DLA Piper Intelligence

Data Protection
Laws of the World

Law

China
China

Currently, there is not a comprehensive data protection law in the People's Republic of China ('PRC'). Instead, rules relating to personal data protection are found across various laws and regulations. Generally speaking, provisions found in laws such as the General Principles of Civil Law and the Tort Liability Law may be used to interpret data protection rights as a right of reputation or right of privacy. However, such interpretation is not explicit.

Nevertheless, 2017 was a ground-breaking year for cybersecurity and data privacy for the PRC. The PRC Cybersecurity Law (promulgated and effective from 1 June 2017) adopted by the Standing Committee of the National People's Congress has become the first national-level law that addresses cybersecurity and data privacy protection.  

Further to the Cybersecurity Law, the following form the backbone of general data protection rules currently in the PRC:

  • The Decision on Strengthening Online Information Protection (Promulgated and effective on 28 December 2012; the ‘Decision’) adopted by the Standing Committee of the National People’s Congress; and
  • National Standard of Information Security Technology – Guideline for Personal Information Protection within Information System for Public and Commercial Services (promulgated 05 Nov 2012 and effective on 01 February 2013, GB/Z 28828-2012; the ‘Guideline’) as published by General Administration of Quality Supervision, Inspection and Quarantine of China and Standardization Administration of China,

(collectively referred to as the ‘General Data Protection Law’). The purpose of the Decision is to protect online information security, safeguard the lawful rights and interests of citizens, legal entities or other organizations, and ensure national security and public interests. The Decision has the same legal effect as a law. While the Guideline is only a technical guide and thus not legally binding, it is considered important because its scope extends to any “processing of personal information through information systems” (not necessarily connected to the Internet), and because of the fact that it covers in detail key issues such as data exports, sensitive data, data subject access and the right to rectification. Given the lack of binding laws and regulations which provide detailed guidance on data processing, the Guideline can be a good reference. Therefore, compliance with the Guideline is recommended as good practice.

In addition to the General Data Protection Law, provisions contained in other laws and regulations may be applicable depending on the industry or type of information at issue (for example, personal information obtained by financial institutions, e-commerce businesses, certain healthcare providers, or telecom or Internet service/content providers is subject to special regulation). For example (this is not an exhaustive list):

  • The Criminal Law of the People’s Republic of China prohibits sale or illegal provision of, or illegal access (such as theft) to citizens' personal information;
  • Provisions of the Supreme People’s Court on Several Questions relating to the Applicable Law of Civil Disputes Concerning the Use of Informational Network to Harm Personal Rights and Interests (promulgated on 21 August 2014, and effective on 10 October 2014), which are applicable to Internet users and Internet service providers who use information networks to infringe the privacy rights of a third party;
  • The Provisions on Telecommunication and Internet User Personal Information Protection (promulgated on 19 July 2013 and effective on 1 September 2013), which are applicable to telecom and Internet service providers;
  • The Guidelines for the Supervision of Information Technology Outsourcing Risks of Banking Financial Institutions, which would be applicable to banks who are outsourcing information technology services; and
  • The Consumer Rights Protection Law of the People’s Republic of China (promulgated 25 October 2013 and effective on 15 Mar 2014; the ‘Consumer Protection Law’) contains data protection obligations which are applicable to most if not all types of businesses that deals with consumers. The Consumer Protection Law was supplemented by the Measures on Penalties for Infringing Upon the Rights and Interests of Consumers (promulgated in January 2015) ('Consumer Protection Measures'). Further, the draft Implementation Regulations for the Consumer Protection Law of the People's Republic of China (Draft for Review) ('Draft Consumer Protection Regulations') were formulated and published for consultation in 2016 by the State Administration for Industry and Commerce and reiterate and clarify some of the data protection obligations as regards consumers' personal data.

A significant recent development is the Information Security Techniques - Personal Information Security Specification, which was issued on 29 December 2017 and comes into force on 1 May 2018 (the "PI National Standards"). While the formal text of these standards have not been made available to the public, the draft versions indicate that they set out key data protection concepts and principles which until now remain elusive and have not been properly developed or explained in key laws and regulations, including the Cybersecurity Law. The PI National Standards may not necessarily replace the Guideline issued in 2012 in theory, but they are expected to be the new national standards on personal data protection in China. 

