On November 14, 2021, the Cyberspace Administration of China (CAC) released draft Regulations on the Management of Online Data Security (the “Regulations”) for China’s data privacy and security laws, including the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL). Consistent with such laws, the Regulations broadly apply to processing activities of individuals and organizations within China and outside of China. The Regulations contain many similar principles to those set forth in other comprehensive data privacy and security laws, such as the EU’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), however, there are material differences that, if published, would reshape privacy and security compliance for many businesses.
Here are some key takeaways:
Data Breach Reporting
The Regulations provide further guidance on specific notification timelines for data processors, which are “individuals and organizations that independently determine processing purposes and processing methods in data processing activities,” similar to GDPR’s definition of “data controller.” (Article 73(5)). Such notification timelines were absent from the PIPL, CSL, and vague in the DSL (requiring “prompt” notice). The Regulations, however, do not offer any clarity regarding the notification timelines for “entrusted parties” (an entity that processes personal information on behalf of the data processor, similar to GDPR’s definition of “data processor”). For data processors, such timelines are aggressive and much broader in scope, in comparison to breach notification laws in other jurisdictions.
If a security incident causes harm to individuals or organizations, the data processor shall notify the interested party within three working days. (Article 11). While three working days is certainly a very tight timeline, which many EU organizations can attest to given GDPR’s 72-hour notification timeline, the expansiveness of the breach notification requirement is most notable.
- There is no mention of the type of data that was compromised in the security incident, such as personal information (as defined in Article 4 of the PIPL) or important data (as defined in Article 73(3) of the Regulations). The trigger for such notification lies in whether such security incident “causes harm,” irrespective of the type of data.
- The Regulations do not define what “causes harm to individuals or organizations.” (emphasis added). Failure to define what “causes harm” may cause particular confusion in the case of security incidents to organizations. GDPR and many U.S. state breach notification laws contain a “risk of harm” concept, which may serve as a guidepost, but the “risk of harm” concept is limited to individuals, not organizations.
- Extending notification obligations for security incidents that cause harm to organizations, not just individuals, is a material departure from breach notification laws in other jurisdictions and will likely require companies to revise their incident response plans accordingly.
Interestingly, the method of notification is also expansive; data processors may notify the impacted individuals or organizations via telephone, email, as well as more informal communication channels, such as text message or instant messaging. Notification via text message or instant message may present challenges for companies, from a recordkeeping perspective. If a company plans to utilize such informal communication channels, it will be important to implement tools to track such communications, as such records may be necessary in the future (i.e., in the case of future litigation).
Further, in the event of a data security incident related to important data or personal information of more than 100,000 people, data processors must report the basic information of the incident to the municipal CAC and relevant competent departments within eight hours of the occurrence of a security incident, including the data volume, types, possible impact, and remedial measures taken or to be taken. (Article 11). Practically, compliance with such eight hour notification timeline seems nearly impossible, as it typically takes more than eight hours to compile even basic information about the incident, let alone the volume, types, possible impact, and remedial measures.
The Regulations also require data processors to submit an assessment report to the municipal CAC and relevant competent departments within five working days after the incident is handled, addressing the cause of the event, harmful consequences, handling of responsibility, and remediation measures. It is unclear whether such assessment reports will remain confidential or if the government will publicize such reports.
Data Subject Requests
Data processors must respond to data subject requests within 15 working days and provide a “convenient method and channel to support” such data subject requests. (Article 23) The Regulations do not clarify as to what would qualify as a convenient means and channel to support such inquiries and whether multiple options must be provided (such as email, phone, and/or website form).
The concept of “important data” originally appeared in the CSL, which required network operators to implement specific technical measures to protect important data. Three years later, the DSL imposed additional obligations for all companies handling important data, but neither law (nor the PIPL) included a definition of important data. Article 73(3) of the Regulations provide the much needed definition, limiting “important data” to data that might endanger national security or the public interests if altered, destroyed, leaked, or illegally obtained/utilized. The Regulations include helpful, yet broad, examples such as, “[g]overnment affairs that have not been disclosed, work secrets, intelligence data, and law enforcement or judicial data; […] export control data; data related to core technology, design plans, and product techniques and so forth involved in export control items,” amongst other categories.
Data processors that share, sell or entrust the handling of important data to a third party must obtain consent of a competent department at the districted-city level. (Article 33). Details of the approval and consent process remain unclear. Without further clarity, data processors will be put in a difficult and potentially perilous financial position, as it is commonplace for companies to share and entrust data with third parties and any such violation may result in a fine of up to RMB 2,000,000. (Article 62). Hopefully, further drafts of the Regulations will provide clarity regarding the consent process.
Cross Border Data Transfers
There are two important developments related to cross-border transfers:
- Data processors may transfer personal information outside of China to fulfill contractual requirements, without meeting China’s extensive prerequisites, which include passing a safety assessment administered by the CAC, entering into standard contractual clauses (as provided by the CAC), amongst other compliance measures. (Article 35). Such contractual exemption was absent in the CSL, DSL and PIPL and will likely serve as welcome news for companies transferring data outside of China.
- In what is likely to be received as not so welcome news, data processors that transfer personal information and important data outside of China will be required to submit an annual report to the appropriate network information department by January 31st of each year; such report shall include contact information of all data recipients, the type and volume of data, the purpose of such cross border transfer, the location where the data is stored overseas, information on further data transfers, among other details. (Article 40). The Regulations further emphasize the importance of maintaining comprehensive data mapping of all data processing activities, particularly related to the processing of personal information and important data.
Cybersecurity Assessment for Corporate Activities
Perhaps the most controversial provision of the Regulations, Article 13, indicates potential barriers for current or future corporate activities involving businesses in China. Specifically, data processors must undergo a cybersecurity review from relevant national regulators, in the following circumstances:
- An Internet platform operator that processes and controls a large amount of data related to national security, economic development or public interests, that affects or may affect national security, seeking a merger or corporate reorganization;
- A data processor that processes personal information of 1,000,000 or more individuals and looking to undertake an initial public offering (IPO) outside of China. Such organizations will also need to submit an annual data security evaluation to the CAC by January 31 of each year. (Article 32).
- A data processor looking to undertake an IPO on the Hong Kong stock market that impacts or may impact national security; or
- Any “Large Internet Platform Operators” that establish headquarters, operations or development centers outside of China. A “Large Internet Platform Operator” refers to Internet platform operators that have more than 50 million users, handling a large amount of personal information and important data, with strong social mobilization capabilities and a dominant market position. (Article 73(10)).
Effectively, Article 13 appears to serve as a means for the CAC to pre-approve many China businesses planning corporate activities outside of China, which could throttle Chinese companies in the global market. Such approval process comes on the heels of the CAC’s recent cybersecurity probing of multiple Chinese-based companies that issued an IPO in the U.S. this past year.
The Regulations cover a wide range of compliance areas, not all of which are addressed above, however, in summary, while the Regulations are still in draft form (the CAC is soliciting comments through December 13, 2021), all indications point towards the DSL, CSL and PIPL having far-reaching implications, requiring businesses to materially revamp their compliance programs to meet China’s onerous data privacy and security laws.
For guidance related to privacy and security laws of China, please contact our Privacy, Cyber & Data Strategy Team.