China’s State Council Passes Key Data Security Regulations
China’s cybersecurity regulations are being further strengthened with a new set of measures to beef up the requirements of existing data protection and cybersecurity laws. The new Regulation expands and clarifies requirements for companies to protect data and networks in several areas, including handling of ‘important’ data, cross-border data transfer, personal information protection, and responsibilities of internet platforms.
UPDATE: On August 30, 2024, the State Council officially passed the Network Data Security Management Regulation after almost two and a half years of deliberation. The final text of the regulation has yet to be released but is expected to be published by the end of this year or early next year at the latest.
Given the long drafting period, several amendments are expected based on the experience gained from implementing other data regulations. However, it is worth noting that many provisions of the draft regulation have already been adopted into other regulations, such as the classification of “important data” and rules on cross-border data transfer. This means many provisions in the draft regulation are already treated as de facto in force.
Companies should prepare for the moment the draft regulations take effect, paying particular attention to the provisions on data classification, cross-border data transfer, and personal information protection. It is also advisable to refer to regulations and standards covering these aspects that have been passed in the years since the draft regulation was released, as they will likely already contain the amendments that we will see in the final version of the text. These include the Rules for data classification and grading, the Measures for Data Export Security Assessment, and the Regulations to Promote and Standardize Cross-Border Data Flows, among others.
On November 14, 2021, the Cyberspace Administration of China (CAC) released the Network Data Security Management Regulation (Exposure Draft) (the ‘Regulation’), seeking public opinions until December 13, 2021.
This extensive document is based on the rules stipulated in China’s existing data and cybersecurity framework composed of the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL), and fleshes out legal requirements for companies engaged in the processing of ‘important’ data and personal information of users based in mainland China in particular.
Below we provide a brief overview of the four main chapters of the Regulation, pertaining to cybersecurity responsibilities, protection of personal information, cross-border data transfer, and legal obligations of internet platforms.
Who does the Regulation apply to?
The Regulation is applicable to both domestic and international entities that engage in data processing activities within China’s territory. For entities based outside of China, the Regulation is applicable when it processes the data of individuals and organizations in China with the aim of providing domestic products and services, analyzes and evaluates the behavior of individuals or companies in China, or processes ‘important’ domestic data.
Generally, ‘important’ data is defined as information that could pose a threat to national security, economic stability, and technological advancement, or significantly impact China’s industrial and telecommunication sectors. However, China has not yet provided any specific examples of what constitutes ‘important’ data, leading to some uncertainty over the definition and application.
What does the Regulation require for cybersecurity?
The Regulation outlines new provisions on obligations of data processors to establish and maintain data security protection systems and implement measures such as backup, encryption, and access control to guarantee data security, detailing as provisions on necessary security measures to prevent the loss, damage, theft, or tampering of data and emergency response measures to take in the event such criminal activity or negligence occurs.
Data processors are also required to strengthen the security of data processing systems, data transfer networks, and data storage environments in accordance with the security level of the data they are handling.
This refers to a set of draft measures released on October 30, 2021, which classifies data into three categories, ‘general data’, ‘important data’, and ‘core data’, and specifies different levels of security requirements depending on the type of data being handled
The new Regulation requires that systems that process ‘important’ data must in principle meet the security requirements of ‘level three’ cybersecurity protection or above and critical information infrastructure operators. Systems processing core data must be strictly protected in accordance with the relevant regulations.
The Regulation also requires that data processors inform any persons or organizations implicated in a data breach within three days of the incident occurring and report the incident to the public security authorities if any criminal activity is suspected. In addition, if a security breach implicates the personal information of over 100,000 users, the data processor must inform the local cyberspace authorities and submit an investigation and evaluation report within five days of the incident occurring.
Cybersecurity reviews
The Regulation stipulates multiple scenarios in which companies must undergo security reviews for both domestic and overseas operations.