Please note that our discussion here only includes the General Data Protection Law and the drafts of the PI National Standards that are available currently (not the final version) as such laws will have the most direct, general and broad application to most if not all types of businesses in the PRC. Applicability of other laws or regulations will invariably depend on the factual context of each case and further independent analysis is recommended, (for example, businesses in the banking, healthcare or securities sectors will be subject to industry-specific data protection regulations; and employee personal data attracts some protections under employment laws).

Last modified 29 Jan 2018
Law
China

Currently, there is not a comprehensive data protection law in the People's Republic of China ('PRC'). Instead, rules relating to personal data protection are found across various laws and regulations. Generally speaking, provisions found in laws such as the General Principles of Civil Law and the Tort Liability Law may be used to interpret data protection rights as a right of reputation or right of privacy. However, such interpretation is not explicit.

Nevertheless, 2017 was a ground-breaking year for cybersecurity and data privacy for the PRC. The PRC Cybersecurity Law (promulgated and effective from 1 June 2017) adopted by the Standing Committee of the National People's Congress has become the first national-level law that addresses cybersecurity and data privacy protection.  

Further to the Cybersecurity Law, the following form the backbone of general data protection rules currently in the PRC:

  • The Decision on Strengthening Online Information Protection (Promulgated and effective on 28 December 2012; the ‘Decision’) adopted by the Standing Committee of the National People’s Congress; and
  • National Standard of Information Security Technology – Guideline for Personal Information Protection within Information System for Public and Commercial Services (promulgated 05 Nov 2012 and effective on 01 February 2013, GB/Z 28828-2012; the ‘Guideline’) as published by General Administration of Quality Supervision, Inspection and Quarantine of China and Standardization Administration of China,

(collectively referred to as the ‘General Data Protection Law’). The purpose of the Decision is to protect online information security, safeguard the lawful rights and interests of citizens, legal entities or other organizations, and ensure national security and public interests. The Decision has the same legal effect as a law. While the Guideline is only a technical guide and thus not legally binding, it is considered important because its scope extends to any “processing of personal information through information systems” (not necessarily connected to the Internet), and because of the fact that it covers in detail key issues such as data exports, sensitive data, data subject access and the right to rectification. Given the lack of binding laws and regulations which provide detailed guidance on data processing, the Guideline can be a good reference. Therefore, compliance with the Guideline is recommended as good practice.

In addition to the General Data Protection Law, provisions contained in other laws and regulations may be applicable depending on the industry or type of information at issue (for example, personal information obtained by financial institutions, e-commerce businesses, certain healthcare providers, or telecom or Internet service/content providers is subject to special regulation). For example (this is not an exhaustive list):

  • The Criminal Law of the People’s Republic of China prohibits sale or illegal provision of, or illegal access (such as theft) to citizens' personal information;
  • Provisions of the Supreme People’s Court on Several Questions relating to the Applicable Law of Civil Disputes Concerning the Use of Informational Network to Harm Personal Rights and Interests (promulgated on 21 August 2014, and effective on 10 October 2014), which are applicable to Internet users and Internet service providers who use information networks to infringe the privacy rights of a third party;
  • The Provisions on Telecommunication and Internet User Personal Information Protection (promulgated on 19 July 2013 and effective on 1 September 2013), which are applicable to telecom and Internet service providers;
  • The Guidelines for the Supervision of Information Technology Outsourcing Risks of Banking Financial Institutions, which would be applicable to banks who are outsourcing information technology services; and
  • The Consumer Rights Protection Law of the People’s Republic of China (promulgated 25 October 2013 and effective on 15 Mar 2014; the ‘Consumer Protection Law’) contains data protection obligations which are applicable to most if not all types of businesses that deals with consumers. The Consumer Protection Law was supplemented by the Measures on Penalties for Infringing Upon the Rights and Interests of Consumers (promulgated in January 2015) ('Consumer Protection Measures'). Further, the draft Implementation Regulations for the Consumer Protection Law of the People's Republic of China (Draft for Review) ('Draft Consumer Protection Regulations') were formulated and published for consultation in 2016 by the State Administration for Industry and Commerce and reiterate and clarify some of the data protection obligations as regards consumers' personal data.

