PrivSec China


Headline Sponsor






CST Tuesday 15th March 2022
All times shown in China Standard Time (CST)

Making Sense of China’s Privacy and Security Laws
08:00 - 08:45 AM (China Standard Time (CST) | 12:00 - 12:45 AM (UK Time)

Businesses hoping to enter the Chinese market must carefully consider their legal position under a range of complicated laws and regulations. And China’s matrix of privacy and security laws is as complex as they come.

From the Cybersecurity Law and its many associated regulations; to the recently passed Data Security Law and Personal Information Protection Law—China’s legal system requires organizations to undergo a barrage of assessments, reviews, and certifications.

PrivSec China will provide an expert overview of China’s privacy and security landscape to help you make sense of your obligations and thrive in the Chinese market.


  • Bobby Piao-Hao Hsu, Public Policy/Compliance/Privacy & Data Protection (CIPP/E; CIPM)
  • Carolyn Bigg, Partner, Global Co-Chair of DLA Piper’s data protection, privacy and security practice, DLA Piper Hong Kong
  • Dr. Donnie Dong, CIPM, Partner, Fujae Partners

Microsoft sponsored session - Privacy Management in Action: Is technology ready to support us?
09:00 - 09:30 AM (China Standard Time (CST) | 01:00 - 01:30 AM (UK Time)

Privacy is top of mind for organizations and consumers today, and concerns about how personal data is handled are steadily increasing. Regulations and laws such as China Personal Information Protection Law (PIPL) impact people and organizations operating in China, setting rules for how organizations store personal data and giving people rights to manage personal data collected by an organization.

In this session, we will take a look how latest technology can help tackle potential challenges in privacy management such as:

- Proactively identify and protect against privacy risks

- Gain visibility into the storage and movement of personal data

- Empower employees to make smart data handling decisions

- Enable users to effectively manage data and take steps to comply with evolving privacy regulations

- Manage subject rights requests at scale


  • Harry Pun, Security Solution Area | Specialist Team Unit (STU), Microsoft

China’s Personal Information Protection Law (PIPL): What Businesses Need to Know
10:00 - 10:45 AM (China Standard Time (CST) | 02:00 - 02:45 AM (UK Time)

Businesses operating in China have a significant new compliance challenge. The Personal Information Protection Law (PIPL) passed in August 2021, and it imposes strict rules on how organizations collect, process, and transfer personal data.

Since then, the Cyberspace Administration of China has issued numerous regulations and guidelines providing further rules and insights into the PIPL. And it’s clear that PIPL compliance sets a very high bar.

PrivSec China will bring together experts on Chinese privacy law to help you understand the PIPL and what it means for your business.


  • Wendy Pang, FIP, CIPP/E, CIPM, Certified Legal Professional of PRC, Data Security and Privacy Protection Expert, A leading multinational financial services corporation
  • Scott A. Warren, Partner, Squire Patton Boggs
  • Robinson Roe, Managing Director, OneTrust, Asia Pacific, Japan
  • Mareike Seeßelberg, Manager, CHINABRAND IP CONSULTING GMBH

OneTrust Sponsored Session - How to Operationalise China’s Privacy and Security Laws
11:00 - 11:30 AM (China Standard Time (CST) | 03:00 - 03:30 AM (UK Time)

China’s new laws build on each other. The Data Security Law, DSL, forms the basis of the Personal Information Protection Law, PIPL. This underlines a trend we are seeing where Privacy, Security and Governance teams are working more closely together.

The PIPL has more detailed Consent requirements. Storing of data needs to be secured in accordance with the Data Security Law utilising the Multiple-Layer Protection Scheme. Processes need to be identified. Data locations determined and managed.

OneTrust operationalise these requirements while dynamically and intelligently organising the information an ongoing basis. This allows organisations to know the what, why and how data is collected and processed in order to comply with these laws.


  • Robinson Roe, Managing Director, OneTrust, Asia Pacific, Japan

International Data Transfers Under Chinese Law
11:30 - 12:15 PM (China Standard Time (CST) | 03:30 - 04:15 AM (UK Time)

China’s new data protection law has perhaps the strictest rules on international data transfers of any in the world.

Businesses must use one of four cross-border transfer mechanisms, ensure that exported data will be processed in accordance with Chinese law, provide notice to the individual whose data is being transferred, and seek the individual’s opt-in consent.

