Anna Gamvros

China proposes to ease cross border data transfer restrictions

By Anna Gamvros and Ruby Kwok (HK) on October 20, 2023 Posted in Data Protection, Data Transfer

On 28 September 2023, the Cybersecurity Administration of China (CAC) released the Draft Provisions on Regulating and Promoting Cross Border Data Flow (规范和促进数据跨境流动规定) (Draft Provisions) for public consultation. The Draft Provisions, if passed, will ease the requirements around cross border data transfer under the Personal Information Protection Law (PIPL). The consultation closed on 15 October … Continue reading

Hong Kong: Revised Breach Handling and Notifications Guidance published by the PCPD

By Anna Gamvros, Edward Yau (HK) and Steven Chong on August 4, 2023 Posted in Cybersecurity

As data breaches and cyber-attacks continue to surge and attackers become more sophisticated, a comprehensive data breach response plan and robust data security measures are becoming increasingly important. In Hong Kong, the Office of the Privacy Commissioner for Personal Data (the PCPD) recently published a revised Guidance on Breach Handling and Data Breach Notifications (the … Continue reading

China finalises its Generative AI Regulation

By Anna Gamvros, Edward Yau (HK) and Steven Chong on July 25, 2023 Posted in General

The Provisional Administrative Measures of Generative Artificial Intelligence Services (Generative AI Measures), were published by the Cyberspace Administration of China (CAC), together with six other authorities, on 13 July 2023 and will take effect from 15 August 2023. The Generative AI Measures, along with the likely enactment of the Artificial Intelligence Law in the 2023 legislative … Continue reading

European Commission and ASEAN releases Guide to ASEAN Model Contractual Clauses and EU Standard Contractual Clauses

By Marcus Evans (UK), Anna Gamvros, Wilson Ang and Jeremy Lua (SG) on June 26, 2023 Posted in Data Protection, Data Transfer, PDPA, Privacy law

Introduction To enable international businesses to comply with cross-border personal data transfers and the relevant laws across the European Union (EU) and South-East Asia, on 24 May 2023 the European Commission and the Association of Southeast Asian Nations (ASEAN) published a Reference Guide to ASEAN Model Contractual Clauses (ASEAN MCCs) and EU Standard Contractual Clauses … Continue reading

Singapore contributes to the development of accessible AI testing and accountability methodology with the launch of the AI Verify Foundation and AI Verify Testing Tool

By Marcus Evans (UK), Anna Gamvros, Peter McBurney and Jeremy Lua (SG) on June 15, 2023 Posted in Data Protection, General

On 7 June 2023, at the ATxAISummit, Singapore launched the AI Verify Foundation, which aims to “harness the collective power and contributions of the global open source community” in order to develop the AI Verify testing tool for the responsible use of AI. In this short post, we discuss this development as well as the … Continue reading

Hong Kong’s data privacy law reform may come in 2023

By Anna Gamvros and Edward Yau (HK) on March 6, 2023 Posted in General

The reform of Hong Kong’s Personal Data (Privacy) Ordinance (Cap.486) (the PDPO) is back on the agenda. In our earlier post in 2020, we reported that the Constitutional and Mainland Affairs Bureau published a discussion paper (the Discussion Paper) seeking the Legislative Council’s Panel on Constitutional Affairs’ (the Panel) views on proposed changes to the … Continue reading

Hong Kong: Data Security Measures Guidance published by the PCPD

By Anna Gamvros and Edward Yau (HK) on March 1, 2023 Posted in Cybersecurity

As data breaches and cyber attacks continue to surge and attackers become more sophisticated, organisations are well aware that the need for robust data security measures is becoming increasingly important. In Hong Kong, the Office of the Privacy Commissioner for Personal Data (the PCPD) recently published a Guidance Note on Data Security Measures for Information … Continue reading

Privacy Act Review report

By Ka-Chi Cheung, Anna Gamvros, Jim Lennon (AU) and Ross Phillipson on February 23, 2023 Posted in Privacy law

The Attorney General’s Department released its Privacy Act Review report on 16 February 2023, that includes the broad suite of reforms you would expect to bring Australia’s privacy laws in to line with both international standards and the reality of our data-based economy. These include enhanced data subject rights and increased accountability requirements for organisations collecting and … Continue reading

