On November 14, 2021, the Cyberspace Administration of China (CAC) released draft Regulations on the Management of Online Data Security (the “Regulations”) for China’s data privacy and security laws, including the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL). Consistent with those laws, the Regulations apply broadly to processing activities of individuals and organizations both within and outside of China. The Regulations contain many principles similar to those set forth in other comprehensive data privacy and security laws, such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA); however, there are material differences that, if published, would reshape privacy and security compliance for many businesses.
Here are some key takeaways:
Data Breach Reporting
The Regulations provide further guidance on specific notification timelines for data processors, which are “individuals and organizations that independently determine processing purposes and processing methods in data processing activities,” similar to the GDPR’s definition of “data controller.” (Article 73(5)). Such notification timelines were absent from the PIPL and CSL, and vague in the DSL (which requires “prompt” notice). The Regulations, however, do not offer any clarity regarding the notification timelines for “entrusted parties” (entities that process personal information on behalf of the data processor, similar to the GDPR’s definition of “data processor”). For data processors, the timelines are aggressive and the scope of the obligation is much broader than under breach notification laws in other jurisdictions.
If a security incident causes harm to individuals or organizations, the data processor shall notify the interested party within three working days. (Article 11). While three working days is certainly a very tight timeline, as many EU organizations can attest given the GDPR’s 72-hour notification timeline, the expansiveness of the breach notification requirement is most notable:
- There is no mention of the type of data compromised in the security incident, such as personal information (as defined in Article 4 of the PIPL) or important data (as defined in Article 73(3) of the Regulations). The trigger for notification is whether the security incident “causes harm,” irrespective of the type of data.
- The Regulations do not define what “causes harm to individuals or organizations.” (emphasis added). Failure to define “causes harm” may cause particular confusion in the case of security incidents affecting organizations. The GDPR and many U.S. state breach notification laws contain a “risk of harm” concept, which may serve as a guidepost, but that concept is limited to individuals, not organizations.
- Extending notification obligations to security incidents that cause harm to organizations, not just individuals, is a material departure from breach notification laws in other jurisdictions and will likely require companies to revise their incident response plans accordingly.
Interestingly, the method of notification is also expansive: data processors may notify impacted individuals or organizations via telephone or email, as well as through more informal channels such as text message or instant messaging. Notification via text message or instant message may present recordkeeping challenges for companies. If a company plans to use such informal channels, it will be important to implement tools to track those communications, as the records may be needed later (e.g., in the event of litigation).
Further, in the event of a data security incident involving important data or the personal information of more than 100,000 people, data processors must report the basic information of the incident, including the data volume, types, possible impact, and remedial measures taken or to be taken, to the municipal CAC and relevant competent departments within eight hours of the occurrence of the incident. (Article 11). Practically, compliance with such an eight-hour notification timeline seems nearly impossible, as it typically takes more than eight hours to compile even basic information about an incident, let alone the volume, types, possible impact, and remedial measures.
The Regulations also require data processors to submit an assessment report to the municipal CAC and relevant competent departments within five working days after the incident is handled, addressing the cause of the event, harmful consequences, handling of responsibility, and remediation measures. It is unclear whether such assessment reports will remain confidential or whether the government will publicize them.
Data Subject Requests
Data processors must respond to data subject requests within 15 working days and provide a “convenient method and channel to support” such requests. (Article 23). The Regulations do not clarify what would qualify as a convenient method and channel to support such inquiries, or whether multiple options (such as email, phone, and/or a website form) must be provided.
Important Data
The concept of “important data” originally appeared in the CSL, which required network operators to implement specific technical measures to protect important data. Three years later, the DSL imposed additional obligations on all companies handling important data, but neither law (nor the PIPL) included a definition of important data. Article 73(3) of the Regulations provides the much needed definition, limiting “important data” to data that might endanger national security or the public interest if altered, destroyed, leaked, or illegally obtained or utilized. The Regulations include helpful, yet broad, examples such as “[g]overnment affairs that have not been disclosed, work secrets, intelligence data, and law enforcement or judicial data; [...] export control data; data related to core technology, design plans, and product techniques and so forth involved in export control items,” amongst other categories.
Data processors that share, sell, or entrust the handling of important data to a third party must obtain the consent of a competent department at the districted-city level. (Article 33). Details of the approval and consent process remain unclear. Without further clarity, data processors will be put in a difficult and potentially perilous financial position, as it is commonplace for companies to share and entrust data with third parties, and any such violation may result in a fine of up to RMB 2,000,000. (Article 62). Hopefully, further drafts of the Regulations will provide clarity regarding the consent process.
Cross Border Data Transfers
There are two important developments related to cross-border transfers:
- Data processors may transfer personal information outside of China to fulfill contractual requirements without meeting China’s extensive prerequisites, which include passing a safety assessment administered by the CAC and entering into standard contractual clauses (as provided by the CAC), amongst other compliance measures. (Article 35). Such a contractual exemption was absent from the CSL, DSL, and PIPL and will likely be welcome news for companies transferring data outside of China.
- In what is likely to be received as not so welcome news, data processors that transfer personal information and important data outside of China will be required to submit an annual report to the appropriate network information department by January 31st of each year; such report shall include the contact information of all data recipients, the type and volume of data, the purpose of the cross-border transfer, the location where the data is stored overseas, and information on onward data transfers, among other details. (Article 40). The Regulations further emphasize the importance of maintaining comprehensive data mapping of all data processing activities, particularly those involving personal information and important data.
Cybersecurity Assessment for Corporate Activities
Perhaps the most controversial provision of the Regulations, Article 13, indicates potential barriers for current or future corporate activities involving businesses in China. Specifically, data processors must undergo a cybersecurity review by the relevant national regulators in the following circumstances:
- An Internet platform operator that processes and controls a large amount of data related to national security, economic development, or public interests, that affects or may affect national security, is seeking a merger or corporate reorganization;
- A data processor that processes the personal information of 1,000,000 or more individuals is looking to undertake an initial public offering (IPO) outside of China. Such organizations will also need to submit an annual data security evaluation to the CAC by January 31 of each year. (Article 32).
- A data processor looking to undertake an IPO on the Hong Kong stock market impacts or may impact national security; or
- Any “Large Internet Platform Operator” establishes headquarters, operations, or development centers outside of China. A “Large Internet Platform Operator” refers to an Internet platform operator that has more than 50 million users, handles a large amount of personal information and important data, and has strong social mobilization capabilities and a dominant market position. (Article 73(10)).
Effectively, Article 13 appears to serve as a means for the CAC to pre-approve many Chinese businesses planning corporate activities outside of China, which could throttle Chinese companies in the global market. This approval process comes on the heels of the CAC’s recent cybersecurity probes of multiple China-based companies that issued IPOs in the U.S. this past year.
The Regulations cover a wide range of compliance areas, not all of which are addressed above. In summary, while the Regulations are still in draft form (the CAC is soliciting comments through December 13, 2021), all indications point towards the DSL, CSL, and PIPL having far-reaching implications, requiring businesses to materially revamp their compliance programs to meet China’s onerous data privacy and security laws.