What We Know so Far about China’s Data Security Administrative Measures
China has joined countries around the world in pushing for stricter data protection legislation in the wake of the implementation of the EU’s General Data Protection Regulation (GDPR). The Cyberspace Administration of China (CAC) released the draft of its Data Security Administrative Measures on 28 May 2019 and invited the public to comment on it. The consultation period of one month ended last week.
At this moment, several standards and pieces of legislation cover data protection in China, among them the Cybersecurity Law of 2017 and the Personal Information Security Specification that provides a national data protection standard, but is not legally binding. The Data Security Administrative Measures, once adopted, would be the first comprehensive law focusing on the protection of personal and important data collected and processed through the use of cyber technologies.
Two additional pieces of legislation also recently released for public consultation in draft form, the Methods for Identification of Illegal Collection and Use of Personal Information in Apps and Measures for Security Assessment on Cross-Border Transfer of Personal Information and Important Data, will complement the Measures.
Who will they apply to?
The Measures will govern all processing activities such as data collection, retention, transfer etc. in all sectors that use cyber-technologies within the territory of the People’s Republic of China. While this sounds like the Measures do not have an extraterritoriality clause like many other new data protection regulations, it is worth keeping in mind that the Cybersecurity Law of 2017 does include a data localization requirement. Initially this only extended to operators of Critical Information Infrastructure (CII), but later guidance and implementation rules extended it to network operators as well.
The term used in Chinese cybersecurity and data protection legislation, network operators, has a broad applicability referring to any owner or manager of any cyber network or network service provider that carries out data processing activities. Any businesses with network infrastructure and operations in China can thus fall under their jurisdiction.
Important Data and Personal Data
The Data Security Administrative Measures apply to two main categories of data: personal information and important data. Personal information is defined as any information, recorded electronically or otherwise that can be used on its own or in combination with other information to identify a natural person, including but not limited to name, date of birth, identification card number, personal biometric information etc. While the draft law mentions sensitive personal information twice, it is not defined as a separate special category of data like in other data protection regulations.
Important data refers to data whose leakage can directly impact national security, economic security, social stability, or public health and security, such as non-public government information, and information on the population, genetic health, geography or mineral resources. In general, important data does not include information, whether personal or otherwise, related to the production, operations and internal management of an enterprise.
Until now Chinese legislation had allowed for both implicit and explicit data subject consent for data processing depending on how sensitive the information was. For example implicit consent was allowed when data subjects shared their names and birthdays, but explicit consent was required for collection of financial or biometric data.
The Data Security Administrative Measures will now make explicit consent mandatory regardless of the sensitivity of the data collected. While the measures do not define explicit consent, companies can refer to the Personal Information Security Specification which does give clear guidelines in this respect.
Cross-border data transfers
Now this is where things get complicated for multinational companies doing business in China. Any network operator that wants to publish, share, trade or transfer important data collected in China internationally will have to seek prior approval from its industrial supervising authority or the provincial CAC if the supervising authority is unclear. The procedure for applying for an approval, how applications will be reviewed or if any thresholds will apply is not specified.
In the case of personal data, things are even murkier. The draft law only specifies that the provisions governing the international transfer of personal information will be subject to relevant regulation, presumably in this case the Measures for Security Assessment on Cross-Border Transfer of Personal Information and Important Data.
Data Breach Notifications
Data Breach notifications are already mandatory under the Cybersecurity Law of 2017, but they are reinforced by the Measures. In case of a data security incident or even just a significantly increased risk of one, network operators must immediately take remediation actions, inform data subjects by phone, text, email or mail and report the issue to the relevant industry regulatory authorities or network information departments as required. Timings are not specified.
It is worth noting that unlike other data protection regulations that specify that only serious breaches must be reported and data subjects announced, the Measures make no distinction in the level of gravity of a breach. All data security incidents or, indeed, the high risk of one, must be reported and data subjects informed.
The consequences of violating the Measures will be dire: network operators will be publically exposed, have their illegal gains confiscated and risk suspension or shutdown of their business, disabling of their website or the revocation of relevant business permits or licenses. If the violation constitutes a criminal offence, the network operator will be pursued for criminal liability in accordance with the law.
The unofficial translation of the Data Security Administrative Measures by international law firm Hogan Lovells was used in the writing of this article.