GT China Newsletter: Fall 2021: Data, Privacy & Cybersecurity
Tuesday, December 7, 2021

State Council Issues Regulations on the Security Protection of Critical Information Infrastructure

The State Council promulgates the Regulations on the Security Protection of Critical Information Infrastructure (《关键信息基础设施安全保护条例》)

On Aug. 17, 2021, the State Council issued the Regulations on the Security Protection of Critical Information Infrastructure (the Regulations), which took effect Sept. 1, 2021.

The Regulations require the State to implement prioritized protection of Critical Information Infrastructure (CII), adopting measures to monitor, defend against, and handle cybersecurity risks and threats originating from within and outside China, to protect CII from attacks, intrusions, interference, and sabotage, and to punish according to law illegal and criminal activities that endanger the security of CII. No individual or organization may intrude into, interfere with, sabotage, or otherwise endanger the security of any CII. The Regulations also require CII operators (CIIOs) to establish a sound cybersecurity protection system and accountability system, and state that CIIOs bear overall responsibility for the security protection of their CII. CIIOs must prioritize secure and trustworthy products and services in their procurement activities, and any network product or service that may affect national security must pass a security review as required by the national cybersecurity regulations.

1.    Identification and Recognition of CII

Definition of CII. Article 2 of the Regulations defines CII as “the key network facilities and information systems”:

  • in important fields and industries such as 1) Public Telecommunication and Information Services, 2) Energy, 3) Traffic and Transport, 4) Water Conservancy, 5) Finance, 6) Public Service, 7) E-government, and 8) Technology and Industry for National Defense, or

  • which may seriously endanger national security, the national economy, and public livelihood and welfare once they are subject to any destruction, loss of function, or data breach.

Identification of CII. The regulators for the industries and technology fields mentioned above need to establish rules to identify CII in their respective industry jurisdictions. When drafting the identification rules, consideration must be given to the following:

  • the degree of importance of the network facility or information system to the core business of the industry or technology field;

  • the degree of damage caused by the network facility or information system’s destruction, loss of function, or data breach; and

  • related impacts on other industries or fields.

The provincial-level (or higher) regulators will then, according to the above identification rules, determine which companies or entities operate CII. The regulators will notify each CIIO of their decisions and provide a copy of the CII list to the Ministry of Public Security (MPS).

If any CII or CIIO experiences substantial change, and such change may impact its CII status, the CIIO must report to the industry regulator for a possible review.

2.    Obligations of CIIOs

The Regulations require CIIOs to “take technical protection measures and other necessary measures based on the graded protection for cyber security, respond to cyber security incidents, prevent cyber-attacks and illegal and criminal activities, guarantee the safe and stable operation of critical information infrastructure, and maintain the integrity, confidentiality and availability of data” (Article 6) in accordance with relevant PRC laws and regulations. The Regulations also impose eight specific obligations on CIIOs:

  • Each CIIO must establish a sound cybersecurity protection system and responsibility system. The top executive of CIIOs must take responsibility for the security and protection of CII.

  • Each CIIO must set up a “security management department” and conduct background checks while selecting the leadership and key personnel for this department.

  • Each CIIO must provide sufficient financial resources and staff to the security management department.

  • Each CIIO must audit its network security and assess security risks, either internally or through a cybersecurity service agency, at least once a year. Regulators may require the resulting reports.

  • CIIOs must report major cybersecurity incidents or threats to their regulators; “extremely serious” incidents or threats must be reported to national authorities, including the Cyberspace Administration of China (CAC) and the MPS.

  • CIIOs must give priority to “safe and trustworthy” network products and services in their procurements. If a network product or service supplied to a CII may impact national security, that product or service must pass the national security review process.

  • CIIOs must sign confidential agreements with product or service providers.

  • In the event of a merger, division, or dissolution, CIIOs must report to their regulators and handle the CII according to regulators’ requirements.

3.    Liabilities for Non-Compliance

Liabilities for CIIOs. Failure to fulfill the obligations mentioned above could subject the CIIO to a warning, an order to rectify, an administrative order, a monetary fine of up to RMB 1 million, or confiscation of illegal revenue, depending on the severity of the failure and the conduct of the CIIO.

Liabilities for Individuals. In addition to the liabilities CIIOs may assume as described above, the individuals directly responsible for security management, or who commit the wrongdoing, may also be subject to liabilities including:

  • a fine of up to RMB 100,000; and/or

  • administrative detention; and/or

  • prohibition from holding any key position related to network security management; and/or

  • criminal prosecution for serious violations.

Five Authorities Issue Several Provisions on Automotive Data Security Management (for Trial Implementation)

Five authorities promulgate the Several Provisions on Automotive Data Security Management (for Trial Implementation) (《汽车数据安全管理若干规定(试行)》)

Five authorities including the CAC released Several Provisions on Automotive Data Security Management (for Trial Implementation) (the Provisions), effective as of Oct. 1, 2021.