What you should do now in light of the Privacy Reform bill

By Ross Phillipson and Anna Gamvros on October 26, 2022 Posted in Cybersecurity, Privacy law

Major privacy law reform in Australia gathered pace this week, with newly tabled legislation proposing to significantly increase penalties for privacy breaches, among other reforms. Now is the time to start asking questions In preparation for these reforms, companies that collect and process personal information should be asking the following questions: Do we know what … Continue reading

Draft standard contractual clauses provisions, final security assessment measures and final certification guidelines for cross border data transfer released

By Anna Gamvros and Ruby Kwok (HK) on August 4, 2022 Posted in Cybersecurity

The long awaited details with respect to cross border data transfer under the China Personal Information Protection Law (PIPL) have very recently been published by the Chinese authorities. The details are set out in three documents: final Certification Guidelines for Cross Border Data Transfer (网络安全标准实践指南 – 个人信息跨境处理活动安全认证规范 “) (“Certification Guidelines“) released on 24 June 2022; … Continue reading

Are you critical? Amendments to the Security of Critical Infrastructure Act (2018) dramatically expand its scope and impact across Australian industry

By Ross Phillipson, Ming Kalanon and Anna Gamvros on December 6, 2021 Posted in General

Introduction Significant changes to the law with respect to security of critical infrastructure in Australia, including enhanced cybersecurity incident reporting requirements and the inclusion of further asset classes have been passed. On 22 November 2021, the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (Bill) passed both houses of the federal parliament of Australia and will … Continue reading

Flurry of activity in the Privacy Act review, including tougher penalties and new online privacy framework

By Nick Abrahams (AU), Scott Atkins (AU), Ka-Chi Cheung, Anna Gamvros, Peter Mulligan (AU), Benjamin Kende, Jim Lennon (AU) and Ross Phillipson on November 25, 2021 Posted in Cybersecurity

This article was co-authored with India Bennett. After months of anticipation regarding the ongoing review of the Privacy Act 1988 (Cth), the Federal Government has galvanized the Australian privacy landscape with two significant developments. Firstly, the Government has released a discussion paper about the reform of the Privacy Act. The discussion paper considers stakeholder feedback on the issues paper released in October 2020 … Continue reading

Transfer data outside of China: New security review regulation companies should know

By Anna Gamvros and Lianying Wang (CN) on November 11, 2021 Posted in General

The Cyberspace Administration of China (CAC) released the draft Security Review Measures for Cross-Border Data Transfer (the Draft Security Review Measures) for public comments on 29 October 2021 – shortly before the effective date of the Personal Information Protection Law (PIPL), 1 November 2021. The three pillars of China’s cyber security and data legislation – … Continue reading

A Tale of Two Cities: The Right of Private Action in Data Protection in Singapore and Hong Kong

By Wilson Ang, Anna Gamvros, Jeremy Lua (SG) and Edward Yau (HK) on November 2, 2021 Posted in Dispute resolution and litigation, General, PDPA, Privacy law

The Singapore High Court and the Hong Kong District Court have both considered the right to compensation for injury to feelings in two recent cases involving misuse of personal data but arrived at different conclusions. Singapore: In Bellingham, Alex v. Reed, Michael, Mr. Bellingham obtained the email addresses of his former employers’ customers without their … Continue reading

Hong Kong: Bill to combat doxxing acts passed

By Edward Yau (HK) and Anna Gamvros on October 7, 2021 Posted in Cybercrime, Cybersecurity, Privacy law

The Personal Data (Privacy) (Amendment) Bill 2021 (the Bill) aimed at combatting doxxing in Hong Kong was passed on 29 September 2021. As discussed in our earlier post, the Bill amends the Personal Data (Privacy) Ordinance (PDPO) by: introducing offences to criminalize doxxing acts; empowering the Privacy Commissioner for Personal Data (the Commissioner) to conduct … Continue reading

PIPL: A game changer for companies in China

By Anna Gamvros and Lianying Wang (CN) on August 24, 2021 Posted in Compliance and risk management, Cybersecurity

China passed its Personal Information Protection Law (PIPL) on 20 August 2021. This is China’s first omnibus data protection law, and will take effect from 1 November 2021 allowing companies just over two months to prepare themselves. The PIPL is a game changer for any company with data or business in China. It will add … Continue reading

