China’s cybersecurity regulations are getting further strengthened with the release of a new set of measures to beef up the requirements of existing data protection and cybersecurity laws. The new Regulation expands and clarifies requirements for companies to protect data and networks in several areas, including handling of ‘important’ data, cross-border data transfer, personal information protection, and responsibilities of internet platforms.
On November 14, 2021, the Cyberspace Administration of China (CAC) released the Network Data Security Management Regulation (Exposure Draft) (the ‘Regulation’), seeking public opinions until December 13, 2021.
This extensive document is based on the rules stipulated in China’s existing data and cybersecurity framework composed of the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL), and fleshes out legal requirements for companies engaged in the processing of ‘important’ data and personal information of users based in mainland China in particular.
Below we provide a brief overview of the four main chapters of the Regulation, pertaining to cybersecurity responsibilities, protection of personal information, cross-border data transfer, and legal obligations of internet platforms.
The Regulation is applicable to both domestic and international entities that engage in data processing activities within China’s territory. For entities based outside of China, the Regulation is applicable when it processes the data of individuals and organizations in China with the aim of providing domestic products and services, analyzes and evaluates the behavior of individuals or companies in China, or processes ‘important’ domestic data.
Generally, ‘important’ data is defined as information that could pose a threat to national security, economic stability, and technological advancement, or significantly impact China’s industrial and telecommunication sectors. However, China has not yet provided any specific examples of what constitutes ‘important’ data, leading to some uncertainty over the definition and application.
The Regulation outlines new provisions on obligations of data processors to establish and maintain data security protection systems and implement measures such as backup, encryption, and access control to guarantee data security, detailing as provisions on necessary security measures to prevent the loss, damage, theft, or tampering of data and emergency response measures to take in the event such criminal activity or negligence occurs.
Data processors are also required to strengthen the security of data processing systems, data transfer networks, and data storage environments in accordance with the security level of the data they are handling.
This refers to a set of draft measures released on October 30, 2021, which classifies data into three categories, ‘general data’, ‘important data’, and ‘core data’, and specifies different levels of security requirements depending on the type of data being handled
The new Regulation requires that systems that process ‘important’ data must in principle meet the security requirements of ‘level three’ cybersecurity protection or above and critical information infrastructure operators. Systems processing core data must be strictly protected in accordance with the relevant regulations.
The Regulation also requires that data processors inform any persons or organizations implicated in a data breach within three days of the incident occurring and report the incident to the public security authorities if any criminal activity is suspected. In addition, if a security breach implicates the personal information of over 100,000 users, the data processor must inform the local cyberspace authorities and submit an investigation and evaluation report within five days of the incident occurring.
The Regulation stipulates multiple scenarios in which companies must undergo security reviews for both domestic and overseas operations.
Cybersecurity review requirements have been extensively covered in previous regulations and legislation, including the PIPL, the CSL, and the DSL. Building upon these requirements, a document titled Measures for Cybersecurity Review was released on July 10 this year, which stipulated that companies with over one million Chinese users seeking to list overseas must undergo a security review.
Following this, on October 29 of this year, another set of draft measures detailing the requirements for security reviews for cross-border data transfer were published. This set of regulations clarified requirements for the security reviews.
One of the major developments in the new Regulation is that cybersecurity reviews have been extended to companies that plan to list on the Hong Kong stock market as well as overseas markets.
Below are the first set of scenarios in which a company must undergo a cybersecurity review stipulated in the Regulation.
In addition to the above, companies supplying cloud computing services to state agencies and critical information infrastructure (CII) operators must also undergo a security review.
A large portion of the Regulation is dedicated to personal information protection, both reiterating some of the provisions of the PIPL and expanding upon certain requirements to aid the implementation of the rules.
Some of the requirements repeated in the new Regulation are provisions stipulating that processing personal information must only be done for “a clear and reasonable purpose” and follow the core principles of “justification, lawfulness, and necessity”.
It also reiterates the requirement for data processing to be based on the user’s explicit and informed consent, while banning data processors from refusing products or services to individuals who refuse consent to use non-essential personal information, which was a major legislative milestone of the PIPL.
To ensure the protection of personal information, Article 58 of the PIPL requires personal information processors to create their own platform rules if they provide important internet platform services, have many users, or have a complex business structure. However, the PIPL did not specify exactly what the platform rules should entail.
The Regulation clarifies requirements, stating that the rules must be easy to understand and easily accessible to users, and must include (but not exclusively include) the following:
The Regulation also outlines rules for obtaining consent to process personal information, which are listed below.
Data processors are also required to delete or anonymize personal information within 15 days if it no longer needs to process the data to provide services, the storage time limit is up, the service or user account is canceled, or any non-essential personal information is collected without consent.
The Regulation allows individuals to request the deletion or transfer of their personal information and offers some guidance on how data processors should handle such requests.
First, data processors are obliged to provide a convenient means for individuals to submit inquiries about the type and volume of personal information that has been collected and provide means for the individual to copy, amend, and supplement their personal information, or delete or restrict access to their personal information, withdraw authorization and consent, or cancel their account.
Data processors are required to provide feedback to a request to make any changes or deletions to personal information within 15 days.
Data processors are also required to transfer personal information to another data processor upon the request of the individual, provided that personal information was obtained consensually, the legal identity of the individual can be verified, and the request does not violate the wishes of others.
The Regulation also states that data processors may be permitted to “charge a reasonable fee” if it receives a number of requests that are beyond a “reasonable range”, but it does not clarify what a reasonable fee or reasonable range pertains to.