A significant recent development is the Information Security Techniques - Personal Information Security Specification, which was issued on 29 December 2017 and comes into force on 1 May 2018 (the "PI National Standards"). While the formal text of these standards have not been made available to the public, the draft versions indicate that they set out key data protection concepts and principles which until now remain elusive and have not been properly developed or explained in key laws and regulations, including the Cybersecurity Law. The PI National Standards may not necessarily replace the Guideline issued in 2012 in theory, but they are expected to be the new national standards on personal data protection in China. 

Please note that our discussion here only includes the General Data Protection Law and the drafts of the PI National Standards that are available currently (not the final version) as such laws will have the most direct, general and broad application to most if not all types of businesses in the PRC. Applicability of other laws or regulations will invariably depend on the factual context of each case and further independent analysis is recommended, (for example, businesses in the banking, healthcare or securities sectors will be subject to industry-specific data protection regulations; and employee personal data attracts some protections under employment laws).

Last modified 29 Jan 2018
Definitions

Definition of personal data

There is no single, pervasive definition of personal data in the PRC, but the definitions in the various laws, regulations and guidance that comprise the data protection framework in the PRC are starting to become more aligned.

Personal data (which is referred to as ‘personal information’ in the Decision) means any electronic information which can enable identification of a citizen's individual identity and which relates to personal privacy. This definition was further clarified in the Guideline as any data or information in connection with a specific individual, which can be used, separately or in combination with other data, to identify the individual.

Under the Cybersecurity Law, personal information is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person's identity, including, but not limited to, the natural persons' full name, date of birth, identification numbers, personal biometric information, addresses, telephone numbers and so forth.

The definition has been further expanded to include information reflecting an individual's activities under the Interpretations on Several Issues Concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens’ Personal Information issued by the Supreme People’s Court and the Supreme People’s Procuratorate of China on 9 May 2017.

Definition of sensitive personal data

The draft PI National Standards make a distinction between sensitive personal information and general personal information.  In the draft PI National Standards, sensitive personal information is defined as personal information the leakage, illegal provision or abuse of which may harm personal/property safety and personal reputation or physical/mental health, or result in discrimination towards the data subject.  Examples may include personal identification number, individual biometric information, bank account number, correspondence records and contents, property information, credit information, location tracking, lodging information, health and physiological information and transaction information etc. 

The binding laws or regulations including the Decision, the Consumer Protection Law and the Cybersecurity Law do not make such distinction.

Last modified 29 Jan 2018
Authority

The CAC (Cyberspace Administration of China) is currently considered the data protection authority in the PRC, although there are also sector-specific regulators that may monitor and enforce data protection issues, such as the PBOC or CBRC which regulate banks and financial institutions.

Last modified 29 Jan 2018
Registration

The PRC does not maintain a register of data administrators, personal data processing activities or databases containing personal information.

Last modified 29 Jan 2018
Data Protection Officers

There is no legal requirement in the PRC for organizations to appoint a data protection officer.

The draft PI National Standards however require that an institution or personnel be appointed to be responsible for personal data protection. A data protection specialist / division exclusively handling data protection matters is required if i) the primary business of an organization is related to data processing and there are more than 200 employees; or ii) personal data of more than 500,000 individuals are processed, or personal data of more than 500,000 individuals is expected to be processed within 12 months. 

Last modified 29 Jan 2018
Collection & Processing

Clear consent is required from the data subject before the personal information can be processed.

Under the Decision, the Consumer Protection Law and the Cybersecurity Law, organisations caught by those rules may collect and use personal information if the following conditions are met:

  • abide by the principles of legality, legitimacy and necessity, and may not be excessive;
  • explicitly notify the purposes, means and scope of collection, use and disclosure of personal information;
  • obtain the data subject's clear consent to the personal information collection, use and disclosure;
  • not violate laws, regulations or agreements between the organisation and the data subject when collecting or using the personal information; and
  • make publicly available the organisation's rules or policy regarding collection and use of personal information.