Cybersecurity review requirements have been extensively covered in previous regulations and legislation, including the PIPL, the CSL, and the DSL. Building upon these requirements, a document titled Measures for Cybersecurity Review was released on July 10 this year, which stipulated that companies with over one million Chinese users seeking to list overseas must undergo a security review.
Following this, on October 29 of this year, another set of draft measures detailing the requirements for security reviews for cross-border data transfer were published. This set of regulations clarified requirements for the security reviews.
One of the major developments in the new Regulation is that cybersecurity reviews have been extended to companies that plan to list on the Hong Kong stock market as well as overseas markets.
Below are the first set of scenarios in which a company must undergo a cybersecurity review stipulated in the Regulation.
In addition to the above, companies supplying cloud computing services to state agencies and critical information infrastructure (CII) operators must also undergo a security review.
What does the Regulation require for personal information protection?
A large portion of the Regulation is dedicated to personal information protection, both reiterating some of the provisions of the PIPL and expanding upon certain requirements to aid the implementation of the rules.
Some of the requirements repeated in the new Regulation are provisions stipulating that processing personal information must only be done for “a clear and reasonable purpose” and follow the core principles of “justification, lawfulness, and necessity”.
It also reiterates the requirement for data processing to be based on the user’s explicit and informed consent, while banning data processors from refusing products or services to individuals who refuse consent to use non-essential personal information, which was a major legislative milestone of the PIPL.
To ensure the protection of personal information, Article 58 of the PIPL requires personal information processors to create their own platform rules if they provide important internet platform services, have many users, or have a complex business structure. However, the PIPL did not specify exactly what the platform rules should entail.
The Regulation clarifies requirements, stating that the rules must be easy to understand and easily accessible to users, and must include (but not exclusively include) the following:
- Statements clarifying the personal information needed to provide the function of the product or service and a list of the purpose and use for the personal information, method of collection and processing, type of personal information collected, the frequency or occasions in which personal information is collected, and where the personal information is stored for each function. It must also state what impact refusing the processing of personal information could have on the individual.
- The storage period of personal information or the method for determining the storage period of personal information, and the processing method after expiration.
- Means and methods for individuals to look up, copy, amend, delete, manage restrictions, and transfer their personal data, deregister accounts, and revoke consent to processing their personal data.
- The names of all third-party codes and plug-ins embedded in the product or service that collect personal information, presented in an easily accessible way, as well as the purpose for the collection, method of collection, type of personal information collected, and frequency or occasion for the collection of each third-party code or plug-in, and its personal information processing rules.
- Information related to providing personal information to a third party, such as the purpose, the method, and the type of personal information provided, and the information related to the data recipient.
- The security risks and protection measures for the personal information.
- Complaints and reporting channels and solutions for personal information security issues, and the contact information of the person in charge of personal information protection.
The Regulation also outlines rules for obtaining consent to process personal information, which are listed below.
Rules for Obtaining Consent to Process Personal Information |
1. Data processors are not permitted to use generalized terms to obtain consent, separate consent must be obtained for each type of service. |
2. Individual consent is required for processing sensitive data, such as information pertaining to biometrics, religion and faith, specific identity, health, financial accounts, and whereabouts. |
3. Data processors must obtain consent from a guardian to process the personal information of minors under the age of 14. |
4. Data processors may not force consent through the guise of improving service quality, improving user experience, researching and developing new products, or other reasons. |
5. Data processors may not obtain consent through misinformation, fraud, or coercion. |
6. Data processors may not induce or force individuals to consent to multiple types of personal information by bundling different types of services or applying for consent for multiple services together. |
7. Data processors may not process personal information for purposes beyond the scope of the individual’s authorization and consent. |
8. Data processors may not frequently ask for consent or interfere with the normal use of the service after an individual expressly refuses consent. |
Data processors are also required to delete or anonymize personal information within 15 days if it no longer needs to process the data to provide services, the storage time limit is up, the service or user account is canceled, or any non-essential personal information is collected without consent.
