China proposes further clarifications to its data security and management regime: businesses to take note
China’s draft Network Data Security Management Regulations (“Draft Regulations”, published in Chinese), released on 14 November for one month’s public consultation, provide further detail on the three-pronged cyber-regulatory framework of the Cybersecurity Law (the “CSL”), Data Security Law (the “DSL”) and Personal Information Protection Law (the “PIPL”). Significantly, the Draft Regulations are to be passed at the level of administrative regulations, which have a higher status than departmental rules or national standards.
While a few articles of the Draft Regulations do give practical operational detail on certain aspects of the CSL, DSL and PIPL, more needs to be done to provide a workable set of rules for commercial operators – particularly multinationals, financial institutions and consumer-facing platforms.
In addition, the Draft Regulations build upon the general requirements for comprehensive systems and procedures for handling data in the DSL, and supplement these with requirements to employ techniques such as access controls and password protection. Platform businesses are mandated to comply with additional requirements (mainly from an antitrust perspective), including on disclosure of privacy practices and use of algorithms. Public consultation and, for large platforms, regulatory approvals, are required to implement certain rules and policies, which could significantly slow the ability of platforms to adjust data practices to new competitive and regulatory developments.
IT and compliance heads may accordingly need to prepare expanded budgets, in anticipation of the Draft Regulations (which, unlike national laws, do not need to go through a three-stage legislative approval process) coming into force in 2022.
Below are some significant characteristics of the Draft Regulations:
Regulatory categories
- The Draft Regulations describe three types of data: general data, important data, and core data.
- The scope of “important data” is similar to that in other rules and guidelines including the most recent draft Information Security Technology – Identification Guide of Key Data (the “Draft Key Data Guidelines” – see our note here).
- Broadly speaking, the Draft Regulations impose the following additional requirements on businesses that process “important data” or (as denoted by an “*” below) personal information of over a million people:
- Extra-territorial jurisdiction (see below);
- *Reporting requirements following M&A of targets possessing such data (see “Significant M&A reporting” below) as well as other reporting to the Cybersecurity Administration of China (the “CAC”) on data export (see “Annual report” below) and on identification of important data;
- Disclosure of arrangements for sharing, trading and entrustment (see “Wider basic disclosures” below);
- Data transfer agreements (see below);
- Additional breach reporting obligations (see “Serious incidents” below);
- *Mandatory regulatory consent to share, trade or entrust the data (both offshore and onshore);
- *Security assessment requirements if sharing, trading, entrusting or sending data outside the Chinese mainland, and submission of an annual security assessment report to the municipal-level CAC before 31 January each year (the list of reportable items is prescribed in the Draft Regulations); and
- *Appointment of a data security officer, who is empowered to report directly to the CAC on data security incidents without going through top management.
- The Draft Regulations do not state expressly that personal information is “general data”; however, other rules and guidelines have stated that personal data does not normally constitute important data, so this is likely to be the case. In any event, many of the requirements that the Draft Regulations impose on important data are already mirrored in the PIPL with regard to personal data.
- The Draft Regulations categorise data in the finance sector (together with other strategically important sectors such as industrials, transport, telecommunications, energy and defence technology) that is required for safe production and safe operation as generally being “important data”, departing from the position in the Draft Key Data Guidelines (which dropped the finance sector from this category). It will therefore be important for financial institutions to ascertain whether classification of their data under the data protection laws more broadly will be managed at a national or industry level.
- The Draft Regulations seem to propose that data obtained by a business from any source (for example, a supplier or other business counterparty), not just data generated by the business itself, should be processed in compliance with the data security obligations under the Draft Regulations. This would mean, for example, that a financial advisor obtaining important data from a corporate client as part of a due diligence exercise needs to follow the same consent process that the client went through when it obtained the data. Tracking both their own and counterparty important data will be a challenging compliance requirement for businesses.
Extraterritoriality: application to be clarified
- Under the Draft Regulations, China’s regulators could seek to enforce data protection rules upon data processing activities outside of the Chinese mainland that (i) facilitate the provision of products or services into the Chinese mainland, (ii) analyse and assess the behaviour of individuals or organisations in the Chinese mainland, or (iii) involve important data. It is not clear whether the Draft Regulations are intended to apply all rules to all relevant types of data processing by offshore persons, or to maintain the differentiation under the PIPL and DSL (under which the principles relevant to processing personal information of individuals generally remain applicable only to cross-border B2C business, and not to cross-border B2B business where processing of personal information is not of such prominent relevance). Multinational organisations, in particular, will be keen to clarify this as a matter of urgency.
