Where are we now with data protection law in China?
Until recently, China’s data privacy framework consisted only of a patchwork of fragmented rules found in various laws, measures and sector-specific regulations. And while the sources of law remain many and overlapping in this area, the Cyber Security Law, which came into effect on 1 June 2017, included for the first time a comprehensive set of data protection provisions in the form of national-level legislation. The law is of general application to personal data collected over information networks. Numerous regulations, guidelines and other subsidiary measures remained to be adopted under the umbrella of the law when it came into effect. Drafts of many of these have now been published, and the entire package, including the controversial provisions affecting transfers of certain data, including personal data, out of China, is expected to be brought into force from the beginning of 2019.
Meanwhile, a detailed national standard known as the Personal Information Security Specification (the PI Security Specification) entered into effect on 1 May 2018. This non-binding guideline contains detailed requirements on data handling and data protection. No penalties apply for breach. However, given its comprehensive nature, Chinese government agencies are expected to apply the Specification as an important measure of compliance with all of China’s data protection rules, including those contained in the Cyber Security Law.
This briefing summarises the most important personal data privacy provisions now in effect or published in draft.
Data protection obligations under the Cyber Security Law
The Cyber Security Law imposes data privacy obligations on network operators. The term ‘network operator’ includes both owners and administrators of a network as well as network service providers.
A ‘network’ is defined as any system that consists of computers or other information terminals, and related equipment for collecting, storing, transmitting, exchanging and processing information.
Accordingly, the data privacy provisions in the Cyber Security Law will apply to all organisations in China that provide services over the internet or another information network. Internal networks and systems might potentially be caught as well, but this is less clear.
Definition of personal data
The Cyber Security Law defines personal data as information that identifies a natural person either by itself or in combination with other information. The term includes a person’s name, address, telephone number, date of birth, identity card number and biometric identifiers.
Additionally, the draft Measures on Evaluating the Security of Transmitting Personal Information and Important Data Overseas (the Security Assessment Measures) expand the scope of personal data to include information that reveals a person’s activities or behaviours. The listed examples of personal data in the Measures include account numbers and passwords, location information and activity information.
Data collection and processing
Network operators are prohibited from collecting personal data that is not relevant to the services they offer. It is not known how strictly this prohibition will be enforced.
Before collecting personal data from an individual (the Data subject), a network operator is required to explicitly inform the individual of the purposes, means and scope of the collection and use of their data, and obtain their consent for collection. Any processing of personal data must be done within the scope of those consents. The purpose limitations under the Cyber Security Law are thus entirely consent-based.
It is unclear whether the same standards are intended to apply to employee information. Various references within the data privacy provisions of the law to the provision of ‘services’ and the making of collection statements ‘public’ indicate that the law may not be intended to capture internal systems. However, the definition of a ‘network’ is certainly wide enough to include internal systems, as noted above.
Under the Provisions of the Employment Service and Employment Management (in effect since 2008), there is already a general obligation on employers to keep employees’ personal data confidential and to obtain written consent before disclosing their personal data to third parties.
Storage and security
The Cyber Security Law requires network operators to keep users’ personal data in strict confidence. This includes an obligation to implement technical measures to monitor and record the operational status of their networks and the occurrence of cyber security incidents.
Network operators are also required to back up and encrypt so-called ‘important data’, and to store operations logs for at least six months. The Security Assessment Measures define ‘important data’ as data that is closely related to national security, economic development and societal and public interests. (There is no definition in the Cyber Security Law itself.)
On 25 August 2017, the National Information Security Standardisation Technical Committee (TC260) released the second draft of the non-binding Guidelines for Cross-Border Data Transfer Security Assessment (the Guidelines for Cross-Border Data Transfer). These Guidelines provide detailed guidance in relation to cross-border transfers of data, and are discussed further below. The Guidelines also include a detailed but non-exhaustive appendix listing different types of ‘important data’ (Appendix A).
More generally, the Guidelines clarify that ‘important data’ means data that is closely related to national security, economic development and social and public interests (including original data and derivative data) which if disclosed, lost, abused, destroyed, integrated or analysed without authorisation, would harm national security, diplomatic relations, national economy, social and public interests, law enforcement or key infrastructure, etc.
