjust to the change in law before it becomes effective on 14 February 2020.

What Is the GDPA?

The GDPA was motivated in part by Brazil’s desire to be admitted to the OECD and to prevent disruption in its commerce with the European Union and other important trading partners. As such, the GDPA seeks to match the level of protection afforded to data subjects by the laws of these trading partners.

By Michael Rubin, Scott Jones, and Cooper Rekrut

On September 19, 2017, Judge Donato of the Northern District of California ruled on Defendant D-Link System Inc.’s (D-Link) Motion to Dismiss, which challenged claims by the Federal Trade Commission (FTC) that D-Link’s conduct constituted unfair and deceptive trade practices in violation of Section 5 of the FTC Act.

The FTC’s complaint alleges that D-Link failed to implement adequate data security with respect to routers and IP cameras it marketed and sold to the public. According to the FTC’s complaint, D-Link’s routers and IP cameras were susceptible to well-known exploits and other vulnerabilities that left consumers at risk of compromise by hackers. The FTC alleged that these practices were both deceptive (contrary to D-Link’s representations about the security of its products) and unfair (caused or were likely to cause substantial injury to consumers).

Speakers: Jennifer Archie, Kevin Boyle, Gail Crawford & David Schindler

The legal and business consequences of recent high-profile data breaches are varied and severe. Today, lawyers and executives for large enterprises must assess and advise on complex multi-jurisdictional notification, investigation, litigation and remedial issues that arise following a major data breach incident. How are general counsel and executives to respond to the broad spectrum of cyber intrusions that threaten a company’s most sensitive information, particularly where data sets

August 2 Webcast to Consider Risks and Responses

A recent high-profile enforcement action by the Federal Trade Commission (FTC) provides meaningful context and occasion for examining data security risks in the hospitality industry.

In late June, the FTC filed suit against global hospitality company Wyndham Worldwide Corp. and three of its subsidiaries for alleged data security failures that led to three data breaches at 45 Wyndham properties in less than two years. The action followed an expansive and expensive civil