Impact on corporate transactions
- Hong Kong listings. International investors were shaken in July by the draft revised Cybersecurity Review Measures, which sought to impose an enhanced cybersecurity review process on PRC companies possessing personal information of over a million subjects and wishing to IPO on a “foreign” listing venue (see our briefing here). The Draft Regulations seek to extend a similar review process (albeit with its own regulatory parameters) to any data processor that seeks a listing in Hong Kong SAR which affects or may affect national security (a term the Draft Regulations leave undefined).
- Platform M&A. Large internet platforms intending to undergo M&A or restructuring that might impact mainland China’s national security will also likely be subject to cybersecurity review pursuant to the Draft Regulations. Again, details of the actual review process must be awaited.
- Platform overseas expansion. Where a large internet platform establishes an overseas headquarters, operating hub or R&D centre, this international expansion will in itself require submission of a report to CAC and other relevant industry authorities at a national level, in addition to the potential application of a cybersecurity review process.
- Significant M&A reporting. Following on from the obligation under the PIPL for buyers to continue to fulfil a business’s duties towards management of information held by an acquired target, in (amongst others) a merger, division or restructuring where important data or the personal information of over one million individuals is held by the target, the buyer must also submit a report to the relevant municipal-level industry authorities. Although this appears to be a post-completion filing, the Draft Regulations do not rule out that it is in fact a pre-completion approval requirement. In any case, this step will need to be built into transaction documentation.
Consents to data processing
- Separate consent. Applying the same approach as the PIPL, the Draft Regulations prescribe certain circumstances in which businesses are required to obtain a separate consent from an individual. To comply with the requirement, an individual consent should be obtained for each piece of personal information processed and each processing activity applied to it. As discussed in our recent alert, the processing conditions (other than consent) available under the PIPL are unlikely to be readily available to businesses making cross-border transfers or operating B2B models, among others. Therefore, unless this separate consent requirement is modified before enactment of the Draft Regulations, meeting it will be extremely onerous for businesses and will cause consent fatigue among consumers.
- Unbundled consents. The Draft Regulations also propose that consents are obtained separately for processing by each business function disclosed (as described below). This unbundling of consents was also recommended under the PI Specification and fits with the more granular disclosures described below. Ultimately, however, it could be read to multiply the number of consents that some businesses must obtain in practice because they are offering various services.
Processing disclosures expanded
- Wider basic disclosures. The PIPL already includes expansive disclosure requirements when business operators share personal information with other data controllers or on a cross-border basis. The Draft Regulations seem to enhance them by mandating that the storage period and location are expressly notified to individuals (which goes beyond the requirements under the PIPL) before their personal information is provided to third parties. In addition, these disclosure requirements will apply to the sharing, trading and entrustment of important data, a data type largely outside the scope of the PIPL but effectively pulled in by the Draft Regulations, thereby increasing businesses’ compliance obligations.
- Transparency on multiple functions. The mandatory content prescribed for data privacy policies under the PIPL is expanded under the Draft Regulations to include granularity on the processing purpose, method and categories of personal information to be processed by each function of a service or product. This splitting out of multiple business functions was recommended under current authoritative best practice guidance (namely the Information Security Technology – Personal Information Security Specification, the “PI Specification”), but the Draft Regulations would make it compulsory for multi-faceted businesses (which deploy complex apps, etc.), again adding to the compliance burden.
- Third-party management. The PI Specification recommends that data controllers make prescribed disclosures on third-party plug-ins and other points of access embedded in their websites and apps (see our previous alert here). These innocuous links between businesses have long been seen by the PRC authorities as a point of vulnerability in online data security, so the Draft Regulations propose mandatory warnings to users on third-party management.
- Protections and complaint channels. Further compulsory requirements are proposed to be added to privacy policies – as currently recommended under the PI Specification – with prescription around disclosures on security risks and protective measures relating to personal information processing, as well as descriptions on complaint and dispute resolution channels for users.