By this measure, some personal data may also constitute important data. Notable examples of personal data listed in Appendix A of the Guidelines include medical records, genetic and biometric information, account information and transaction records, e-commerce account information and transaction records, and personal consumption habits.
Conversely, by implication, there is no legal requirement to encrypt personal data collected in China except where it constitutes ‘important data’. The PI Security Specification does, however, require enhanced security measures, such as encryption, to be used when storing sensitive personal data.
Draft Ministry of Public Security (MPS) Regulations on the Graded Protection of Cyber Security (the MPS Regulations) issued in June 2018 will require businesses to obtain certification from the MPS if the disruption of their network would result in serious harm or worse to individual rights and interests or harm to public interests or national security. The security classification (on a scale of 1 to 5) will be based on criteria such as the function of the network, the nature of the service offered, the types of data being processed and the potential damage of a security incident, in particular the impact on national and economic security interests.
Networks that the MPS has graded 3 or above (a risk of extremely serious harm to individual rights and interests or serious harm to public interests or national security) will be subject to additional security obligations. These include an obligation to take pro-active measures to monitor and detect cyber threats, develop a specific cyber security protection management platform and incident response plan, report incidents to the MPS and to conduct regular cyber security emergency response drills. The MPS will conduct an audit of every network graded 3 or above at least once per year.
The Cyber Security Law imposes a mandatory obligation to promptly inform Data subjects of a data breach or other loss of personal data. A network operator is also required to report the incident to the relevant sector regulator and to take immediate remedial action.
The MPS Regulations require network operators to report cyber incidents to the local branch of the MPS within 24 hours. There is no de minimis threshold, and the draft Regulations do not specify what the substance of the report ought to be.
The PI Security Specification states that an incident notification must explain:
- the nature and impact of the incident
- the measures taken or to be taken in response
- the practical recommendations for data subjects to minimise the impact of the incident on them
- data subjects’ rights and remedies.
The Cyber Security Law requires network operators to allocate persons responsible for network security as part of their internal security management systems. But the law falls short of requiring organisations to appoint a specific data protection officer. The PI Security Specification does however provide that organisations are expected to designate a person or agent to manage personal data.
Under the Security Assessment Measures and the PI Security Specification, if an organisation has more than 200 personnel and its main business involves processing personal data, or if the organisation is expected to handle the personal data of more than 500,000 people over the next 12 months, then it should establish a department with dedicated staff to handle personal data security.
Responsible persons may have direct personal liability for breaches of the core data privacy provisions under the law.
Transfer of data
Under the Cyber Security Law, it is necessary to obtain the informed consent of Data subjects to transfer or disclose any of their personal data to a third party (whether within or outside the country).
Under the Security Assessment Measures, to obtain informed consent to an overseas transfer of personal data, the network operator must first notify the Data subject of:
- the type of personal data being transferred (it is unclear how much detail must be given)
- the purpose and scope of the transfer
- the recipient and the country to which the data will be transferred.
In certain circumstances, consent may be implied by the Data subject’s actions, such as making international telephone calls, sending international emails or instant messages, and conducting international transactions over the internet (the Guidelines for Cross-Border Data Transfer). This is extended to other ‘proactive’ (i.e. voluntary) personal actions that indicate that the Data subject has consented to the data export, but no further examples are given.
The Security Assessment Measures clarify that consent is required to transfer personal data to any organisation overseas, which would include transfers to affiliates or to an overseas storage facility. The Guidelines for Cross-Border Data Transfer are explicit that transfers of data within an internal cross-border network are caught.
Security assessment for cross-border transfers
Additionally, the latest version of the Security Assessment Measures issued by the Cyberspace Administration of China (CAC) in mid-2017 provides that network operators will need to conduct a security assessment on an annual basis before transferring any personal data out of China. The security assessment is an internal self-certification process conducted and documented in a written report by the transferring entity. If the draft is brought into effect in its current form, this requirement will apply from 31 December 2018.
