Photo of Carolyn Bigg

Carolyn Bigg

Subscribe to Carolyn Bigg's Posts

On 3 February 2026, the Ministry of Industry and Information Technology (MIIT), the sectoral regulator of the automotive sector, and the Cyberspace Administration of China (CAC), the designated data regulator, together with six other government authorities, published the Guidance for the Secure Cross-Border Transfer of Automotive Data (2026 Edition). This new guidance focuses on the

Continue Reading China: New guidance on data transfer and identification of important data in the automotive sector

All data controllers processing personal data under the age of 14 (“minors“) must now submit an annual report to Chinese data regulator, the Cyberspace Administration of China (“CAC“). For 2025, the report must be submitted by 31 January 2026. There is no volume threshold, meaning that any data controller processing any

Continue Reading CHINA: new mandatory reports to regulator on children’s data , initial deadline 31 January 2026

Since the enactment of Singapore’s Cybersecurity Act 2018 (Cybersecurity Act), Singapore’s digital economy has grown rapidly, and cyber threats have evolved at a remarkable pace. To address this shifting landscape, the Cybersecurity  (Amendment)  Act 2024 (Amendment Act) was passed last year, introducing significant amendments to the Cybersecurity Act to broaden regulatory

Continue Reading Singapore: Key Amendments to the Cybersecurity Act Now in Force

On 28 October 2025, China passed amendments to the Cybersecurity Law, marking the first update since its enactment in 2016. These amendments reflect China’s heightened focus on cybersecurity and AI governance and are scheduled to take effect on 1 January 2026.

Key Updates

The amendments primarily focus on the law’s enforcement provisions. Key updates include:

Continue Reading CHINA: Amendments to Cybersecurity Law Effective 1 January 2026

The Cyberspace Administration of China (“CAC“) has recently published the Administrative Measures for Network Security Incident Reporting (“Measures“), which provide further guidance on when and how to report network security incidents under existing laws such as the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law. The Measures

Continue Reading CHINA: new stricter and 4-hour data breach reporting requirements for certain incidents

It’s well-known that China’s data protection laws define sensitive personal information very differently to other jurisdictions. Instead of a closed list of data types, sensitive personal information in China has traditionally been defined by reference to a broad “risk of harm” test. A new national standard, which will come into force on 1 November 2025

Continue Reading CHINA: definition and handling of Sensitive Personal Information helpfully clarified

While appointing and registering a DPO has been mandatory in China for many years, a portal has now finally been established for organisations to register those DPOs with the China data protection authority. This resolves long-standing uncertainty over how DPOs must be registered, and over relevant qualifications and location of the DPO. The deadline for

Continue Reading CHINA: DPOs must be registered before 29 August 2025

Recently, the Cyberspace Administration of China (CAC), which is the primary data regulator in China, published a newsletter about the government authorities’ enforcement of Apps and websites that violated personal data protection and cybersecurity laws during the year 2024.

Based on the official statistics, during 2024, the CAC interviewed 11,159 website platforms, imposed warnings or

Continue Reading CHINA: Recent Enforcement Trends

Following Malaysia’s introduction of data breach notification and data protection officer (“DPO”) appointment requirements in last year’s significant amendments to the Personal Data Protection Act (“PDPA”) (click here for our summary), the Personal Data Protection Commissioner of Malaysia (“Commissioner”) recently released guidelines that flesh out such requirements, titled the

Continue Reading Malaysia: Guidelines Issued on Data Breach Notification and Data Protection Officer Appointment

Chinese data regulators are intensifying their focus on the data protection compliance audit obligations under the Personal Information Protection Law (“PIPL“), with the release of the Administrative Measures for Personal Information Protection Compliance Audits (“Measures“), effective 1 May 2025.

The Measures outline the requirements and procedures for both self-initiated and regulator-requested

Continue Reading CHINA: Mandatory Data Protection Compliance Audits from 1 May 2025