Originally published on the WeChat public account (瑞中法协): A 15-Step Guide to Data Protection in China
Ever since the PRC Cybersecurity Law (CSL) came into effect on 1 June 2017, China has accelerated its data protection and cybersecurity legislation. Enforcement has gradually been normalised. Meanwhile, the landmark Civil Code – effective as of next year – further strengthens privacy protections from a civil rights perspective. Overall, China is becoming one of the important jurisdictions for data protection and privacy worldwide.
This article gives an overview of data protection, privacy and cybersecurity issues that are common and of concern to enterprises that do business in China. We hope to assist enterprises – especially multinationals – to navigate the increasingly complicated regulatory regime in this field.
1. Understand the Increasingly Comprehensive Legal Regime
China has no single, unified data protection law. Rather, its data protection framework consists of a patchwork of fragmented rules found across various laws, measures and sector-specific regulations, with certain overlaps. The CSL is the first national law to address privacy protection and data security. However, quite a few uncertainties around how the law will be applied still remain. Moreover, administrative regulations, ministerial rules and national standards have been introduced by authorities to assist the law’s implementation. More and more national standards have been introduced, including the Personal Information Security Specification. Such standards are recommended best practice and not legally binding. Nevertheless, law enforcement authorities have leant heavily on such standards to enforce the CSL. Moreover, as the Personal Information Protection Law and the Data Security Law are being formulated, China’s data protection legal regime is expected to become increasingly thorough.
2. Comprehensive Regulatory Authorities
Public enforcement in China presents a polycentric landscape, since there is no single data protection or cybersecurity agency. Specifically, the four major authorities involved are the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation, as well as their local counterparts. In addition, sectoral authorities like the National Health Commission take charge of supervising and administering data protection within their respective fields.
3. App Operation and Privacy Policy
4. Multi-Level Protection 2.0
The Multi-Level Protection Scheme requires networks to carry different degrees of protection according to their significance and the severity of the harm that would be caused were they to be damaged. Since 2017 the CSL has mandated that China implement multi-level cybersecurity protections. This unveiled the prelude to “Multi-Level Protection 2.0”. Under this scheme, three important national standards came into force in 2019. It is mandatory for network operators to submit a Multi-Level Protection filing to regulators. Enforcement activities against failure to file are on the increase and should be paid attention to.
5. CIIO Determination
According to the CSL, critical information infrastructure operators (CIIOs) shall be subject to higher cybersecurity requirements and stricter restrictions on cross-border data transfer, compared with general network operators. Meanwhile, the CSL provides that critical information infrastructure (CII) shall refer to networks or systems that involve public communication and information services, energy, transportation, water resources, finance, public services and e-government affairs. They should protect against “damage, dysfunction or data leakage which may severely endanger national security, national economy and the people’s livelihood, or public interests”. However, as these definitions are quite general, specific rules on CII/CIIO determination are likely to be clarified further in the future.
6. Data Localization and Data Cross-border Transfer
Pursuant to Article 37 of the CSL, CIIOs bear an obligation of data localisation, under which important data and personal information collected and generated during the CIIOs’ operation in China shall be stored in China. Where such data has to be transferred abroad for business purposes, a security assessment shall be conducted pursuant to the relevant rules. Following the CSL, three draft supplementing regulations and guidelines were issued, which expand the applicable scope of security assessment from CIIOs to general network operators. But none have yet been finalised. Besides, sectoral restrictions on data exports shall be noted when dealing with special categories of data, such as “human genetic resources”.
7. Data Protection Impact and Business Innovation
Similar to the data protection impact assessment and privacy by design under the EU General Data Protection Regulation, China’s national standard Personal Information Security Specification (PISS) introduces mechanisms for “personal information security impact assessment” and a “personal information security project”. Such mechanisms require enterprises to assess the possible impacts on personal information in advance. They should integrate privacy into their business innovations so that potential privacy risks can be identified and solved at an early stage. Notably, such national standards have no legal force, but reference to them is highly significant in practice.
8. Data Protection Officers and Data Governance
Although the concept of a Data Protection Officer has no identical counterpart in Chinese law, relevant laws and regulations demand “data security positions”. For example, the CSL requires the designation of a “person in charge of network security”. Similarly, the Provisions on Children’s Online Personal Information Protection require a “person in charge of children’s personal information protection” to be designated. Additionally, the latest PISS, effective as of 1 October 2020, clarifies requirements and criteria for designating a department and personnel responsible for personal information protection, as well as their responsibilities.