This requirement is additional to the data localisation measures for operators of ‘critical information infrastructure’ provided for in the Cyber Security Law itself, which are discussed below (and which are already in force).
What is a data transfer?
Under the Guidelines for Cross-Border Data Transfer, a cross-border transfer means any movement of personal data (and other restricted classes of data) outside of China. The Guidelines are explicit that remote access constitutes a data transfer - even if the data is accessible only in an encrypted environment subject to access restrictions. (Visits to web sites from outside China are however carved out.)
What factors should be considered in the security assessment report?
The security assessment must take into account factors such as:
- the necessity of the overseas transfer (for example, if it is necessary for the network operator to conduct business in China or to perform contractual obligations)
- the amount and sensitivity of personal data
- the security measures taken by the recipient (which should be certified)
- the legal environment in the recipient country (which favours transfers to countries with robust protection for personal data)
- the risk of a data leak
- whether the transfer includes so-called ‘important data’
- the risks to national security, societal and public interests or personal legitimate interests.
The Security Assessment Measures establish a threshold requirement of a “genuine need to transfer data overseas for reasons of operational necessity”. Necessity can be established on a number of grounds, including if it is necessary to perform contractual obligations or necessary for a multi-national organisation to conduct business in China. For instance, the Guidelines for Cross-Border Data Transfer recognise that not all foreign businesses will be able to localise data processing capability in China. However, only those types of data that are directly required to fulfil the business purpose may be transferred, and only in the quantity and frequency that is necessary to achieve that purpose.
The Guidelines set out a scoring system to assess the impact of the data transfer that emphasises the inter-relationship between the various factors in the security assessment (Appendix B). While detailed in terms of identifying the various considerations to be taken account of, the scoring system nevertheless leaves a good deal of room for interpretation.
The Guidelines also advocate the use of desensitisation measures to reduce the impact of the data transfer on the interests of the individuals affected. While not specific about what these measures should consist of, the TC260 is presumably referring to techniques such as randomisation, noise addition and generalisation that fall short of full anonymisation or pseudonymisation.
What happens if the personal data to be transferred comprises ‘important data’?
Another criterion for the security assessment is whether the transfer includes any ‘important data’, i.e. data related to national security, economic development and societal and public interests.
The inclusion of ‘important data’ is not a decisive factor against authorising the data export. It is one factor among several, which could potentially therefore be offset by, for example, higher security precautions. (All ‘important data’ must be encrypted at all times in any event.) The main consideration for the security assessment when transferring ‘important data’ is the impact on national security, economic development and societal and public interests. For that reason, only the minimum amount of ‘important data’ without which the relevant business function cannot be fulfilled may be transferred. ‘Important data’ will be expected to be desensitised before transfer, wherever possible.
It is important to note that the Security Assessment Measures provide that a security assessment must be carried out before transferring any ‘important data’ overseas - whether or not the transfer also contains personal data.
What are the requirements for conducting a security assessment?
The security assessment should be carried out by a working group comprising legal, security, technology and management personnel. The report must be kept for a minimum of two years. Transmission logs must also be kept for two years.
In certain circumstances, network operators will be required to submit the security assessment report to the relevant authorities before making the transfer. These include:
- where the organisation transfers the personal data of more than 500,000* individuals in aggregate in any one year
- any individual data transfer exceeding 1,000GB
- other circumstances that could affect national security, economic development and societal and public interests.
(*The Security Assessment Measures remain in draft and, as such, these thresholds are potentially subject to change before the rule is brought into effect.)
The security assessment must be repeated if the purpose, scope, type and amount of data transferred changes significantly, or where a material security incident has occurred.
What if the personal data has been anonymised before transfer?
For personal data, where the data has been fully anonymised (i.e. processed to irreversibly prevent a specific person from being identified and to prevent the personal data from being restored), a security impact assessment will not be required.
Data localisation obligations for ‘critical information infrastructure’ operators
Under the Cyber Security Law, all personal data and ‘important data’ held by ‘critical information infrastructure’ operators (CIIOs) must be stored in China. These data localisation provisions have been in effect since 2017. Overseas transfer of personal data or ‘important data’ collected on ‘critical information infrastructure’ requires prior regulatory approval after filing the security assessment report with the designated authority (prepared in accordance with the requirements summarised above).