Handling and possessing ‘important’ data come with a lot of added responsibilities. Data processors are required to report the data that they possess to the authority and are subject to stricter security requirements. There are also additional requirements if the companies wish to export the data overseas, which has been stipulated in previous legislation.
Note that the Regulation treats entities that process the personal information of over one million users the same way as entities that process ‘important’ data and are therefore subject to the same rules and requirements described below.
The new Regulation includes the most extensive definition of what is classified as ‘important’ data, expanding upon the definition outlined in previous regulations.
The Regulation defines ‘important’ data as data that “may endanger national security and public interest in the event it is tampered with, destroyed, leaked, illegally obtained or illegally used”.
Below is a list of data that falls under the scope of ‘important’ data.
The Regulation requires all districts and government departments to oversee the data processors within their own district or department, as well as related industries and fields, to identify any important core data and organize it into a catalogue, which should be reported to the national cyberspace authorities.
Companies are therefore required to report to the cybersecurity departments if they are in possession of important data and are required to provide a report within 15 days of identifying the data.
The regulation requires data processors of important data to assign an experienced member of staff to be in charge of the security of the important data, and to establish a data security agency overseen by this person. The data security agency must be responsible for:
Other responsibilities include, but are not limited to:
The Regulation expands upon previous regulations on data exit security reviews for cross-border data transfer, clarifying the specific requirements for the transfer of data overseas.
Companies that need to transfer data overseas for their business needs must meet one of a set of requirements. These include passing an exit security assessment, obtaining a personal information protection certification for both the company transferring the data and the overseas recipient, or entering a contract with the overseas recipient.
Companies that provide data collected and generated within China to a foreign country are required to pass a data exit security assessment by the CAC if:
In addition, companies that process ‘important’ data that wish to list overseas must either perform a security assessment themselves or entrust a data security service agency to do it. The security assessment from the previous year must be submitted to the district cybersecurity department before January 31 of each year.
The Regulation includes an extensive set of provisions on the behavior of internet platform operators, mostly targeting the use of data to engage in anti-competitive behavior or infringing on consumer rights.
The Regulation includes requirements for platforms to establish their own platform rules, privacy policies, and a disclosure system for their algorithms. Platform operators must inform users when they establish or propose amendments to platform rules and privacy policies and give them at least three days to submit feedback on them.
The Regulation also prohibits platform operators from using data or platform rules from engaging in behavior that may harm users or competition. These include behavior such as price discrimination and low-cost pricing and restricting small and medium-sized enterprises on the platform from fairly obtaining industry and market data generated by the platform.
The rights of users are strengthened under the Regulation. For example, platforms must obtain consent from users to collect personal information and allow them to refuse targeted recommendations and push notifications.
Meanwhile, platforms that use new technologies such as artificial intelligence, virtual reality, and synthesis technology for data processing must undergo a security assessment.
The Regulation details an extensive set of fines and punishments for infractions of the various provisions. Fines vary for infractions of the different articles and can be as high as RMB 50 million (US$7.8 million) or 5 percent of the company’s turnover from the previous year for the most serious infractions of the regulations pertaining to the protection of personal information. Any income that was illegally obtained will also be confiscated.
In some circumstances, companies may also be ordered to suspend business and rectify the issue or have their business license revoked. The person legally responsible for the infraction may also be liable for fines of up to RMB 100,000 (US$15,697).
Many of the requirements for processing personal information, cross-border data transfer, and handling important data, have previously been stipulated in other legislation. Therefore, the Regulation for the most part does not expand the rules that already exist, rather it provides more clarity and details for compliance and implementation of existing laws.
The Regulation is therefore helpful in providing more guidance for companies navigating the data and cybersecurity landscape and may help them better understand which regulations will be applicable to their operations.
A clearer definition of ‘important’ data, for instance, can be beneficial for companies in evaluating what type of data they are handling and how to comply with the relevant laws and regulations. However, as there is still some ambiguity in the definition, companies will likely have to work with local cybersecurity authorities to assess the security level of their data.
At the same time, some new requirements will place a higher burden of compliance on some companies. The clarification on rules for obtaining consent and providing individuals with more agency over their own personal data will likely require companies to redesign aspects of their services to comply. Likewise, platform operators will likely have to strengthen their platform rules and privacy policies to comply with the new requirements, and many will also have to undergo more security reviews due to the stipulations on platforms with a certain number of users.
Companies that may be affected by these regulations are advised to maintain communication with the local cybersecurity departments and seek help from third-party agencies when necessary.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at email@example.com.
Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.
Previous Article « How to Prepare for an Effective Annual Audit in China?
Next Article China 2021 Recap: Overview of a Pivotal Year »
Dezan Shira & Associates´ brochure offers a comprehensive overview of the services provided by the firm. With...
A firm understanding of China’s laws and regulations related to human resources and payroll management is ab...
Doing Business in China 2022 is designed to introduce the fundamentals of investing in China. Compiled by the ...
With the scope and penalties of China’s social credit system being further clarified in 2021, legal and regu...
As a legitimate tool for reasonable tax planning and cost saving, tax incentives play an important role. Compa...
Over the last few months, China has been quickly expanding the pilot program on electronic special value-added...
Dezan Shira & Associates helps
businesses establish, maintain,
and grow their operations.
Stay Ahead of the curve in Emerging Asia. Our subscription service offers regular regulatory updates,
including the most recent legal, tax and accounting changes that affect your business.