ASIA

HONG KONG

Privacy Commissioner Publishes Investigation Report on Intrusion into Broadband Network's Customer Database

On February 21, the Privacy Commissioner published an Investigation Report in connection with a data breach of Hong Kong Broadband Network Limited's ("HKBN") network exposing the data of approximately 380,000 customers and service applicants. The Report found that HKBN failed to adequately review its system migration efforts, update security patches and encryption for the breached database, and implement a reasonable retention period for former customers' personal data.

Privacy Commissioner Releases Study Report on Implementation of Privacy Management Program by Data Users

On March 5, the Privacy Commissioner released the "2018 Study Report on Implementation of Privacy Management Programme by Data Users," which examines the Privacy Management Programmes of 26 organizations from various sectors. The study reviews the organizations' commitment to data privacy protection and recommends actions organizations should take to comply with the Personal Data Privacy Ordinance.

PEOPLE'S REPUBLIC OF CHINA

Committee Proposes Amendments to Personal Information Security Specification

On February 1, the National Information Security Standardization Technical Committee issued draft amendments to GB/T 5273-2017, the "Information Security Technology—Personal Information Security Specification" (source documents in Chinese). The Specification, which went into effect on May 1, 2018, governs the protection of personal information and provides guidance on the interpretation of China's Cybersecurity Law. The amendments introduced additional requirements on data controllers regarding third-party access and user consent to data collection and targeted advertising.

Committee Solicits Opinions on Proposed Social Networking Specification

On February 1, the National Information Security Standardization Technical Committee published a notice soliciting opinions on the draft "Information Security Technology–Specification for the Management of Information Identification on Social Networking Platform" (source document in Chinese). Among other obligations, the Draft Specification seeks to impose a requirement on social network platforms to formulate strategies on the management of user identity and provides guidance on managing processes for the generation, usage, transmission, storage, and destruction of identifying information.

Regulators Publish Joint Announcement on Application Security Certification

On March 15, the State Administration for Market Regulation and the Cyberspace Administration of China jointly published an Announcement on the Implementation of App Security Certification (source document in Chinese). The announcement creates a security certification scheme for mobile applications, which will assist operators of mobile applications in demonstrating their compliance with the personal data collection and use provisions of GB/T 5273-2017 (source document in Chinese). The China Cybersecurity Review Technology and Certification Center is designated as the certification body and is responsible for appointing technical testing agencies to conduct testing and inspection in the certification process.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.