Anna Gamvros

Hong Kong’s data privacy law reform may come in 2023

By Anna Gamvros and Edward Yau (HK) on March 6, 2023 Posted in General

The reform of Hong Kong’s Personal Data (Privacy) Ordinance (Cap.486) (the PDPO) is back on the agenda. In our earlier post in 2020, we reported that the Constitutional and Mainland Affairs Bureau published a discussion paper (the Discussion Paper) seeking the Legislative Council’s Panel on Constitutional Affairs’ (the Panel) views on proposed changes to the … Continue reading

Hong Kong: Data Security Measures Guidance published by the PCPD

By Anna Gamvros and Edward Yau (HK) on March 1, 2023 Posted in Cybersecurity

As data breaches and cyber attacks continue to surge and attackers become more sophisticated, organisations are well aware that the need for robust data security measures is becoming increasingly important. In Hong Kong, the Office of the Privacy Commissioner for Personal Data (the PCPD) recently published a Guidance Note on Data Security Measures for Information … Continue reading

Privacy Act Review report

By Ka-Chi Cheung, Anna Gamvros, Jim Lennon (AU) and Ross Phillipson on February 23, 2023 Posted in Privacy law

The Attorney General’s Department released its Privacy Act Review report on 16 February 2023, that includes the broad suite of reforms you would expect to bring Australia’s privacy laws in to line with both international standards and the reality of our data-based economy. These include enhanced data subject rights and increased accountability requirements for organisations collecting and … Continue reading

What you should do now in light of the Privacy Reform bill

By Ross Phillipson and Anna Gamvros on October 26, 2022 Posted in Cybersecurity, Privacy law

Major privacy law reform in Australia gathered pace this week, with newly tabled legislation proposing to significantly increase penalties for privacy breaches, among other reforms. Now is the time to start asking questions In preparation for these reforms, companies that collect and process personal information should be asking the following questions: Do we know what … Continue reading

Draft standard contractual clauses provisions, final security assessment measures and final certification guidelines for cross border data transfer released

By Anna Gamvros and Ruby Kwok (HK) on August 4, 2022 Posted in Cybersecurity

The long awaited details with respect to cross border data transfer under the China Personal Information Protection Law (PIPL) have very recently been published by the Chinese authorities. The details are set out in three documents: final Certification Guidelines for Cross Border Data Transfer (网络安全标准实践指南 – 个人信息跨境处理活动安全认证规范 “) (“Certification Guidelines“) released on 24 June 2022; … Continue reading

Are you critical? Amendments to the Security of Critical Infrastructure Act (2018) dramatically expand its scope and impact across Australian industry

By Ross Phillipson, Ming Kalanon and Anna Gamvros on December 6, 2021 Posted in General

Introduction Significant changes to the law with respect to security of critical infrastructure in Australia, including enhanced cybersecurity incident reporting requirements and the inclusion of further asset classes have been passed. On 22 November 2021, the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Bill) passed both houses of the federal parliament of Australia and will … Continue reading

Flurry of activity in the Privacy Act review, including tougher penalties and new online privacy framework

By Nick Abrahams (AU), Scott Atkins (AU), Ka-Chi Cheung, Anna Gamvros, Peter Mulligan (AU), Benjamin Kende, Jim Lennon (AU) and Ross Phillipson on November 25, 2021 Posted in Cybersecurity

This article was co-authored with India Bennett. After months of anticipation regarding the ongoing review of the Privacy Act 1988 (Cth), the Federal Government has galvanized the Australian privacy landscape with two significant developments. Firstly, the Government has released a discussion paper about the reform of the Privacy Act. The discussion paper considers stakeholder feedback on the issues paper released in October 2020 … Continue reading

Transfer data outside of China: New security review regulation companies should know

By Anna Gamvros and Lianying Wang (CN) on November 11, 2021 Posted in General

The Cyberspace Administration of China (CAC) released the draft Security Review Measures for Cross-Border Data Transfer (the Draft Security Review Measures) for public comments on 29 October 2021 – shortly before the effective date of the Personal Information Protection Law (PIPL), 1 November 2021. The three pillars of China’s cyber security and data legislation – … Continue reading