Meeting these legal requirements will be a huge challenge for any business operating in China from abroad. For example, what happens if an individual refuses consent? Is storing data locally within China the only solution? Or would even data localisation be insufficient for some foreign companies?

International data transfers are a legal minefield. PrivSec China will provide an in-depth analysis of how China’s new rules work and how they compare to existing transfer frameworks in other jurisdictions such as the EU.


  • Carolyn Bigg, Partner, Global Co-Chair of DLA Piper’s data protection, privacy and security practice, DLA Piper Hong Kong
  • Dr Amigo L. Xie, Partner, K&L Gates
  • Adam Au, General Counsel & Data Protection Officer, UMP Healthcare Holdings Limited

Are You a Critical Information Infrastructure Operator?
12:30 - 13:15 PM (China Standard Time (CST) | 04:30 - 05:15 AM (UK Time)

In China, critical information infrastructure operators (CII operators) face an increasingly heavy compliance burden.

Chinese laws such as the Cybersecurity Law, Personal Information Protection Law, and Data Security Law require CII operators to submit to security reviews, report cyber incidents, and implement strict security controls to protect sensitive data.

But if you think these rules don’t apply to you—think again. CII operators include organizations working in a diverse range of fields, including public communications, finance, and science and technology.

PrivSec China’s panel on CII operators will help you understand whether your organization meets the definition—and what you need to do if it does.



LinkedIn and Yahoo Pulled Out of China. Will Your Business Survive China’s Increasingly Tough Digital Regulations?
13:30 - 14:15 PM (China Standard Time (CST) | 05:30 - 06:15 AM (UK Time)

China is ramping up regulations on tech companies. From antirust to data protection, domestic and foreign firms face increasingly strict rules and eye-watering financial penalties.

Shortly after the passing of China’s Personal Information Protection Law in 2021, two high-profile companies (Yahoo and LinkedIn) withdrew from the country, citing an increasingly complex regulatory environment.

So how can you ensure your business avoids the same fate? Is China trying to welcome or deter foreign companies? What sort of regulatory environment can international businesses expect in China over the coming years?

PrivSec China will explore why increasingly tough digital regulation is forcing international businesses to consider the viability of their Chinese operations—and how your business can survive in this new environment.



Exterro Sponsor Session - In-house or Outsourcing? How do you digitize your privacy protection plan?
14:30 - 15:00 PM (China Standard Time (CST) | 06:30 - 07:00 AM (UK Time)

With PIPL implementation and corporate digital transformation, data processors are facing a stressful situation while working towards data compliance. “Who owns your data?” “Do you know where your important data is?”

There are many critical data privacy questions that have reached the souls of General Counsel and Privacy Officers. Many large corporations have realized the significance of digitizing their privacy protection. However, should that be implemented by an in-house team or outsourced to privacy solution providers?

Pros and cons will be discussed during this session. More importantly, a methodology to digitize China data processors’ privacy protection plan will be proposed.



China's Network Data Security Regulations: Clarity at Last or Another Compliance Nightmare?
15:00 - 15:45 PM (China Standard Time (CST) | 07:00 - 07:45 AM (UK Time)

The CAC's draft Network Data Security Regulations provide rules on how to comply with China's data laws. The regulations will provide some much-needed clarity on how to meet requirements under the CSL, DSL, and PIPL. But as they currently weigh in at 75 articles, implementing the rules will be a big challenge.

Getting compliance right is vital to your Chinese operations, but PrivSec China is here to help. This session will provide actionable steps to prepare for the Network Data Security Regulations.


  • Dr Rogier Creemers, University Lecturer in the Law and Governance of China, Leiden University
  • Lianying Wang, Managing Associate, Sidley Austin LLP
  • Susan Munro, Foreign Registered Lawyer, K&L Gates LLP
  • Adam Au, General Counsel & Data Protection Officer, UMP Healthcare Holdings Limited

Doing Business In China: The Geopolitical Dimension
16:00 - 16:45 PM (China Standard Time (CST) | 08:00 - 08:45 AM (UK Time)

When thinkining long-term about your business strategy in the Chinese market, compliance with privacy and security law is hugely important. But there's another vital consideration over which you have far less control: politics.

Doing business in China is can be risky and unpredictable for Western companies, thanks in part to the turbulent political relationship between China and the West. PrivSec China will consider how current political tensions might lead to new rules or sanctions that could impact on your Chinese operations.