On November 14, 2021, the Cyberspace Administration of China (CAC) published a draft Online Data Security Management Regulation (the “Regulations”) implementing China’s data privacy and security laws, including the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL). In line with those laws, the Regulations apply broadly to the processing activities of individuals and organizations both inside and outside China. The Regulations contain many principles similar to those set out in other comprehensive data privacy and security laws, such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). However, there are some important differences that, if adopted as drafted, would reshape privacy and security compliance for many businesses.
Here are some key points to remember:
Reporting a data breach
The Regulations provide additional guidance on specific notification deadlines for data processors, which are “individuals and organizations that independently determine the purposes and methods of processing in data processing activities” (Article 73, paragraph 5), similar to the GDPR’s definition of “controller”. Such notification deadlines were absent from the PIPL and CSL and vague in the DSL (which requires “prompt” notice). The Regulations, however, offer no clarity regarding notification deadlines for “relying parties” (an entity that processes personal information on behalf of the processor, similar to the GDPR’s definition of “processor”). For data processors, these deadlines are aggressive and far broader in scope than the breach notification laws of other jurisdictions.
If a security incident causes harm to individuals or organizations, the data processor must notify the affected individuals or organizations within three working days (Article 11). While three working days is certainly a very tight deadline, as many organizations in the EU can attest given the GDPR’s 72-hour notification deadline, the scope of the breach notification requirement is what stands out most:
- There is no reference to the type of data compromised in the security incident, such as personal information (as defined in Article 4 of the PIPL) or important data (as defined in Article 73(3) of the Regulations). The trigger for notification is simply whether the security incident “causes damage”, regardless of the type of data involved.
- The Regulations do not define what constitutes “harm to individuals or organizations” (emphasis added). The absence of a definition of “causes damage” is likely to create particular confusion for organizations handling security incidents. The GDPR and many US breach notification laws contain a “risk of harm” concept that can serve as a guide, but that concept is limited to individuals and does not extend to organizations.
- Extending notification obligations to security incidents that harm organizations, not just individuals, is a significant departure from breach notification laws in other jurisdictions and will likely require companies to revise their incident response plans accordingly.
Interestingly, the permitted methods of notification are also expansive: data processors may notify affected individuals or organizations by phone or email, as well as through more informal channels such as text messages or instant messaging. SMS or instant messaging notification can present record-keeping challenges for businesses. If a business plans to use such informal channels, it will be important to implement tools that track these communications, as such records may be needed later (for example, in the event of future litigation).
In addition, in the event of a data security incident involving important data or the personal information of more than 100,000 people, data processors must report the basic facts of the incident, including the volume and types of data, the possible impact, and the corrective actions taken or to be taken, to the municipal-level CAC and the relevant competent departments within eight hours of the incident (Article 11). In practice, meeting an eight-hour deadline seems almost impossible: it usually takes more than eight hours to compile even basic incident information, let alone the volume and types of data, the possible impact, and corrective measures.
The Regulations also require data processors to submit an assessment report to the municipal-level CAC and the relevant competent departments within five working days of the incident being handled, addressing the cause of the incident, its harmful consequences, the allocation of responsibility for handling it, and corrective actions. It is not clear whether these assessment reports will be kept confidential or whether the government will publish them.
Requests from the data subject
Data processors must respond to data subject requests within 15 business days and provide a “convenient method and channel to support” those requests (Article 23). The Regulations do not specify what counts as a convenient method and channel for responding to such requests, or whether several options (such as email, telephone, and/or a web form) must be offered.
The concept of “important data” first appeared in the CSL, which required network operators to implement specific technical measures to protect important data. Three years later, the DSL imposed additional obligations on all companies processing important data, but neither law (nor the PIPL) defined the term. Article 73(3) of the Regulations supplies the much-needed definition, limiting “important data” to data that could endanger national security or the public interest if altered, destroyed, disclosed, or illegally obtained or used. The Regulations include useful but general examples, such as “[g]overnment business that has not been disclosed, trade secrets, intelligence data, and police or judicial data; […] export control data; data relating to basic technology, design plans and product techniques, etc., involved in the elements of export control”, among other categories.
Data processors that share, sell, or entrust the processing of important data to a third party must obtain the consent of the relevant competent department at the district city level (Article 33). The details of the approval and consent process remain unclear. Without further clarity, data processors will be placed in a difficult and potentially costly position, as it is common for businesses to share and entrust data to third parties, and any such breach can result in a fine of up to RMB 2,000,000 (Article 62). Hopefully, later drafts of the Regulations will shed some light on the consent process.
Cross-border data transfers
There are two important developments related to cross-border transfers:
- Data processors may transfer personal information outside China to meet contractual requirements without satisfying China’s extensive prerequisites, which include passing a CAC-administered security assessment and entering into standard contractual clauses (as prescribed by the CAC), among other compliance measures (Article 35). Such a contractual exemption was absent from the CSL, DSL, and PIPL and will likely be welcome news for companies transferring data outside China.
- In what is likely to be received as bad news, data processors that transfer personal information and important data outside China will be required to submit an annual report to the relevant cyberspace administration authority by January 31 of each year. The report must include the contact details of all data recipients, the type and volume of data, the purpose of the cross-border transfer, the location where the data is stored abroad, and information on any onward transfers, among other details (Article 40). This further underscores the importance of maintaining a complete data map of all data processing activities, particularly the processing of personal information and important data.
Cybersecurity assessment for business activities
Perhaps the most controversial provision of the Regulations, Article 13, signals potential obstacles to current or future business activities involving companies in China. Specifically, data processors must undergo a cybersecurity review by the relevant national regulators in the following circumstances:
- An Internet platform operator that processes and controls a large amount of data related to national security, economic development or public interests, which affects or may affect national security, seeking a merger or corporate reorganization;
- A data processor that processes the personal information of 1,000,000 or more people and seeks to undertake an Initial Public Offering (IPO) outside China. These organizations will also be required to submit an annual data security assessment to the CAC by January 31 of each year (Article 32);
- A data processor seeking to undertake an IPO on the Hong Kong Stock Exchange that has or may have an impact on national security; or
- Any “large Internet platform operator” that establishes headquarters, operations, or development centers outside China. A “large Internet platform operator” is an Internet platform operator with more than 50 million users that processes a large amount of personal information and important data, has strong social mobilization capabilities, and holds a dominant market position (Article 73(10)).
In effect, Article 13 appears to give the CAC a way to pre-approve many Chinese companies’ planned business activities outside China, which could stifle Chinese companies in the global market. This approval process follows the CAC’s recent cybersecurity investigations of several China-based companies that completed IPOs in the United States last year.
The Regulations cover a wide range of compliance areas, not all of which are addressed above. In summary, while the Regulations remain in draft form (the CAC is accepting comments until December 13, 2021), all indications are that the DSL, CSL, and PIPL will have far-reaching implications, forcing companies to dramatically revamp their compliance programs to meet China’s onerous privacy and data security requirements.