China passes the Personal Information Protection Law

By Anna Gamvros and Lianying Wang (CN) on August 20, 2021 Posted in Compliance and risk management, Cybersecurity

China passed its Personal Information Protection Law (PIPL) on 20 August 2021. The new law will take effect from 1 November 2021 allowing companies just over 2 months to prepare themselves. The full text has not been made public yet. In addition, China published the Provisions on the Administration of Security of Automobile Data (For … Continue reading

“Am I a CII operator?” – New regulation in China provides more clarity

By Anna Gamvros and Lianying Wang (CN) on August 18, 2021 Posted in Cybersecurity, Data Transfer, Regulatory response

China’s Cyber Security Law (CSL), enacted in 2016, requires operators of critical information infrastructure (CII) to follow a number of enhanced security obligations, including storing within China all personal information and important data collected or generated during their operations in China. Given the more onerous obligation on CII operators, we are constantly asked the same … Continue reading

China’s evolving data laws: PIPL likely to be passed soon

By Anna Gamvros and Lianying Wang (CN) on August 5, 2021 Posted in Cybersecurity, General

China’s much anticipated Personal Information Protection Law (PIPL) is very likely to pass this month after the conclusion of the 30th meeting of the Standing Committee of the National People’s Congress, which is to be held in Beijing on 17-20 August. This follows the enactment earlier this year of the Data Security Law (DSL), which … Continue reading

Hong Kong: Bill to amend the Personal Data (Privacy) Ordinance to combat doxxing acts was gazetted today

By Anna Gamvros, Ruby Kwok (HK) and Edward Yau (HK) on July 15, 2021 Posted in General

The Personal Data (Privacy) (Amendment) Bill 2021 (the Bill) was gazetted today, 16 July 2021. The Bill aims to combat doxxing acts through (i) criminalisation of doxxing acts; (ii) empowering the Privacy Commissioner for Personal Data to conduct criminal investigation and institute prosecution for doxxing cases; and (iii) conferring on the Commissioner statutory powers to … Continue reading

Proposed amendments to the Personal Data (Privacy) Ordinance to combat doxxing acts

By Anna Gamvros, Ruby Kwok (HK) and Edward Yau (HK) on June 3, 2021 Posted in Regulatory response

The Hong Kong Government is proposing amendments to the Personal Data (Privacy) Ordinance (the “PDPO”) to combat doxxing acts. On 17 May 2021, the Constitutional and Mainland Affairs Bureau (the “CMAB”) published a discussion paper on the proposed amendments to the Personal Data (Privacy) Ordinance to combat doxxing acts (LC Paper No. CB(4)974/20-21(03)) (the “Paper”). … Continue reading

Hong Kong introduces a contact tracing app

By Anna Gamvros and Edward Yau (HK) on November 15, 2020 Posted in Cybersecurity, Enforcement, Regulatory response

As countries around the globe continue to battle the COVID-19 pandemic, contact tracing apps continue to evolve and be developed. On November 16, 2020, the Hong Kong government is launching a voluntary contact tracing app. The app, known as LeaveHomeSafe, will enable users to record the date and time they visited participating venues by scanning … Continue reading

Contact tracing apps: A new world for data privacy

By Anna Gamvros and Steven Hadwin (UK) on May 13, 2020 Posted in General

May 12, 2020 Norton Rose Fulbright today launched its survey analysing regulatory and policy issues applicable to COVID-19 contact tracing and related tracking technology across 18 jurisdictions. The global survey explores key issues across Australia, Canada, China, France, Germany, Hong Kong, Italy, Indonesia, Russia, Poland, Singapore, South Africa, Thailand, The Netherlands, Turkey, UAE, UK and … Continue reading

How contact tracing apps in Asia are being used to fight COVID-19 – is the reward worth the risk?

By Anna Gamvros and Libby Ryan (HK) on April 24, 2020 Posted in General

The COVID-19 pandemic has seen governments across the world restricting civil liberties and movement to unprecedented levels. To aid the safe lifting of current public health restrictions, new technologies are being developed and rolled out to automate labour intensive tasks critical to containing the spread of the virus, such as contact tracing. Contact tracing applications … Continue reading