Data transfer agreements
- Contracts with all recipients. The PIPL’s stipulation that contractual terms must be put in place for arrangements with onshore entrusted parties and for cross-border transfers is clarified to be equally applicable to the provision of data to other data controllers (including those onshore). Operators must agree terms on the purpose, scope, method and security measures to be implemented for the processing of personal information and (where applicable) important data, as well as liability allocation and ensuring that they have a means of supervising the data recipient.
Cross-border transfers
- Transfer mechanics and potential exceptions. The cross-border transfer mechanics applicable to personal information under the PIPL are proposed to be extended under the Draft Regulations to all forms of data. These requirements – including the use of the CAC’s template contractual terms once released – would seem to fall away where the data export is for the purpose of entering into or fulfilling a contract with the data subject, or where the data subject’s life, health or property is at risk. It is not clear whether this exception, which could be hugely advantageous to certain businesses, would override the requirement in the PIPL for contracts to be used unless a regulatory security assessment or professional certification is completed. No similar exception was apparent under the draft Measures on Outbound Data Transfer Security Assessment released a couple of weeks earlier (see our post here), which will therefore need to be aligned with the Draft Regulations.
- Subsequent offshore transfers. The level of disclosure required to data subjects on data exporters’ intended sharing of the individuals’ personal information outside of the Chinese mainland was a point of contention under the PIPL. This seems to be clarified under the Draft Regulations, which require senders to specify the onward recipients’ security protection obligations and agree with data subjects that information can be sent on to those recipients. If this chain principle is so enacted, this would be onerous for organisations that require the flexibility to share information on an intragroup basis and/or rely on multiple offshore contractors and subcontractors to assist with data processing.
- Annual report. The Draft Regulations require (as was first seen in the 2019 iteration of the draft Measures on Security Assessment of Cross-border Transfer of Personal Information) data exporters to prepare annual reports on transfers of personal information and important data, for submission to the municipal branch of the CAC before 31 January each year. The requirement to name and provide contact details for all overseas data recipients would impose an additional burden on businesses with multiple processing partners outside of the Chinese mainland, and could result in further restrictions being imposed on the transfer of data to certain jurisdictions.
Breach reporting
- Threshold for reporting; possible exception. While the general regulatory position until the PIPL took effect required that all cybersecurity incidents and data breaches – actual and potential – be reported to the affected parties, the Draft Regulations suggest that security incidents that do not cause any harm to individuals or other organisations do not have to be reported to the affected parties. This will be welcomed by businesses that contest the need to report “fat finger”-type errors, but it is unclear how this rule would work in practice alongside the mandatory reporting requirements already prescribed under the higher-ranking CSL and DSL.
- Deadline for reporting to affected parties. Where reporting to affected parties is required, the Draft Regulations require organisations to report to these customers and other parties within three working days (not dissimilar to the 72 hours permitted under the European Union’s General Data Protection Regulation for reporting to the relevant supervisory authorities). In practice, however, in complex businesses, even three working days may remain challenging if meaningful details are to be given of the incident, the causes and potential harm arising from it, and the remedial measures that have been adopted.
- Reporting serious incidents to authorities. Where important data or the personal information of more than 100,000 persons is lost or disclosed, organisations have additional reporting obligations. Firstly, within eight hours of the incident (an even shorter timeline than the 24 hours prescribed for incidents to be reported under other PRC internet security rules), a report must be made to the CAC and other relevant authorities at municipal level, including details similar to those to be given in the three-day reports to interested parties. Then, within five working days after managing the incident, another report must be submitted to the same authorities on the organisation’s investigation and assessment of the incident, including how it will ensure that similar events do not arise again. Just as three working days can be too short to gather and collate the information for the initial report, even five working days will often prove challenging for businesses that do not have cyber crisis measures operating at full preparedness. No doubt many organisations will need to invest time and resources in this compliance function.
- Police involvement. Reports to the public security bureau on security breaches are usually standard practice on the Chinese mainland, whether directly or indirectly via other regulators. The Draft Regulations suggest that police reports are only required where the incident is suspected of involving criminal activity.
There is no apparent timeline at this stage for enactment of the Draft Regulations, but clearly the proposed rules present many challenges for businesses – both domestic and international – and leave a number of unanswered questions. It will be crucial for stakeholders to consider the implications for them and, where appropriate, liaise with and submit comments to the PRC regulators through the channels provided.