Data export will only be allowed where the authority agrees that it is genuinely necessary for business reasons to transfer the data.
The Cyber Security Law itself does not contain a definition of ‘critical information infrastructure’. The CAC’s Cyberspace Security Strategy, released on 27 December 2016, defines ‘critical information infrastructure’ as “information infrastructure that affects national security, the national economy and people’s livelihoods, such that, if data is leaked, damaged or loses its functionality, national security and public interests may be seriously harmed”. The most useful scoping document for ‘critical information infrastructure’ is the CAC’s draft Regulations on the Protection of Critical Information Infrastructure published in July 2017. The following sectors and business areas are deemed to constitute ‘critical information infrastructure’, depending on the degree of impact of a cyber breach:
- energy, finance, transportation, water management, sanitation and healthcare, education, social security, environmental protection and public utilities, etc
- information networks, such as telecommunications, radio and television, the Internet as well as businesses providing cloud computing, big data and other large-scale public information network services
- scientific research and production in fields such as national defence, industrial equipment, industrial chemicals, food and drugs
- radio stations, television stations and other news agencies
- other key operations.
The intention is not to include every operator within these sectors as CIIOs. Rather, the Regulations also look at potential impact of a data leak or other cyber attack, such that it is only where the incident “may gravely harm national security, the national economy, the people’s livelihood and the public interest” that the relevant information network is deemed to be critical infrastructure. The open nature of several of the categories also indicates that this list is not intended to be exhaustive.
For example, the draft National Security Check Operation Guide issued by the Cyber Security Coordination Bureau of the CAC, effective 1 June 2016, parses the information systems or industrial control systems that support critical business operations within these sectors. The Guide specifies that the following systems could be ‘critical information infrastructure’ within the relevant sectors:
- Websites with more than a million average daily visitors
- Websites where a cyber incident may, for example (i) affect more than a million people or their personal data, (ii) affect more than 30% of the population in a single municipal administrative district, or (iii) result in disclosure of the sensitive information of a large number of institutions or businesses
- Online platforms with (i) more than 10 million registered users or more than one million active daily users, or (ii) a daily average transaction order amount of more than RMB 10 million
- Online platforms where a cyber incident may, for example (i) directly cause economic losses of more than RMB 10 million, (ii) directly affect more than 10 million people or the personal data of more than a million people, or (iii) result in the disclosure of the sensitive information of a large number of institutions and enterprises
- Data centres comprising more than 1500 standard racks
- Production businesses where a ‘safety’ incident may (i) affect more than 30% of the population in a single municipal administrative district, (ii) disrupt the access of more than 100,000 people to utilities or transportation, (iii) cause the deaths of more than five persons or more than 50 serious injuries, (iv) directly cause economic losses of more than RMB 50 million, (v) directly affect the personal data of more than a million people, or (vi) result in the disclosure of the sensitive information of a large number of institutions and enterprises.
The data localisation requirement applies to all types of data collected on ‘critical information infrastructure’ and not only to personal data. (CIIOs are also required to obtain informed consent for personal data transfers notwithstanding that they have received regulatory approval.)
The designated authorities have yet to be announced, and no detailed procedures have been implemented yet for filing security assessment reports and obtaining regulatory approval. The designated authorities are expected to be the CAC and departments of the State Council (primarily the Ministry of Industry and Information Technology), but may also include sectoral regulators. Regulators are authorised to carry out on-site inspections and also to monitor data exports remotely.
Data localisation requirements in other laws
Data localisation is not a new concept in China. Existing data localisation provisions are contained in sectoral regulations in the banking, insurance and healthcare industries:
- Under a Notice of the People’s Bank of China (the PBoC) effective 21 January 2011, financial personal data relating to Chinese citizens collected within China is required to be stored, processed and analysed within China. Banks in China are not permitted to transfer the personal financial information of Chinese citizens to any other country without the approval of the PBoC except if permitted by separate rules or regulations. The Shanghai branch of the PBoC issued implementing rules (18 May 2011) that clarify that PRC branches of foreign banks may transfer client information to their overseas headquarters, parent bank and subsidiaries for storage, processing and analysis if certain criteria are satisfied.