Under the draft PI National Standards, a Data Controller should make a privacy policy which is designed to inform data subjects about the ways in which their personal data is collected, processed and disclosed. It must in particular contain the following information:

  • the identity of the Data Controller, including its registered name, registered address, principal office, a telephone number and/or an e-mail address;
  • the list of personal data collected for each business purpose, processing policies including location of storage, retention period, frequency of collection, etc.;
  • whether the data requested from the internet user is optional or mandatory (usually identified by means of an asterisk on the website) and the consequences of any failure by the internet user to provide such data;
  • the purposes sought by the Data Controller, i.e., what the Data Controller uses the data for (for instance, supplying goods and services, creating a user account, processing payments, managing subscriptions to the newsletters, etc.);
  • the circumstances under which the Data Controller will share, assign personal data to third parties or publicly disclose personal data, the types of personal data involved in the sharing, assignment or disclosure, and the types of third party data recipients, as well as their legal obligations;
  • the basic data security principles to be followed by the Data Controller, the data security capabilities of the Data Controller, as well as the data protection measures to be adopted by the Data Controller;
  • the rights of data subjects and mechanisms for them to realize these rights, e.g. methods to access, rectify, delete their personal data, methods to de-register their accounts, withdraw their consent, and to obtain copies of their personal data, methods to restrict automated decision by the data system etc.;
  • potential risks for providing personal data, as well as possible impacts for not providing the data; and
  • channels and mechanism for making inquiries and lodging complaints by data subjects, as well as external dispute settlement body and contact information.

The information in the "data protection policy" must be true, accurate and complete. The contents of the "data protection policy" must be clear and easy to understand, follow common language habits, use standard numbers and graphics for illustration etc., and ambiguous language should be avoided. An abstract of the "data protection policy" should be provided at the beginning of the policy, stating the key points of the notified information. The "data protection policy" should be published publicly and easily accessible. When changes occur to the information provided in the data protection policy, data subject should be notified of such changes.

Collection from persons under 14 years old is prohibited unless consent is obtained from their legal guardians.

Data subject rights to access, rectify the data, obtain copies or request deletion of the data, to withdraw consent or de-register accounts etc. are granted under the draft PI National Standards.

The rules do not apply to truly (and irreversibly) anonymised data according to the Cybersecurity Law and the Draft Consumer Protection Regulations.

Last modified 29 Jan 2018
Transfer

The Cybersecurity Law prohibits disclosure or transfer of an individual's personal information to others without the individual's consent.  It further includes requirements for personal information of Chinese citizens and "important data" collected by key information infrastructure operators ("KIIOs") to be kept within the borders of the PRC.  If there are business needs for the KIIOs to transfer this data outside of the PRC, security assessments must be conducted.  The definition of KIIOs remains to be clarified.

Data localisation is an increasing trend in the PRC, with various sector specific regulations prohibiting transfer of personal information outside the borders of the PRC.

In principle, it is not allowed to share or assign the personal data. If it is really necessary to do so, adequate attention to risks should be paid. The following requirements for sharing and assigning of personal data should be complied with, if the sharing and assigning personal data is not because of acquisition, merger or restructuring:

  • perform prior assessment on the impact to the security of personal data, and take effective measures to protect the data subjects according to the assessment results;
  • inform the data subjects of the purposes of the sharing and assigning of the personal data and the types of data recipient, and obtain prior express consent from the data subjects;
  • before any personal sensitive data is shared or assigned, e.g. ID number, property information, health data etc., inform the data subjects of the identity and data security capabilities of the data recipient, and obtain prior express consent from the data subjects (in addition to complying with the requirements listed in the above);
  • record accurately and keep the information in relation to the sharing or assigning of the personal data, including the date, scale, purpose and basic information of the data recipient of the sharing or assigning;
  • must not share or assign any personal biometric information; and
  •  assist the data subjects in understanding the storage and use of personal data by the data recipient, including the rights of the data subjects, such as access, correction, deletion and cancellation of accounts.

If you are a third party (Data Processor) who is delegated to process personal data, the following requirements should be complied with:

  • the Data Controller should perform an assessment on the delegation in respect of the influence on the security of personal data, and ensure the Data Processor has adequate data security capabilities and has provided adequate level of protection;
  • the Data Controller should supervise the Data Processor, e.g. by conducting audits over the Data Processor;
  • accurate record of the delegation history should be kept; and
  • the Data Controller should require the Data Processor to comply with certain obligations through a contract.
Last modified 29 Jan 2018
Security

Organizations must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction of, or damage to, personal information.  The measures taken must ensure a level of security appropriate to the harm that may result from such unauthorised or unlawful processing, accidental loss, destruction or damage, and appropriate to the nature of the data.