9. IT Global Procurement and Local Adaptation
In terms of global IT procurement, special attention should be paid to the server locations of network products and services, as they may involve cross-border data transfers. Furthermore, if a company is a CIIO, greater requirements must be followed. The CSL requires that any purchase of network products and services by CIIOs that may impact national security shall be subject to a security review procedure. The Measures on Cybersecurity Review – effective from 1 June 2020 – elaborate the applicable scope, procedure and factors of such cybersecurity reviews.
10. Data Breach and Cybersecurity Incident Response
The CSL requires network operators to develop an emergency response plan for cybersecurity events. They must respond promptly to security risks such as system bugs, computer viruses, network attacks and intrusions. In the event of a threatened cybersecurity breach, the operator concerned shall immediately initiate the emergency plan and take corresponding remedial actions. They shall also report the event to the relevant competent authority. On this basis, CIIOs shall also organise regular cybersecurity emergency response drills. On top of this, a draft CII regulation provides that the competent authorities of industries and sectors shall establish their own warning and information reporting systems and emergency response plans for CIIs. Therefore CIIOs will be required to pay attention to the relevant requirements made by the sectoral authorities as well.
11. Sectoral Regulation
The CSL and its supporting regulations are generally applicable to all walks of life. However, different industries may have different degrees of emphasis according to their respective characteristics, especially those handling sensitive information. For example, in health care, pharmaceutical data, medical records and other health care-related data shall be protected according to the relevant departmental rules. Similarly, finance, education, transportation and other industries have their own sectoral regulations on data protection, which shall be complied with by enterprises in those industries.
12. Criminal Enforcement of Data Protection
Infringing citizens’ personal information may incur criminal liability. The violating company may be fined, and persons directly responsible may be sentenced to up to seven years in prison or given fines and life bans on holding certain critical positions. As such, effective compliance policies should be introduced and implemented to distinguish corporate behaviour from employees’ individual behaviour. Besides, Chinese criminal law stipulates “refusing to perform the obligations of information network security management” as a crime, under which the failure to perform relevant obligations, such as multi-level protection filing, may lead to fines against the company. Persons directly responsible or in charge may be sentenced to fixed-term imprisonment of not more than three years, detention or public surveillance, and fines.
13. Corporate Liabilities and Exposure to Senior Management
Under the CSL, a failure to comply with the relevant data protection and cybersecurity requirements may result in harsh administrative penalties for both companies and directly responsible individuals. Specifically, the violating company may be warned and ordered to make rectifications; have illegal gains confiscated; be subject to suspension of business, website shutdown and/or business licence revocation; and be fined up to RMB 1 million (roughly USD 146,200). Furthermore, such penalties will be recorded in the company’s credit file and made public. Meanwhile, directly responsible persons may be warned, detained, fined up to RMB 100,000 (USD 14,620) and prohibited from holding key positions in cybersecurity for up to five years.
14. Big Data and Competition
Data has been recognised as a factor of production at the national level, and the idea of data assets is widely accepted. Companies now compete for data assets, and the battles over data present legal issues concerning ownership and competition law. Although the relevant laws lag behind, in practice some emerging rules have been drawn up to help define the boundary of what can and cannot be done with data assets. These include restrictions on using web crawler technology found in civil litigation. It is expected that the traditional rules under the existing competition laws and regulations will be adjusted and updated to apply to the digital realm in the future.
15. Private Enforcement and Collective Redress
Private litigation is always a powerful weapon for big corporations, not least where data is concerned. In recent years, due to an increasing awareness of the importance of personal information protection, individuals are coming forward to bring cases to the courts. This makes data compliance more pressing than ever before. Notably, public interest litigation (PIL) under the PRC Consumer Interests Protection Law has emerged to seek collective redress. Although PILs over data protection are still in their infancy in terms of quantity, it is predicted that their numbers will continue to grow alongside the development of China’s data protection regime.
Conclusion and Looking Forward
The Covid-19 pandemic has accelerated the digital transformation of most industries. Enterprises may thus face intensive compliance issues regarding data protection. Therefore, we suggest undertaking a comprehensive examination to identify and avoid any potential risks at an early stage. With the future promulgation of the Personal Information Protection Law and the Data Security Law, businesses may face even greater challenges regarding data compliance. It is time to take China’s data privacy and cybersecurity laws more seriously than ever.