On May 28, 2019, Measures on Administration of Data Security (Measures) were issued by the Cyberspace Administration of China, along with an invitation for submissions in a public consultation. The Measures will constitute a binding regulation when finally issued and implemented, and will apply to both personal data and industrial data (the main focus being important data as described below), and to both websites and apps.
The Measures provide for a number of implementing provisions concerning aspects of data collection, data usage and processing, and data security administration. Given the specific requirements provided in the draft Measures, the Measures are likely to have a major impact on the data compliance performance of network operators once in force.
Based on the principles provided for in the Cybersecurity Law of China (CSL), the Measures prescribe further requirements in relation to, among others
- The content of privacy policies
- Filing requirements for the collection of important data and sensitive personal data
- Exceptions to the mandatory consent requirement
The Measures require that the network operators’ privacy policies should include certain key items, which should include, among other things, the purpose, type, volume, frequency, means and scope of the personal data collection, the server location, and the procedures by which personal data subjects may withdraw their consent and by which they can examine, rectify and delete their personal data.
Such requirements have already been provided under a non-binding industry guideline, entitled Information Security Technology – Personal Information Security Specification (Personal Specification). However, such requirements will become a binding rule after the Measures are in force.
With respect of the filing procedure for the collection of important data and sensitive personal data, the Measures require that
- If the network operators collect important data or sensitive personal data, they shall specify the person responsible for data security and undertake filing procedure with the local cybersecurity authority
- Under such filing procedure, network operators should report, among other things, the collection purpose, scale, means, scope, type and period to the competent authorities
The Measures also provide for a definition of “important data,” which refers to data that, once divulged, may lead to direct consequences in relation to national security, economic security, social stability or public health and security. It is similar to the definition provided for under other PRC rules. For example, although the CSL itself does not provide for a specific definition of “important data,” the term “important data” is defined under a non-binding draft industrial guideline, entitled Information Security Technology – Guidelines for Cross-Border Data Transfer Security Assessment (Guidelines). Under the Guidelines, “important data” means data that does not involve state secrets, but is nonetheless closely related to national security, economic development or the public interest. The Guidelines also contain an Appendix which gives further detailed guidance on an industry-specific basis.
The Measures do not provide for a definition of sensitive personal data, but taking in to account other PRC rules (such as the Personal Specification), a data subject’s name, cell-phone number, email address, and financial information are highly likely to be deemed as sensitive personal data. If that is the case, this would mean that nearly every network operator who collects personal data in China may be subject to the filing procedure under the Measures.
The CSL provides for a principle that network operators should obtain data subjects’ consent before data collection. The Measures, on the other hand, provide for certain exceptions to that principle by providing data subjects’ consent is not required if the personal data
- Is collected from public channels and the collection does not violate the will of data subjects
- Is published by the data subjects voluntarily
- Has been anonymised
- Is necessary to be collected for the performance of certain duties by the competent PRC authorities
- Is necessary to be collected for the maintenance of national security, social security or data subjects’ life safety
Data usage and processing
The most important rule in the provisions of the Measures dealing with data usage and processing is the rule for cross-border data transfers.
The CSL introduced the concept of critical information infrastructure in key industrial sectors of China (CII). It requires that CII operators must go through a security assessment procedure and report it to the relevant competent PRC authorities if they intend to transfer personal data and/or important data abroad.
The Measures seem to extend such requirement to certain non-CII operators by requiring that every network operator should go through a self-assessment procedure and obtain the consent from the relevant industrial supervision department before it publishes, shares, trades or undertakes a cross-border transfer of important data. Because this provision, if implemented as it is now, will apparently extend this reporting obligation to non-CII operators, the requirement may potentially conflict with the data localisation requirements set out in the CSL.
Data security administration
With respect of data security administration, the Measures reiterate the principles under the CSL by requiring that, if there is any data breach, or a risk of a data breach is obviously increasing, then the network operators should notify affected data subjects and the competent PRC authorities.
The Measures also provide punishment measures for non-compliance or rule violation, which include, among other things, confiscation of illegal gains, suspension of business operations, website shut-downs, and revocation of business licences. Where the relevant offence constitutes a crime, both the company and the person in charge of that company may face the criminal punishment.
In addition, the Measures introduce a concept of a “person responsible for data security” and require network operators to appoint such a person if they plan to collect important data or personal sensitive data.
The person responsible for data security is a role very similar to the position of Data Protection Officer (DPO) under the European General Data Protection Regulation (GDPR). Under the GDPR, contrary to popular belief, what is decisive in terms of the legal obligation to appoint a DPO is not the size of the company, but rather, the core processing activities which are defined as those essential to achieving the company’s goal. Under the GDPR, if such core activities consist of processing sensitive personal data on a large scale, or are a form of data processing that is particularly far-reaching in relation to the rights of the data subjects, the company has to appoint a DPO.
The rationale for appointing a person responsible for data security under the Measures is, we believe, similar to that under the GDPR. Under the Measures, the legal duties of a person responsible for data security include
- Formulating and enforcing the data protection plan
- Initiating data security risk assessments and supervising and advocating rectification of vulnerabilities (if any)
- Reporting the progress in relation to data security protection and incident management to the competent PRC authorities, if required
- Accepting and disposing of complaints and / or reports by users
Once implemented, the Measures will no doubt become a major influence on the data compliance activities of network operators. For example, network operators may need to revisit their current privacy policies in order to address all the items required under the Measures. In addition, network operators who collect important data and/or sensitive personal data may need to implement process changes internally in order to comply with the new filing procedure.
Although the Measures constitute important legislative progress in relation to the data privacy regime in China, they still leave some significant areas to be clarified. For example, key issues such as how the filing procedure will be performed and how to resolve the potential conflict between the Measures and the CSL in relation to the requirements for important data localisation still need to be clarified.
Given the Measures are still in draft form, they may be subject to further modification before they are finalised. As a legal team specialising on PRC data compliance, we will keep monitoring changes in relation to the draft Measures and issue any updates if necessary.