China is increasingly emphasising government sovereignty on cyberspace and data, rapidly evolving its cybersecurity and data regime, enacting numerous rules and policies, and formulating national standards for cybersecurity and data protection. Privacy rights and security principles are rooted in the PRC Constitution, Civil Code and National Security Law, grounded in three established pillars of law: the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL).
INTERACTION OF PILLAR LAWS
Among those three pillar laws, the CSL is fundamental to cyberspace sovereignty, establishing the overall security framework. The DSL aims to protect the security of processed data, and PIPL is dedicated to regulating personal information processing.
The DSL and PIPL both claim extraterritorial power to protect data and personal information processed by infrastructure protected by the CSL. The DSL will punish any data processing outside the PRC if detrimental to national security or public interest, or the lawful rights and interests of any Chinese citizen or entity. Similarly, processing personal information outside the PRC for offering products or services to individuals or assessing the behaviour of individuals in the PRC needs to comply with the PIPL.
Businesses in China should also comply with specialised rules in specific industries and local data regulations. Continual efforts by various industrial regulators and local governments address cybersecurity, especially in medical and health, finance, automobile, and internet information services (such as algorithm recommendation services) locally and nationally.
The Cyberspace Administration of China (CAC) recently released long-awaited findings of a cybersecurity review against ride-hailing giant DiDi, resulting in a USD1.2 billion fine. The review was initiated before the revised Measures on Cyberspace Security Review came into effect on 15 February.
Since that revision, the scope of cybersecurity review has extended to specifically apply to network platform operators seeking overseas listing while processing personal information of more than a million users.
The review also applies to the procurement of network products or services by operators of critical information infrastructure, or data processing by operators of network platform operators, if national security is, or is likely to be, impacted.
Among those three circumstances triggering review, data processing by network operators is the most difficult to self-determine, as there is no explicit legal guidance about relevant factors. Seemingly, any big platform processing a large volume or various types of data may be subject to review.
To be safe, either don’t run a large network platform, or if you do, voluntarily apply for a cybersecurity review to receive notice of no further action. Otherwise, face a similar risk to huge academic research database China National Knowledge Infrastructure (CNKI), currently under review for national security reasons.
Multi-level protection requirements on information systems and networks are also updated under the CSL. Under the multi-level protection scheme (MLPS) regime, network application operators should assess their network applications and associated risks, with each application assigned a “security level” based on its nature, importance and severity of potential impact if compromised.
Levels range from one to five, and the higher the level, the more stringent the security requirements the operator should adopt. Subject to the security level, operators are required to get their network application assessments filed or assessed by the public security authority, and adopt appropriate security measures.
To safeguard data sovereignty, the CSL imposes data localisation requirements on critical information infrastructure operators. The DSL and PIPL stipulate that any request by a foreign judicial body or law enforcement authority for the provision of data or personal information stored in China is subject to prior approval by competent authorities.
The CAC Security Assessment Measures of Cross-border Data Transfer, which came into effect on 1 September, allow data processors a six-month transition period to comply. Previously, the CAC issued the draft Provision on the Standard Contract for Personal Information Cross-border Transfer, similar to the EU’s standard contractual clauses (SCCs). The National Information Security Standardisation Technical Committee (TC260) also released the Practice Guidelines for Cybersecurity Standards – Specification for the Security Certification of Personal Information Cross-Border Processing Activities, introducing a certification framework for cross-border data processing.
According to the measures, a CAC-led mandatory security assessment will be triggered under statutory situations prescribed in the CAC Security Assessment Measures of Cross-border Data Transfer.
By contrast, the security certification is expected to address frequent personal information transfers among subsidiaries or affiliates of the same corporate group, while the SCC will be the main tool for cross-border data transfers without needing prior CAC approval. However, given the low thresholds for security assessment, it likely will become the pervasive means to transfer cross-border data.
The DSL establishes a general requirement on data classification management and protection according to the importance of data to the national economy, national security, public interest and society, as well as the potential degree of harm in case of a security breach. A core data is the highest of the three-tier system, subject to strictest protection and expected to be determined by central government agencies.
Important data is in the mid-range. Industrial regulatory authorities and local governments will respectively define important data in various industries and administrative regions, and processors will follow the definition catalogue to determine the scope of their important data. But for now, there is only a draft national standard on important data identification, along with a preliminarily administrative regulation defining it in the auto industry, and a draft regulation in the industrial and information technology sectors. It may take a while for all core data and important data to be identified nationwide.
PERSONAL DATA PROTECTION
The PIPL provides comprehensive protection covering the entire processing cycle of personal information, requiring processors to take appropriate measures to ensure safety and imposing stricter requirements on processing sensitive information. Processors are required to obtain a lawful basis before processing any personal information, including a consent of data subjects and a variety of other lawful bases. They are also required to follow the principles of legality, legitimacy, necessity and good faith, comply with legal requirements, and retain relevant records to demonstrate compliance, or defend potential claims.
In addition, the PIPL grants data subjects comprehensive rights, both substantive and procedural, over their personal information, such as the right to know, decide, have portability and complain.
ENFORCEMENT AND PENALTY
The pillar laws impose harsh criminal, administrative and civil liabilities against cybersecurity and privacy violations. For example, under the PIPL, illegal gains may be confiscated, with fines ranging from RMB1 million (USD142,000) to RMB50 million, or 5% of annual business turnover. The person directly in charge and other directly liable persons can be fined up to RMB1 million. The record-breaking DiDi fine is the most recent example. A draft proposal to amend the CSL with even steeper penalties was released for public comment on 14 September. Chinese prosecutors and courts are clearly more active over personal information protection and data-related crimes in civil and criminal cases.
TRENDS AND DEVELOPMENTS
The government believes the digital economy and data assets will be the next key competition area in the world, and is prioritising building, maintaining and defending sovereignty in cyberspace.
It can be reasonably expected that the development trend in the next three to five years will very likely present:
- CSL enforcement, with MLPS 2.0 implementation, will be strengthened to establish a solid and secure base for cyberspace sovereignty;
- DSL development, through data categorisation and classification, will be completed and fully implemented in all industries and administrative regions; and
- The PIPL will continue to be localised by more judiciary enforcement against foreign entities, subject to the law.
The above trends and developments of the cyberspace security laws determine that there will be more administrative punishments, judicial review and extraterritorial enforcement efforts in the coming years. Therefore, multinational companies in China and offshore entities remotely interacting with China should keep a close watch on the legal, administrative and judicial developments and understand timely and clearly the relevant underlining statement of the development by working with qualified local counsels and making proper adjustments in its business operation for compliance purposes.
GLOBAL LAW OFFICE
35 & 36/F Shanghai One ICC, No.999
Middle Huai Hai Road, Xuhui District
Shanghai, 200031, China
Tel: +86 21 2310 8288