The Provisions require automotive data processors to adopt such principles as “in-vehicle processing,” “no collection by default,” “application of precision range,” and “desensitized processing,” and to avoid disorderly collection and illegal use when carrying out data processing activities. The Provisions make clear that, to process any sensitive personal information, automotive data processors must obtain consent from the individuals concerned and must conform to the specific requirements on limited purposes, reporting collection status, and terminating collection, or must meet other requirements specified by laws, administrative regulations, and mandatory national standards. The Provisions stress that if business needs require important data to be provided overseas, automotive data processors must conduct an outbound data transfer security assessment and are prohibited from providing data overseas in breach of the conclusions of that assessment. Relevant matters must be included in an annual report.

Scope of “Automotive Data”

Automotive Data refers to 1) Personal Information Data and 2) Important Data involved in the processes of design, manufacturing, sale, use, operation, or maintenance of vehicles.

Personal Information Data. “Personal Information” under the Provisions refers to any type of information related to an identified or identifiable vehicle owner, driver, or passenger, or any person outside the vehicle (e.g., facial information, license plate information) that is electronically or otherwise recorded. After anonymization, this information will no longer be deemed “personal.”

Sensitive Personal Information. The Provisions also emphasize the concept of “Sensitive Personal Information,” which is more thoroughly protected than Personal Information and requires data processors to take additional security measures.

Generally, “Sensitive Personal Information” refers to “any personal information that, once leaked or illegally used, may lead to discrimination against or grave harm to personal or property safety of a vehicle owner, driver, or passenger, or any person outside the vehicle.” Article 3 of the Provisions gives several examples of “Sensitive Personal Information,” such as 1) vehicle trajectory, 2) audio, video, and image of a certain person, and 3) biometric features (including fingerprints, voiceprints, human faces, heart rhythms, etc.) of a certain person.

Important Data. “Important Data” generally refers to data related to national security, public interests, and other major interests of people and entities in the PRC. Under the Provisions, “Important Data” includes:

  • Geographical information, flow of people or vehicles, and other data related to any important sensitive area such as a military administrative zone, national defense science and technology development entity, or party or government agency at or above the county level;

  • Traffic volume, logistics, and other data that reflects economic operation;

  • Operating data of a vehicle charging network;

  • Video or image data collected outside of a vehicle, including human facial information, license plate information, etc.;

  • Personal information involving more than 100,000 personal information subjects; and

  • Other data deemed “important” by relevant national authorities (including the CAC, the National Development and Reform Commission, etc.).

Who needs to comply with the Provisions?

According to Article 3 of the Provisions, any so-called “Automotive Data Processor,” including 1) automobile manufacturers, 2) parts and software suppliers, 3) dealers and distributors, 4) automotive repair and maintenance enterprises, and 5) vehicle-for-hire companies, must comply with the Provisions when “handling Automotive Data.” Thus, the scope of “Automotive Data Processor” covers nearly the entire automotive industry.

The Provisions regulate the “full life cycle” of Automotive Data. Specifically, the phrase “handling Automotive Data” mentioned above refers not only to “processing” the data but also to “collecting, storing, using, transmitting, providing, and disclosing” such data.

Principles for handling Automotive Data

The Provisions encourage Automotive Data Processors to adhere to the following principles while conducting Automotive Data processing activities:

  • “In-vehicle processing”: Unless it is necessary to provide data to a recipient outside the vehicle, Automotive Data processing activities should be completed inside the vehicle;

  • “Non-collection by default”: Unless otherwise set by the driver, “not collecting the data” must be the default setting of the vehicle;

  • “Appropriate Accuracy and Coverage”: The coverage and resolution of cameras, radars, etc. must be set according to the accuracy required by the functions or services they support; and

  • “Desensitization and Anonymization”: Data processors should anonymize and de-identify the collected information as far as possible.

Requirements in processing Personal Information and Sensitive Personal Information

The Provisions impose two main obligations on data processors for processing Personal Information Data. First, Automotive Data Processors should notify users in a conspicuous manner of the types of data to be processed, the purpose of data collection, methods for stopping data collection, etc. (specified in Article 7). Second, Automotive Data Processors should obtain consent from users before collecting Personal Information Data.

Further, the Provisions state that Sensitive Personal Information can only be collected for the purpose and necessity of ensuring the security and safety of the vehicle and drivers. In addition to notifying and obtaining users’ consent, as mentioned above, the data processor should also delete the data collected within 10 working days if users request the deletion.

Requirements in processing Important Data

The Provisions state that all Important Data should, as a rule, be stored within the territory of the PRC and may not be transmitted across the border without the approval of the relevant regulatory authorities. Data processors should undertake the following responsibilities while processing Important Data:

  • Conducting regular risk assessments or risk audits, and reporting the results to the relevant regulatory authorities;

  • When a cross-border transmission of Important Data is truly necessary for business needs, undergoing a security assessment organized by the CAC and other relevant regulatory authorities; and

  • Annually, by Dec. 15, filing an Annual Report on security management with the relevant government departments.

Finally, the Provisions also require Automotive Data Processors to “establish channels for complaints and reports” and to set up convenient complaint and report portals so that user complaints and reports are handled in a timely manner.