Under the Cybersecurity Law, network operators are required to establish information protection systems.  In particular, network operators must implement technical and other necessary measures to ensure the security of personal information and to prevent the collected data from being accidentally disclosed, tampered with or destroyed.  Remedial measures must be taken immediately if personal information is being or is likely to be disclosed, tampered with or destroyed.  Network operators should also establish systems to handle complaints or reports about personal information security, publish the means for individuals to make such complaints or reports, and promptly handle any such complaints or reports received.

China has implemented a tiered system for cybersecurity protection. Information systems are classified into 5 tiers and the security standard goes higher from tier 1 to tier 5. The regulators leave the protection of tier 1 and tier 2 information systems to their respective organizations and they would only intervene in the case of tier 3, 4 and 5 information systems where national security is a concern.  Organizations should conduct a self-evaluation and determine the tier it belongs to, based on relevant laws, regulations and guidelines, inter alia, the Information Security Technology - Classification Guide for Classified Protection of Information System. If an organization considers its information system a tier 3 system, it will need to conduct an assessment with a third party assessment agency to verify whether it meets the standards for tier 3 information system, obtain a test report, and conduct a filing with the Public Security Bureau (based on the test report issued by the agency). If it is deemed as a tier 2 information system, an organization is required to make the filing with PSB without having to conduct a security assessment or obtain a report. A tier 2 information system owner is recommended (but not required) to conduct a security assessment with a third party agency every two years. 

Last modified 29 Jan 2018
Breach Notification

The current laws and regulations including (inter alia) the Cybersecurity Law only provide the following general requirements for reporting and notification of personal data breach, without specific or clear guidance on the timeline for reporting and without identifying which government agencies are in charge (clarifications are pending in this regard):

  • network operators should adopt technical and other necessary measures to ensure the security of personal data they collected. Where personal data is leaked, lost or distorted (or if there is a potentialfor such incidents), network operators must promptly take relevant measures to prevent the aggravation of the damages and promptly notify relevant data subjects and report to relevant government agencies in accordance with relevant provisions.

On the other hand, the draft PI National Standards provide detailed guidance on reporting and notification of personal data breaches or security incidents:

Contingency Response and Reporting of Security Incidents: 

  • A contingency plan for security incidents of personal data should be formulated;
  • Organize trainings of contingency response and contingency drills regularly (at least once a year), in order to let relevant internal staff understand their responsibilities, strategies and procedures for contingency response;
  • When a data breach/ security incident occurs, the following actions should be taken in terms of the contingency response plan:
    • record the content of the incident, including but not limited to: the person who discovers the incident, the date, place, personal data and number of people involved in the incident, the name of the system in which the incident occurs, impact on other interconnected systems, whether the law enforcement department or other relevant department have been contacted;
    • assess the possible impact of the incident, and take necessary measures to control the situation and eliminate potential dangers;
    • if applicable, report to relevant government agency in accordance with the "National Network Security Incident Contingency Response Plan", the content of report shall include but not limited to: general information such as the type, number, content and nature of the data subjects involved, potential impact of the incident, measures taken or to be taken, contact details of relevant persons involved with handling the incident; and
    • update the contingency response plan in a timely manner pursuant to the changes of relevant laws and regulations as well as the situation of the incident.

Notification of Security Incidents:

  • Notify data subjects of relevant information of the incident by mail, letter, telephone, push notification or other means in a timely manner. If it is hard to notify each data subject, organizations shall take reasonable and effective measures to publish warning message relevant to the public;
  • The content of the notification shall include but not limited to:
    • the content and impact of the security incident;
    • the measures taken or to be taken;
    • suggestions for data subjects regarding how to take initiative to prevent and reduce the risk of security incidents;
    • remedies specifically provided for data subjects; and
    • contact persons and organizations responsible for personal data protection.

 

Last modified 29 Jan 2018
Enforcement

Possible enforcement of, and sanctions for, a data protection breach in the PRC will depend on the specific data protection laws and regulations breached.  The PRC currently lacks a centralised enforcement mechanism for data protection and there is no single data protection authority or any other state agency established to monitor the protection of personal data. CAC which was relatively newly established to regulate cyberspace issues is expected to be the key data protection authority for enforcement actions, although other industry-specific regulators should also be relevant.