Personal information deletion, anonymization, and transfer
The Regulation allows individuals to request the deletion or transfer of their personal information and offers some guidance on how data processors should handle such requests.
First, data processors are obliged to provide a convenient means for individuals to submit inquiries about the type and volume of personal information that has been collected and provide means for the individual to copy, amend, and supplement their personal information, or delete or restrict access to their personal information, withdraw authorization and consent, or cancel their account.
Data processors are required to provide feedback to a request to make any changes or deletions to personal information within 15 days.
Data processors are also required to transfer personal information to another data processor upon the request of the individual, provided that personal information was obtained consensually, the legal identity of the individual can be verified, and the request does not violate the wishes of others.
The Regulation also states that data processors may be permitted to “charge a reasonable fee” if it receives a number of requests that are beyond a “reasonable range”, but it does not clarify what a reasonable fee or reasonable range pertains to.
What does the Regulation require for ‘important’ data?
Handling and possessing ‘important’ data come with a lot of added responsibilities. Data processors are required to report the data that they possess to the authority and are subject to stricter security requirements. There are also additional requirements if the companies wish to export the data overseas, which has been stipulated in previous legislation.
Note that the Regulation treats entities that process the personal information of over one million users the same way as entities that process ‘important’ data and are therefore subject to the same rules and requirements described below.
Definition of ‘important’ data
The new Regulation includes the most extensive definition of what is classified as ‘important’ data, expanding upon the definition outlined in previous regulations.
The Regulation defines ‘important’ data as data that “may endanger national security and public interest in the event it is tampered with, destroyed, leaked, illegally obtained or illegally used”.
Below is a list of data that falls under the scope of ‘important’ data.
Definition of ‘Important’ Data |
1. Undisclosed government affairs data, work secrets, intelligence data, and law enforcement and judicial data. |
2. Export-controlled data, core technologies, design plans, production processes and other data related to export-controlled items, and data on scientific and technological achievements that have a direct impact on national security and economic competitiveness in fields such as cryptography, biology, electronic information, and artificial intelligence. |
3. National economic data, important industry business data, statistical data, etc. that require protection or control under national laws, administrative regulations, and departmental rules. |
4. Data on safe production and operation in key industries and fields such as industry, telecommunications, energy, transportation, water conservancy, finance, defense technology, customs, taxation, and data on key system components and equipment supply chains. |
5. Basic national data on demographics and health, natural resources, and the environment, such as genes, geography, minerals, and meteorology that meet the scale or accuracy required by the relevant national departments. |
6. Data on national infrastructure and critical information infrastructure construction and operation and related security data, national defense facilities, military management areas, national defense scientific research and production units, and other sensitive areas, such as geographic location and security conditions. |
7. Other data that may affect the security of the country’s politics, territory, military, economy, culture, society, science and technology, ecosystem, resources, nuclear facilities, overseas interests, biology, aerospace, polar regions, and deep seas. |
Reporting important data
The Regulation requires all districts and government departments to oversee the data processors within their own district or department, as well as related industries and fields, to identify any important core data and organize it into a catalogue, which should be reported to the national cyberspace authorities.
Companies are therefore required to report to the cybersecurity departments if they are in possession of important data and are required to provide a report within 15 days of identifying the data.
Security responsibilities for important data
The regulation requires data processors of important data to assign an experienced member of staff to be in charge of the security of the important data, and to establish a data security agency overseen by this person. The data security agency must be responsible for:
- Researching and making recommendations for decisions related to data security
- Formulating and implementing data security plans and emergency response plans
- Carrying out risk monitoring and dealing with security incidents
- Carrying out data security training, education, risks assessment, emergency drills, and other such preventative measures
- Handling complaints and reports
- Reporting to the cybersecurity departments
Other responsibilities include, but are not limited to:
- Formulating security plans and conducting annual data security training and education for staff. Data security-related technical and managerial personnel must receive at least 20 hours of training per year.
- Prioritize the purchasing of secure and reliable network products and services.
