Beyond COVID-19: Crisis response or road to recovery?
Crisis response or road to recovery?
On November 30, 2018 the Cyber Security Protection Bureau, under the auspices of the PRC Ministry of Public Security (the MPS), issued a draft Guideline for Internet Personal Information Security Protection (the Guideline) along with a request for public comments.
Even though, upon reaching final form and taking effect, the Guideline will not be a mandatory regulation, it nonetheless has a key implementing role in relation to the PRC Cyber Security Law (the CSL) and the Administrative Measures for the Multi-Level Protection of Information Security (the Multi-Level Protection Measures) in respect of protecting information systems and personal information in China.
The MPS has long been involved in data security through its multi-level protection system under the Multi-Level Protection Measures, but it has not to date exercised a great deal of power over matters of personal information protection. The draft Guideline therefore represents the MPS’s most recent major foray into this area. The draft Guideline has three major parts
In this update we address the key requirements in relation to these three areas. To achieve some unity across these disparate areas, the draft Guideline draws on (and cites explicitly) Information Security Technology – Baseline for Classified Protection of Information System (GB/T 22239-2008) and Information Security Technology – Personal Information Security Specification (GB/T 35273-2017).
In relation to management mechanisms, the draft Guideline requires a personal information controller to establish
In addition, the draft Guideline lays down certain ground rules in relation to establishing posts in management bodies, the hiring of management personnel, the departure of management personnel, and external personnel access.
In relation to technical measures, the draft Guideline requires that each personal information controller
The draft Guideline’s requirements in relation to specific requirements/processes in handling personal information mainly focus on personal information protection, including personal information collection, storage, use, third party entrusted processing, information sharing and transfer, disclosure and emergency response. Such requirements broadly overlap requirements under the Information Security Technology – Personal Information Security Specification.
Although the draft Guideline will not be a mandatory regulation, we consider that it could be regarded as an example of good practice and practical supplementation guidance under the framework envisaged by the CSL.
There are other PRC authorities who have already looked at aspects of the protection of personal information protection, such as the Cyberspace Administration of China, the PRC Ministry of Industry and Information Technology and the State Administration for Market Regulation. It follows that a personal information controller may face supervision from several different PRC authorities in relation to personal information protection at the same time. It may also be the case that, in the future, different PRC authorities might wish to enact their own overlapping rules and that such rules may not be fully consistent. That could lead to uncertainties and challenges for a personal information controller seeking to fully comply with all the relevant PRC rules.
Given the Guideline is still in draft form, it may subject to further modification before it is finalised. As a legal team specialising on PRC data compliance, we will keep monitoring changes in relation to the draft Guideline and issue a revised update if necessary.
As the global aviation industry looks towards post-pandemic recovery and less turbulent skies, it is the topic of decarbonisation that is increasingly top of everyone’s agenda. There have been a number of eye-catching announcements around the world in recent weeks, from United Airlines announcing its intention to purchase 100 electric aircraft, an increased focus on the use of sustainable aviation fuel (SAF) from several airlines, and Korean Air utilising the green bond markets.
© Norton Rose Fulbright LLP 2021