A Tale of Two Cities: The Right of Private Action in Data Protection in Singapore and Hong Kong

By Wilson Ang, Anna Gamvros, Jeremy Lua (SG) and Edward Yau (HK) on November 2, 2021 Posted in Dispute resolution and litigation, General, PDPA, Privacy law

The Singapore High Court and the Hong Kong District Court have both considered the right to compensation for injury to feelings in two recent cases involving misuse of personal data but arrived at different conclusions. Singapore: In Bellingham, Alex v. Reed, Michael, Mr. Bellingham obtained the email addresses of his former employers’ customers without their … Continue reading

Hong Kong: Bill to combat doxxing acts passed

By Edward Yau (HK) and Anna Gamvros on October 7, 2021 Posted in Cybercrime, Cybersecurity, Privacy law

The Personal Data (Privacy) (Amendment) Bill 2021 (the Bill) aimed at combatting doxxing in Hong Kong was passed on 29 September 2021. As discussed in our earlier post, the Bill amends the Personal Data (Privacy) Ordinance (PDPO) by: introducing offences to criminalize doxxing acts; empowering the Privacy Commissioner for Personal Data (the Commissioner) to conduct … Continue reading

PIPL: A game changer for companies in China

By Anna Gamvros and Lianying Wang (CN) on August 24, 2021 Posted in Compliance and risk management, Cybersecurity

China passed its Personal Information Protection Law (PIPL) on 20 August 2021. This is China’s first omnibus data protection law, and will take effect from 1 November 2021 allowing companies just over two months to prepare themselves. The PIPL is a game changer for any company with data or business in China. It will add … Continue reading

China passes the Personal Information Protection Law

By Anna Gamvros and Lianying Wang (CN) on August 20, 2021 Posted in Compliance and risk management, Cybersecurity

China passed its Personal Information Protection Law (PIPL) on 20 August 2021. The new law will take effect from 1 November 2021 allowing companies just over 2 months to prepare themselves. The full text has not been made public yet. In addition, China published the Provisions on the Administration of Security of Automobile Data (For … Continue reading

“Am I a CII operator?” – New regulation in China provides more clarity

By Anna Gamvros and Lianying Wang (CN) on August 18, 2021 Posted in Cybersecurity, Data Transfer, Regulatory response

China’s Cyber Security Law (CSL), enacted in 2016, requires operators of critical information infrastructure (CII) to follow a number of enhanced security obligations, including storing within China all personal information and important data collected or generated during their operations in China. Given the more onerous obligation on CII operators, we are constantly asked the same … Continue reading

China’s evolving data laws: PIPL likely to be passed soon

By Anna Gamvros and Lianying Wang (CN) on August 5, 2021 Posted in Cybersecurity, General

China’s much anticipated Personal Information Protection Law (PIPL) is very likely to pass this month after the conclusion of the 30th meeting of the Standing Committee of the National People’s Congress, which is to be held in Beijing on 17-20 August. This follows the enactment earlier this year of the Data Security Law (DSL), which … Continue reading

Hong Kong: Bill to amend the Personal Data (Privacy) Ordinance to combat doxxing acts was gazetted today

By Anna Gamvros, Ruby Kwok (HK) and Edward Yau (HK) on July 15, 2021 Posted in General

The Personal Data (Privacy) (Amendment) Bill 2021 (the Bill) was gazetted today, 16 July 2021. The Bill aims to combat doxxing acts through (i) criminalisation of doxxing acts; (ii) empowering the Privacy Commissioner for Personal Data to conduct criminal investigation and institute prosecution for doxxing cases; and (iii) conferring on the Commissioner statutory powers to … Continue reading

Proposed amendments to the Personal Data (Privacy) Ordinance to combat doxxing acts

