Onecompliance aims to provide concise updates on key regulatory changes in data security, privacy protection, and emerging trends in fintech regulation across major jurisdictions. Our focus in January 2024 is to summarize the most recent regulatory signals in the data and AI areas.
1. China Issues Draft Contingency Plan for Data Security Incidents
On 15 Dec 2023, China’s Ministry of Industry and Information Technology (MIIT) published a detailed draft plan laying out how local governments and companies should assess and respond to data security incidents.
The plan proposes a four-tier, color-coded system depending on the degree of harm inflicted upon national security, a company’s online and information network, or the running of the economy.
According to the plan, incidents that involve losses surpassing 1 billion yuan ($141 million) and affect the personal information of over 100 million people, or the “sensitive” information of over 10 million people, will be classed as “especially grave”, for which a red warning must be issued.
The plan demands that, in response to red and orange warnings, the involved companies and relevant local regulatory authorities must establish a 24-hour work rota to address the incident, and that MIIT must be notified of the data breach within ten minutes of the incident happening, among other measures.
2. Thailand Unveils Regulations for Cross-Border Personal Data Transfer
On December 25, 2023, Thailand’s Personal Data Protection Committee (PDPC) issued two notifications under sections 28 and 29 of the Personal Data Protection Act 2019 (PDPA) that address essential aspects and criteria for the cross-border transfer of personal data. These notifications are scheduled to come into effect on March 24, 2024.
3. Singapore’s CSA Launches Safe App Standard
The Cyber Security Agency of Singapore (CSA) released a set of recommendations for mobile apps called the Safe App Standard. The Safe App Standard aims to guide developers in enabling proper security controls and to provide a risk assessment for finance-related apps.
The first version of the Standard is targeted at apps that perform high-risk transactions, defined as those that allow transactions with partial or full access to users’ financial accounts and which, when compromised, can result in significant monetary losses. These transactions include changes to financial functions such as registration of third-party payee details and increases to fund transfer limits. The Standard focuses on four critical areas commonly targeted by threat actors. These are:
- Authentication
- Authorisation
- Data Storage (Data-at-Rest), and
- Anti-Tampering & Anti-Reversing
4. Malaysia: Seven Guidelines to Be Developed under Personal Data Protection Act 2010
The Malaysia Department of Personal Data Protection will soon develop seven guidelines on how to manage personal data, Malaymail reports.
The guidelines, which are to be developed under the Personal Data Protection Act 2010, cover data protection officers, notices of data breaches, data portability, cross-border data transfers and more. A personal data protection portal will also be created.
5. Hong Kong: Privacy Commissioner’s Office Publishes Two Investigation Reports
Hong Kong’s Office of the Privacy Commissioner for Personal Data (PCPD) published two reports on privacy investigations.
One report covered an investigation into the employee privacy practices of four companies and gave recommendations for companies to safeguard employees’ personal data, including suggested training and the appointment of a data protection officer.
In a separate investigation, the PCPD determined that retailer Carousell allegedly did not perform privacy risk assessments after hackers breached the personal data of 324,232 user accounts in Hong Kong.