- The China Insurance Regulatory Commission has issued various regulations requiring business and financial data of insurance companies to be stored within China. Insurance companies are also required to have independent data storage systems and remote backup facilities in China.
- The National Health and Family Planning Commission’s Administrative Measures on Management of Population Health Information (5 May 2014) prohibit the export of personal data by health and family planning institutions in China. These institutions are also prohibited from storing medical information on servers outside of China.
In addition, the recently released draft Measures for the Information Technology Management of Securities and Funds Operators (effective 5 May 2017) propose data localisation obligations applicable to securities and funds operators.
Data protection obligations under the PI Security Specification
The PI Security Specification lays down non-binding guidelines and does not impose penalties for breach. It is nevertheless a highly regarded source of rules and a reliable means to demonstrate compliance with all of China’s various data protection rules. It has been acknowledged that the Specification was drafted with reference to the European General Data Protection Regulation (GDPR).
While many of the provisions in the PI Security Specification are limited to elaborating on basic principles for processing personal data, such as principles of accountability, clarity, consent, data minimisation and proportionality, etc, this note will highlight some of the more concrete provisions that either extend or clarify enforceable obligations in underlying law and regulation.
The PI Security Specification requires data controllers to conduct an impact assessment at least once a year or in conjunction with any major change in their operating model, information systems or following a data security incident. This requirement is more limited than under the GDPR, where impact assessments are generally required for each large-scale data processing project.
The impact assessment should consider, among other things, whether the organisation’s data processing activities have an adverse impact on the lawful rights and interests of data subjects, including harm to personal security or reputation, or could lead to discriminatory treatment. Other matters to be reviewed include the effectiveness of information security measures, the risk that a concentration of anonymised and de-sensitised personal data might lead to re-identification and the adverse impact of transfers of personal data.
Sensitive personal data
The PI Security Specification distinguishes between general and ‘sensitive’ personal data. Sensitive personal data is defined as personal data that, if disclosed or illegally processed might endanger personal and property security, damage personal reputation, or physical or psychological health, or lead to discriminatory treatment, etc. Sensitive personal data may include personal ID card numbers, biometric data, bank account numbers, personal communications, credit records, geolocation data and health data, as well as the personal data of children under the age of 14 years.
The data subject’s express consent in writing or through other affirmative action is required to collect sensitive personal data (i.e. opt-in). Consent must be fully informed and involve a clear and definitive expression of intent. However, tacit consent is sufficient when collecting personal data that is not sensitive (i.e. non-objection by the individual).
Organisations are not permitted to collect the sensitive personal data of children (under 14 years old) without the express consent of the child’s parents or other legal guardians.
The PI Security Specification also lays down specific requirements for the design of information systems that collect or hold sensitive personal data. Systems should be designed to automatically track the usage of sensitive personal data and provide for encryption.
Data collection and processing
The consent requirements are subject to certain exemptions, including where the collection and use of personal data is necessary for the purposes of performing a contract at the request of a data subject or to discover faults in a product or service. Other exceptions include criminal investigations and law enforcement. Unlike in some systems of law, personal data that the data subject has made public is no longer protected.
New rights of Data Subjects
In addition to the data access and correction rights granted under various laws and regulations, the PI Security Specification introduces for the first time various new rights comparable to the individual rights under GDPR.
Right of erasure
Data subjects have the right to ask the personal data controller to cease all use and to erase personal data if the personal data controller has breached its legal obligations or an agreement with the data subject (comparable to the GDPR’s right to be forgotten). The same right extends to information in the possession of data processors.
Personal data should also be deleted or anonymised when users close down accounts.
Right of data portability
Data subjects also have the right to have personal data ported to a third party if technically feasible (comparable to the GDPR’s ‘right of data portability’). This right is of more limited scope than under the GDPR, applying only to (i) basic personal data and personal identity information, (ii) health and physiological information, and (iii) education and employment information.