By Anna Gamvros, Ruby Kwok (HK) and Edward Yau (HK) on June 3, 2021 Posted in Regulatory response

The Hong Kong Government is proposing amendments to the Personal Data (Privacy) Ordinance (the “PDPO”) to combat doxxing acts. On 17 May 2021, the Constitutional and Mainland Affairs Bureau (the “CMAB”) published a discussion paper on the proposed amendments to the Personal Data (Privacy) Ordinance to combat doxxing acts (LC Paper No. CB(4)974/20-21(03)) (the “Paper”). … Continue reading

Hong Kong introduces a contact tracing app

By Anna Gamvros and Edward Yau (HK) on November 15, 2020 Posted in Cybersecurity, Enforcement, Regulatory response

As countries around the globe continue to battle the COVID-19 pandemic, contact tracing apps continue to evolve and be developed. On November 16, 2020, the Hong Kong government is launching a voluntary contact tracing app. The app, known as LeaveHomeSafe, will enable users to record the date and time they visited participating venues by scanning … Continue reading

Contact tracing apps: A new world for data privacy

By Anna Gamvros and Steven Hadwin (UK) on May 13, 2020 Posted in General

May 12, 2020 Norton Rose Fulbright today launched its survey analysing regulatory and policy issues applicable to COVID-19 contact tracing and related tracking technology across 18 jurisdictions. The global survey explores key issues across Australia, Canada, China, France, Germany, Hong Kong, Italy, Indonesia, Russia, Poland, Singapore, South Africa, Thailand, The Netherlands, Turkey, UAE, UK and … Continue reading

How contact tracing apps in Asia are being used to fight COVID-19 – is the reward worth the risk?

By Anna Gamvros and Libby Ryan (HK) on April 24, 2020 Posted in General

The COVID-19 pandemic has seen governments across the world restricting civil liberties and movement to unprecedented levels. To aid the safe lifting of current public health restrictions, new technologies are being developed and rolled out to automate labour intensive tasks critical to containing the spread of the virus, such as contact tracing. Contact tracing applications … Continue reading

Thailand Personal Data Protection Law

By Tassanai Kiratisountorn, Pimchanok Eianleng, Anna Gamvros and Ruby Kwok (HK) on February 28, 2020 Posted in Regulatory response

Background The Personal Data Protection Act B.E. 2562 (2019) (PDPA) was published on 27 May 2019 in Thailand’s Government Gazette and became effective the following day. However, most of the operational provisions, including provisions relating to the rights of a data subject, the obligations of a data controller and the penalties for non-compliance, will become … Continue reading

Changes to Hong Kong’s data protection law discussed by government panel

By Anna Gamvros and Libby Ryan (HK) on January 21, 2020 Posted in Compliance and risk management, Regulatory response

The discussion paper on the proposed changes to Hong Kong’s Personal Data (Privacy) Ordinance (Cap.486) (the PDPO) was debated by the Legislative Council’s Panel on Constitutional Affairs’ (the Panel) on 20 January. The proposals set out in LC Paper. No. CB(2) 512/19-20(03) (the Paper) are summarised in our earlier post.… Continue reading

Discussion paper published on Hong Kong’s data protection law

By Anna Gamvros on January 16, 2020 Posted in Regulatory response

Written by Partner Anna Gamvros and Associate Libby Ryan, both based in the Hong Kong office. Earlier this week, the Constitutional and Mainland Affairs Bureau (the CMAB) released its discussion paper (LC Paper. No. CB(2) 512/19-20(03) (the Paper) seeking the Legislative Council’s Panel on Constitutional Affairs’ (the Panel) views on proposed changes to the Personal … Continue reading

Overview of Thailand Draft Personal Data Protection Act

By Natpakal Rerknithi (TH), Anna Gamvros and Ruby Kwok (HK) on August 6, 2018 Posted in Regulatory response

Data protection laws in Asia continue to be introduced and updated. One of the most recent developments in South East Asia is in Thailand. On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). This Draft Act is currently under consideration by the … Continue reading