What does the Regulation require for cross-border data transfer?
The Regulation expands upon previous regulations on data exit security reviews for cross-border data transfer, clarifying the specific requirements for the transfer of data overseas.
Companies that need to transfer data overseas for their business needs must meet one of a set of requirements. These include passing an exit security assessment, obtaining a personal information protection certification for both the company transferring the data and the overseas recipient, or entering a contract with the overseas recipient.
Companies that provide data collected and generated within China to a foreign country are required to pass a data exit security assessment by the CAC if:
- The data being it exports contains ‘important’ data.
- It is a critical information infrastructure (CII) operator or company processing the personal information of more than one million people.
- Meets any other criteria for a security assessment stipulated by the CAC.
In addition, companies that process ‘important’ data that wish to list overseas must either perform a security assessment themselves or entrust a data security service agency to do it. The security assessment from the previous year must be submitted to the district cybersecurity department before January 31 of each year.
What does the Regulation require of internet platforms?
The Regulation includes an extensive set of provisions on the behavior of internet platform operators, mostly targeting the use of data to engage in anti-competitive behavior or infringing on consumer rights.
The Regulation includes requirements for platforms to establish their own platform rules, privacy policies, and a disclosure system for their algorithms. Platform operators must inform users when they establish or propose amendments to platform rules and privacy policies and give them at least three days to submit feedback on them.
Platform operators with more than 100 million daily active users must undergo a review by a third-party agency approved by the CAC if they establish or make amendments to any platform rules or privacy policy that could significantly impact the users.
The Regulation also prohibits platform operators from using data or platform rules from engaging in behavior that may harm users or competition. These include behavior such as price discrimination and low-cost pricing and restricting small and medium-sized enterprises on the platform from fairly obtaining industry and market data generated by the platform.
The rights of users are strengthened under the Regulation. For example, platforms must obtain consent from users to collect personal information and allow them to refuse targeted recommendations and push notifications.
Meanwhile, platforms that use new technologies such as artificial intelligence, virtual reality, and synthesis technology for data processing must undergo a security assessment.
Legal liability
The Regulation details an extensive set of fines and punishments for infractions of the various provisions. Fines vary for infractions of the different articles and can be as high as RMB 50 million (US$7.8 million) or 5 percent of the company’s turnover from the previous year for the most serious infractions of the regulations pertaining to the protection of personal information. Any income that was illegally obtained will also be confiscated.
In some circumstances, companies may also be ordered to suspend business and rectify the issue or have their business license revoked. The person legally responsible for the infraction may also be liable for fines of up to RMB 100,000 (US$15,697).
Impact on companies
Many of the requirements for processing personal information, cross-border data transfer, and handling important data, have previously been stipulated in other legislation. Therefore, the Regulation for the most part does not expand the rules that already exist, rather it provides more clarity and details for compliance and implementation of existing laws.
The Regulation is therefore helpful in providing more guidance for companies navigating the data and cybersecurity landscape and may help them better understand which regulations will be applicable to their operations.
A clearer definition of ‘important’ data, for instance, can be beneficial for companies in evaluating what type of data they are handling and how to comply with the relevant laws and regulations. However, as there is still some ambiguity in the definition, companies will likely have to work with local cybersecurity authorities to assess the security level of their data.
At the same time, some new requirements will place a higher burden of compliance on some companies. The clarification on rules for obtaining consent and providing individuals with more agency over their own personal data will likely require companies to redesign aspects of their services to comply. Likewise, platform operators will likely have to strengthen their platform rules and privacy policies to comply with the new requirements, and many will also have to undergo more security reviews due to the stipulations on platforms with a certain number of users.
Companies that may be affected by these regulations are advised to maintain communication with the local cybersecurity departments and seek help from third-party agencies when necessary.
About Us
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.
Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.
- Previous Article Exploring China’s Leading AI Hubs: A Regional Analysis
- Next Article China Monthly Tax Brief: August 2024