The PI Security Specification sets an expectation of 30 days for a response to an access, correction, erasure or data portability request as standard. In contrast, the time limit under the GDPR can be as long as three months, taking into account the complexity and number of requests.
Automated decision making
An appeal mechanism must be provided in relation to automated decisions that directly impact the rights and interests of a data subject (a variation on the approach taken under the GDPR with the right not to be subject to automated decision making). The examples given in the Specification are automated credit rating decisions and screenings of job applicants.
Data controllers are required to conduct a risk impact assessment before engaging a third party data processor, to ensure that the data processor is able to ensure data security. Data controllers are required to conduct oversight of the processor, including by auditing the processor’s activities.
Processors also have a number of direct obligations under the PI Security Specification, including a requirement to strictly follow the data controller’s instructions, obtain its authorisation before engaging a sub-processor and to delete all personal data at the end of the engagement.
Organisations should formulate a contingency plan for data incidents and organise incident response training and contingency drills at least once a year.
Data protection obligations under other PRC laws and regulations
Telecommunications and internet information service providers
Telecommunications and internet information service providers are subject to additional personal data protection obligations under the Provisions on Protecting the Personal Information of Telecommunication and Internet Users (effective 16 July 2013).
Telecommunications and internet information service providers are required to establish a user complaint mechanism and reply to complaints concerning personal data protection within 15 days. They are also required to inform users about the channels through which they may consult and make corrections to their personal data.
Where telecommunications and internet information service providers transfer personal data to direct user-facing third parties (e.g. for their marketing or technical services), they must supervise the transferee to ensure the protection of the transferred personal data. They must stop collecting users’ data after they have discontinued the service, and provide users with deregistration services.
Under the Administrative Provisions on Information Services of Mobile Internet Application Programs (effective 28 June 2016), App providers must clearly indicate to customers if they are collecting geolocation data, accessing address books on their smartphones, or making use of cameras or activating audio recording or other functions, and obtain the user’s consent. The Provisions also prohibit the activation of functions that are unrelated to the service or the bundling of unrelated applications.
Under the new E-Commerce Law, which will come into effect on 1 January 2019, e-commerce operators are required to delete a user’s personal data if they cancel his or her account unless the terms and conditions of the site allow retention for a longer period.
In addition to the obligations on all network operators under the Cyber Security Law, e-commerce providers must implement specific technical measures to ensure the security and normal operation of an e-commerce network and to respond effectively to cyber incidents. They must also prepare emergency response plans to manage incidents and report the incidents to the competent authority.
The Consumer Protection Law (revised with effect on 25 March 2014) prohibits businesses from sending commercial information to consumers that they have not requested or consented to receiving, or where they have expressly objected to receiving the direct marketing.
The Measures for the Administration of Email Services (effective 30 March 2006) prohibit the sending of any email containing commercial advertisements without (i) the recipient’s clear consent, and (ii) including the word ‘Ad’ or the Chinese word for ‘advertisement’ in the email subject. If a recipient subsequently opts out from receiving commercial advertisements, the sender must stop sending them.
Penalties under the Cyber Security Law
Penalties for infringements of the core data protection provisions of the Cyber Security Law may include a fine of up to 10 times the amount of unlawful gains or a fine of up to RMB 1,000,000. Persons in charge of data protection compliance within an organisation, and other responsible individuals, may be separately subject to a fine of between RMB 10,000 and 100,000, or between RMB 50,000 and 500,000 for serious cases.
The Interpretations of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens’ Personal Information (effective 1 June 2018) set out certain circumstances in which the unauthorised collection, transfer or receipt of personal data will constitute a criminal offence under the PRC Criminal Law, and the associated penalties.
For example, the establishment of websites or communication groups for obtaining, selling or transferring personal data can be punished upon conviction by a fine of up to five times the illegal proceeds, and imprisonment for up to three years. A person convicted of illegally obtaining personal data concerning communication records, health information or credit or asset information can be punished by a fine of up to five times the illegal proceeds and imprisonment for up to seven years.