Sanctions in relation to data protection breaches are scattered across various different laws and regulations, and the measures described below may not be comprehensive in all situations, as additional laws or regulations may be applicable depending on the industry or type of information at hand.

Typically, it would be a graded approach - warning and requirement to comply, then possibly fines up to approximately RMB500,000. Affected individuals may also potentially claim for indemnification under the Tort Liability Law. In severe cases, breaches may lead to higher fines being imposed or the revocation of licence. Responsible personnel could be prohibited from engaging in relevant business and their conduct could be recorded in their social credit files. Depending on the severity of the illegal conduct, the responsible person could also be subject to detention or up to seven years of imprisonment, plus a concurrent fine to the organisation if applicable.

The data protection provisions provided by the Criminal Law have been the most widely used provisions to enforce privacy protection in the PRC. Essentially, only the illegal sale or purchase of personal data are subject to enforcement under the Criminal Law.

However, the enforcement environment is evolving rapidly as individuals are increasingly aware of their data protection rights and as data protection obligations expand as laws develop and are added in China. For example, the Cybersecurity Law suggests the possibility of ordering corrections, issuing warnings, confiscation of illegal gains and fines of up to 10 times of illegal gains (or fines of up to RMB1,000,000 where there is no illegal gain) upon discovery of violation in handling personal information. The responsible persons may also be fined between RMB 10,000 to 100,000.

Last modified 29 Jan 2018
Electronic Marketing

Direct marketing by electronic means is only possible if the targeted consumers have explicitly consented to receiving such messages either at the time their electronic address/mobile phone number was collected or at a later time.

Each electronic message muststate the identity of the entity sending the message: name, contact information and offer a simple means of opposing the sending of further marketing messages. Every email of direct marketing must be marked as "广告" (advertisement in Chinese) or "AD" at the beginning of the subject.

The current Chinese law is not clear or specific on the rules of marketing over telephone. Telemarketing (over the phone) or below-the-line marketing (by post) should be allowed in the event that prior consent of the targets is secured expressly (i.e. data subjects have opted-in).

There are specific rules applicable to direct marketing by text messages, i.e., the opt-in should include the following additional information compared to the requirements for other electronic means such as email: (i) frequency of sending the text messages (e.g. once every month, or once every one to three months etc.); and (ii) duration of time for which the recipient will be receiving the text messages, e.g. [x] years.

 

Last modified 29 Jan 2018
Online Privacy

The Decision indicates that network service providers and other companies should ensure the privacy of personal electronic information. They are not allowed to disclose, falsify, damage, as well as sell or unlawfully provide personal electronic information to anyone else. The Consumer Protection Law and the Cybersecurity Law offer similar protection to consumer/user personal information as well.

The Decision also indicates that network service providers should strengthen management of information provided by users. Also, network service providers should stop the transmission of unlawful information and take necessary measures to remove them and save relevant records, then report to supervisory authorities.

Once citizens find network information that discloses their identity or breaches their legal rights, or are harassed by commercial electronic information, they have the right to require that the network service provider delete related information or take measures to prevent such behaviours.

Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided by the Cybersecurity Law, which generally prescribes data protection and data security obligations by network operators.

Under the Decision, network service providers must require users to provide genuine identification ('real name') information when signing agreements to grant them access to the Internet, fixed-line telephone or mobile phone services or to permit users to make information public.

In relation to online privacy for mobile apps the "Provisions on Administration of Information Services of Mobile Internet Application Programs" require app providers to adopt real-name registrations and verity users' identities based on mobile phone numbers or other information. Providers are prohibited from collecting users' location data, reading their contacts, starting the recording function or camera or any other irrelevant functions without clear notification and users' consent.  Furthermore, app publishers are required to undertake information content review and management mechanisms including to punish anyone releasing illicit information through warnings, limitation of functions, cessation of updates, or shutting down accounts.

There are currently no specific requirements regarding cookies within existing laws or regulations in the PRC.

Last modified 29 Jan 2018
Contacts
Scott Thiel
Scott Thiel
Partner & Co-Chair of Asia-Pac Data Protection and Privacy Group
T +852 2103 0519
Last modified 29 Jan 2018