The Cyberspace Administration of China (CAC) published a draft Administrative Regulations on Cyberspace Data Security (the Draft) on November 14, 2021. Despite its title, the Draft covers issues well beyond data security. It is so far the most comprehensive set of implementing rules under the country’s overall structure of data governance – the Personal Information Protection Law (PIPL, effective November 1, 2021), the Data Security Law (DSL, effective September 1, 2021) and the Cyber Security Law (CSL, effective June 1, 2017).
While there may be changes after comments are received, the Draft clearly demonstrates CAC’s thinking and approach to enforcing the above laws. In general, CAC tends to combine its authority under the three laws into a single enforcement regime broadly covering national data security, consumer protection, anti-unfair competition and privacy protection. The deadline for submitting comments on the Draft is December 13, 2021.
New obligations to processors of personal information
The Draft provides several detailed requirements and prohibitions that are not mentioned in PIPL. For example, data processors* shall –
· disclose annually the overall situation and number of consumer complaints concerning privacy protection, and explain how they were handled or settled;
· not refuse to serve a person who declines to provide personal information that is unnecessary for the service being provided;
· disclose and explain all third-party data collection plugins that are embedded in the data processor’s systems;
· bear the burden of proof when there is a dispute over the validity of a consumer’s consent;
· refrain from repeatedly asking a data subject for consent;
· within 15 working days after the purpose of the processing has been achieved, either delete or anonymize the personal data;
· within 15 working days, respond to and settle a data subject’s request to copy, delete, correct or supplement his/her personal information; and
· not force data subjects to provide biometric data by making biometric data the only means of authentication.
* Note: Under PIPL and the Draft, the term “data processor” refers to data users who collect and process data for their own purposes, rather than vendors engaged by data users to process data on their behalf. Click here to read our observations on this confusing terminology.
PIPL provides that data processors shall notify the government and affected individuals of data breach incidents. However, it does not specify the timing of the notice or the exact government agency to be notified. The Draft clarifies these issues:
· Where a data breach may “endanger individuals or organizations”, the data processor shall, within 3 working days, inform the affected stakeholders of the fact of the breach, the possible damage and the remedial measures.
· If the breached data amounts to “important data” (a term defined under DSL, elaborated below) or involves the personal information of more than 100,000 individuals, the data processor shall (1) report the incident to the municipal data authority (CAC’s subordinate) within 8 hours of the breach, and (2) submit an assessment report to the authority within 5 working days after the incident is resolved.
“Cyberspace Security Review”
CSL and DSL provide that the government shall establish a data security review mechanism for critical information infrastructure (CII) and national security-related datasets, but they offer no details. Relying on these general provisions, the Draft creates an administrative procedure called “cyberspace security review” (to be performed by CAC or its municipal subordinates), which, under the Draft, will apply not only to CII operators but also to certain personal information processors:
· where a data processor is an Internet platform that controls a large amount of personal information and plans a corporate restructuring;
· where a data processor controls the personal information of over 1 million persons and plans an overseas public offering of shares (i.e., an IPO);
· where a data processor plans an IPO in Hong Kong and the IPO “may affect national security”; and
· other circumstances that CAC considers to affect national security.
Cross-border Data Transfer
The Draft imposes heavier duties on companies that transfer data outside of China.
· Companies with cross-border data transfers shall file a data export security report with the municipal CAC annually.
· Where personal information may be further transferred from the overseas recipient to another party, the original data sender shall agree with the data subjects in advance on the conditions of such retransfer.
· Records of government approvals shall be kept on file for no less than three years.
· When CAC or a relevant authority investigates the categories and scope of cross-border data, the data processor shall enable the authorities to read the original datasets.
· The Draft repeats PIPL’s prohibition on the unapproved provision of data to foreign judicial or law enforcement agencies, and provides a heavy punishment scheme for such activities.
FuJae has a separate newsletter regarding another recent draft regulation on government assessment and approval of cross-border data transfers. Click here to read it.
Processing the “Important Data”
DSL introduced the term “important data” into data security governance. Processors of “important data” are required to conduct “periodical security assessments” and report the results to “relevant authorities”. However, the scope of “important data”, the frequency of assessment and the identity of the “relevant authorities” were unclear. The Draft attempts to define “important data” and details the processors’ duties.
· “Important data” includes: (1) unpublished government data, (2) data subject to export control restrictions, (3) certain statistical data classified by applicable laws, (4) certain production safety data and supply chain data in key industries, (5) datasets concerning natural resources, population and the environment, such as genetic, geological, mining and meteorological data, provided that they reach a large scale or a high precision, (6) security and location data for the operation of critical information infrastructure, defense and military facilities and related research institutions, and (7) other data that could affect national, economic or ecological security or China’s “overseas” security.
· Processors of “important data” are obligated to (1) appoint data protection officers (and report their names to the authority), (2) report the fact of processing the important data and the measures taken, (3) conduct an annual data security assessment, (4) report data breaches, and (5) seek governmental approval before sharing the important data with, or entrusting its processing to, another entity.
· A processor controlling the personal information of more than 1 million persons shall be deemed a processor of “important data” – this essentially extends the scope of “important data”, a term under DSL, into the enforcement of PIPL.
· The Draft specifies CAC’s municipal subordinates as the default “relevant authorities”.
Regulating Internet Platforms
The Draft devotes a whole chapter to the administration of internet platforms. The rules in that chapter combine mechanisms traditionally found in the laws on anti-monopoly, anti-unfair competition, consumer protection and personal information protection.
· Internet platform operators are required to set up transparent and fair mechanisms for their platform rules, privacy policies and algorithms.
· For internet platforms with over 100 million daily active users, the formulation of, and significant changes to, the platform rules and privacy policies must be evaluated by licensed third parties and approved by the provincial CAC and telecom regulators.
· Internet platforms with over 50 million users are required to conduct annual third-party audits of their promises to consumers, their privacy protection and their data mining practices.
· App stores shall establish and publish their rules for reviewing apps and take measures to restrict illegal apps.
· Internet platform operators are prohibited from using their user data in a list of activities of an unfair-competition, consumer-discrimination or monopolistic nature.
The Draft contains 75 sections under 9 chapters. We have summarized the key provisions that may directly impact the operations of multinational companies (headquartered either in China or overseas). While certain changes may be made after CAC receives comments from industry and other government agencies, the Draft shows how CAC would enforce PIPL, DSL and CSL – the regulator will consider multiple factors, including national security, fair competition, personal information protection and consumer protection. CAC took this approach in drafting the regulation and will likely do the same in enforcement actions. MNCs should reorganize their management of datasets in China to respond to this trend.
Author: Donnie Dong. Admitted to practice in China and New York State, the author is a Certified Information Privacy Manager (CIPM) by the International Association of Privacy Professionals (IAPP).
Please contact Donnie Dong, firstname.lastname@example.org, if you have any questions.