2021 was a busy year for data protection law in China. On June 10, 2021, the Standing Committee of the National People’s Congress of the People’s Republic of China adopted the Data Security Law (DSL), which went into effect on September 1, 2021. On August 20, 2021, the Standing Committee of the National People’s Congress enacted the Personal Information Protection Law (PIPL), which went into effect just last month, in November 2021. The DSL applies broadly to processing of all data, not just personal information or electronic data and expands on the provisions from China’s Cybersecurity Law, which was enacted in 2016. In contrast, the PIPL applies only to the processing of personal information and has been compared to Europe’s General Data Protection Regulation (GDPR), although that comparison may obscure the contours of China’s law more than it enlightens.

Consistent with the course of Chinese administrative law, the laws’ key terms, analyses, and processes will continue to be fleshed out and perhaps materially enhanced or diminished in a series of regulations, measures, standards, and guidance documents. The latest draft measures on cross-border transfers, which are being closely watched by organizations contemplating cross border data transfers, were published at the end of October, and comments were accepted through November. We expect China to continue finalizing the laws’ terms and measures in 2022.Continue Reading What China’s New Data Laws Could Mean for 2022

In the wake of major cybersecurity incidents, it is becoming increasingly common for shareholders to bring derivative lawsuits alleging that the officers or board members failed to exercise proper governance over cybersecurity. Some companies have paid settlements to resolve such matters, but few derivative actions have ended in judgment on the merits in favor of plaintiffs, largely because plaintiffs are rarely able to show that directors failed to execute their oversight responsibilities. A recent ruling by the Delaware Court of Chancery dismissing a derivative lawsuit against Marriott International, Firemen’s Ret. Sys. of St. Louis v. Sorenson, No. 2019-0965-LWW (Del. Ch. Oct. 5, 2021), reiterates that directors who monitor cybersecurity governance, work to mitigate cyber risks, and seek outside advice on data protection issues will usually not face liability.
Continue Reading Marriott Data Breach Ruling Puts Corporate Boardrooms on Notice