On November 7, 2016, the Standing Committee of the National People’s Congress of China promulgated the Cyber Security Law of the People’s Republic of China (the “Cyber Security Law”) after three rounds of readings in June 2015, June and October 2016, respectively. The Cyber Security Law will enter into force on June 1, 2017. As early as July 1, 2015, the National Security Law of the People’s Republic of China was promulgated, expressly providing that the state shall “safeguard sovereignty and security of cyberspace in the state,” a theme that is reiterated and emphasized in Article 1 of the Cyber Security Law. The introduction of the concept of “cyber space sovereignty” in the Cyber Security Law echoes the views of President Xi Jinping, who is also the head of the Office of the Central Leading Group for Cyberspace Affairs, and who has stated in February 2014 that “[n]o cyber safety means no national security.” Critically, the Cyber Security Law may have global implications, as the Law applies to both Chinese and international businesses engaging in the construction, operation, maintenance or use of information networks in China.
On Sept. 6, the Hong Kong Monetary Authority (the HKMA) announced two initiatives targeted at raising Hong Kong’s profile as a fintech hub: the setting up of the Fintech Innovation Hub (the Hub) and the Fintech Supervisory Sandbox (the Sandbox).
The Singapore government has renewed its emphasis on cybersecurity due to the increase in incidents affecting the private and public sectors both domestically and around the world. As a result, Singapore set up its Cyber Security Agency (CSA) on April 1, 2015, to oversee strategy, education, outreach and industry development. On April 11, 2016, Dr. Yaacob Ibrahim, Minister for Communications and Information, announced that the government would develop a Cybersecurity Act (Cybersecurity Bill), which is expected to be tabled in Parliament next year.
On July 7, Russian President Vladimir Putin signed a law amending existing anti-terrorism legislation that could affect U.S. telecom and internet service companies operating in Russia. It will require that telecommunications operators and internet service providers (“ISPs”) retain up to 6 months of data, including personal data and communications content, as well as metadata, for periods up to 3 years. Further, if any encryption is used to protect the data, the telecommunication or internet service provider must provide the Russian authorities the decryption technology.
On January 1, 2016, China’s National People’s Congress Standing Committee enacted the new Anti-Terrorism Law (反恐怖主义法) that gives broad powers to the Chinese authorities to access and handle data held by telecommunications operators and internet providers (together, “Technology Companies”). This law provides a legal framework to compel Technology Companies to cooperate and assist the Chinese authorities to combat the threat of “terrorism.”
The second edition of The Privacy, Data Protection and Cybersecurity Law Review appears as the world is converging on more privacy laws that cover more areas of business and are subject to more enforcement. Several Sidley lawyers in the Privacy, Data Security and Information Law practice have contributed to this publication, including Alan Charles Raul, William RM Long, Geraldine Scali, Catherine M. Valerio Barrad, Yuet Ming Tham, Jillian Lee, Takahiro Nonaka, Tasha D. Manoranjan, and Vivek K. Mohan. For a closer look at this developing area of law, please visit http://www.sidley.com/the-privacy-data-protection-and-cybersecurity-law-review-11-2015.
Despite having previously stated it would not issue further clarifications, in August 2015, the Russian Ministry of Communications and Mass Media (Minkomsvyaz) issued a further statement regarding the data localization law. The Ministry of Communications is empowered to supervise the data protection authority (Roskomnadzor) and to provide interpretations of laws that fall within their purview (including the data localization law). The Minkomsvyaz statement reiterated that the law does not have retroactive effect – personal data of Russians collected prior to September 1, 2015 may reside in foreign jurisdiction so long as they are not updated or changed, at which point they would be subject to the localization requirement. The clarification further noted that data localization requirement would not apply to entities that are not resident in Russia. This statement is notable for being issued in writing, and providing companies with a statement of standards and expectations that may be cited by companies should issues arise.
See previous coverage in Data Matters July 21, 2015 Post: Impending Russian Data Localization Law
Sidley does not practice law in Russia, so the information here is based on our understandings from public sources and discussions with local counsel. This article should not be construed as advice about Russian law.
On April 24, 2015, China amended its Advertising Law for the first time since its initial promulgation in 1994. The amended Advertising Law (the “Amended Law”) will take effect on September 1, 2015. In the absence of a comprehensive data protection law in China, the Amended Law introduces certain provisions addressing data and privacy issues, in addition to existing data privacy rules which are scattered in various laws and regulations.
On July 1, 2015, China’s top legislature adopted a new National Security Law (中华人民共和国国家安全法), highlighting cyber security and paving the way for a coordinated crisis management system. The law aims to provide a general legislative framework to cover a wide range of areas, ranging from finance, politics, the military and cyber security to culture, ideology and religion.