China’s Draft Cybersecurity Measures Suggest Increased Focus on Data Security
On 28 May 2019, the Cyberspace Administration of China (CAC) released the “Data Security Management Measures (Draft for Comments)” (Draft Measures) (unofficial English translation here), containing detailed rules to expand regulations beyond the Cybersecurity Law 2016, which came into effect on 1 June 2017. The Draft Measures mainly focus on protective measures for personal information and “important data,” which affects national security, economic security, social stability, and public health and safety.
The new measures also adopt a broad EU-style definition of personal information, require user’s explicit consent for data collection and use, registration of collection of important or sensitive data, government approval for certain cross-border data transfers, and breach notification to Chinese regulatory authorities and affected individuals.
Background and Protective Measures
The Draft Measures have raised broad public concern and discussion because they would impose stricter regulatory requirements for data protection on almost all companies in China. Combined with a series of legislation and official guidelines released by regulatory authorities, such as the national standards related to the Cybersecurity Multi-Level Protection Scheme, the Draft Measures suggest that China is accelerating and strengthening its control over cybersecurity and data protection.
Although the Draft Measures are still at the public consultation stage and may be subject to further revisions, companies should carefully revisit and evaluate their data protection practices from both a technical and legal perspective.
For companies with operations in China, this would include taking the following precautions:
Conducting a thorough data inventory to have a holistic and in-depth understanding of the personal information and important data held in or used by China entities;
Identifying and revisiting the new technologies used in collection and process of personal information, especially related to artificial intelligence (AI), from data compliance perspective;
Paying special attention to the intra-group cross-border data transfer of personal information and preparing for readjustment of global data strategies.
Scope of the Draft Measures
The Draft Measures cover data collection, storage, transmission, processing, use and other operations through networks, as well as data security protection and supervision, excluding family or personal use—and thus cover practically all companies with operations in China.
One type of data protected under the Draft Measures is personal information, which is widely defined in China as “information which is recorded in electronic or any other form and used alone or in combination with other information to recognize the identity of a natural person.” The Draft Measures provide many details on how to compliantly collect, store, transfer or delete personal information.
The Draft Measures also cover “important data,” which is another significant protection object under the Law, defined as “data the leakage of which could directly impact national security, economic security, social stability, public health, and safety.” Under the Draft Measures, the collection, usage and transfer of important data will face registration and localisation requirements.
More Stringent Statutory Requirements
To further clarify companies’ statutory obligations in the protection of personal information and important data, the Draft Measures combine existing regulations, recommendations and other draft proposals in a consistent and logical manner, and cover the entire lifecycle of data with higher protection standards.
Protection of Personal Information
Protection of Important Data
In accordance with the Draft Measures, a new record filing obligation must be fulfilled prior to the collection of important data for business purposes. If companies wish to collect and use important data for business purposes, they should submit a record filing application to local cyberspace authorities that includes the purposes, scale, types and terms of such collection and usage. Under the Cybersecurity Law and other regulations, cross-border transfers of important data only require the Critical Information Infrastructure Operator to conduct security assessments and obtain approval from supervisory authorities before providing important data outside of China. In comparison, the Draft Measures would substantially increase legal obligations and require that all companies conduct assessments and obtain approval from supervisory authorities. The relevant authorities are expected to make further clarifications regarding the record filing and approval procedures after the Draft Measures take effect.
Designation of Data Security Responsible Person
In addition to the “cybersecurity responsible person” required under the Cybersecurity Law, Article 16 of the Draft Measures sets out mandatory conditions to assign a “data security responsible person.” If a company collects important data or personal and sensitive information for the purpose of its operation, it should designate a data security responsible person. A data security responsible person would be responsible for the preparation and implementation of data protection plans, conducting data security risk assessments, reporting the handling status of data security events, and processing complaints and tipoffs from users. The roles and functions of the cybersecurity responsible person and the data security responsible person overlap to a certain extent, although the data security responsible person should assume more responsibilities for protection of personal information and important data. Further clarifications on the respective duties and powers will be necessary for implementation purposes.
Protection of Children’s Personal Information
The Draft Measures also reiterate the protection of children’s personal information. Article 14 stipulates that the collection of personal information of children under 14 years old should be based on consent from their guardians. Coupled with CAC’s draft measures on the collection, storage, use, transfer and disclosure of children’s personal information, which were released on 31 May 2019, the Draft Measures reflect a clear trend of Chinese authorities imposing more restrictive protection requirements on the collection and use of children’s personal information, and attaching heavier punishment for violations of such obligations.
The Draft Measures also contain several brand-new regulations focusing on specific areas, such as web crawlers and content generated by AI.
In practice, it is common for companies to buy or develop their own crawler to collect and use publicly available information from other websites. However, uncontrolled crawling could disrupt the operations of the data provider, or even the entire network once traffic reaches a certain limit. Considering such, Article 16 of the Draft Measures sets out the maximum crawling limit for a company, which should be within one third of the crawled website’s daily average traffic, in order to prevent any potential obstructing effects on website operation. Once a company reaches the limit, the website being crawled has the right to request that the crawler immediately stop. However, the Draft Measures do not provide further details regarding how to define and calculate the daily traffic of a website, or what measures the crawled website can adopt to protect its virtual property.
AI-generated content can often be seen on the internet, particularly for the purposes of business promotion on social media platforms. However, such practice could face compliance challenges, as Article 24 of the Draft Measures stipulates that news, blogs, tweets or comments generated from Big Data or AI should be clearly marked “synthetic”, specifically when being displayed. This will affect many companies’ business models, and they may need to reconsider the costs of providing auto-generated information on public platforms.
Article 29 of the Draft Measures stipulates that when users in China access local Chinese websites, their traffic should not be routed to servers outside of China. The article could be interpreted as a type of localisation requirement, since data transmitted or exchanged within China can sometimes contain important data or personal information that should be localised within the territory of China, and cross-border transfer of such data should also be approved by competent cyberspace authorities.
Nevertheless, further clarifications should be made, especially on whether the telecommunication service providers or the owners of the websites/apps should assume such obligations and responsibilities.
Explicit Obligations to Provide Data to Chinese Authorities
Article 36 of the Draft Measures clearly stipulates that network operators should provide national authorities with data collected to fulfil the purposes of maintaining national security, society management and economic control upon request from these authorities. This provision requires all companies to upgrade and implement effective information governance systems for the purposes of actively cooperating with competent authorities and fulfilling regulatory requirements in China.
The release and publication of the Draft Measures, along with other draft regulations mentioned above, clearly indicate that China is progressing towards establishing a comprehensive legislation structure to control and regulate cyberspace.
Although these drafts are yet to come into force and could be subject to further revisions, companies should consider upgrading their data compliance practices. For example, companies should explore readjusting global data strategies top-down, coordinating responsibilities between different internal departments, and selecting and applying advanced technical solutions in order to prepare for the new trend of Chinese cybersecurity and data compliance.