China's privacy and cyber authorities have been busy in the last month enacting substantial enhancements and clarifications to data protection compliance obligations; and even more changes are expected before the end of 2020. Key highlights - and the key steps for local and international organisations to take - are as follows:

  1. New national level laws: an enhanced right of the individual to personal data protection, including the right to bring personal civil claims for breach of data privacy, has been included in the new PRC Civil Code, and will take effect on 1 January 2021. It is expected that this will increase individuals' awareness of data privacy rights in China. This development is seen as a stepping stone towards the introduction of a first national-level, comprehensive personal data protection law in China, which is anticipated to be published before the end of 2020. These developments currently appear to be a consolidation and clarification of the existing data protection framework in China, but organisations should prepare for:
    • far greater numbers of data subjects being aware of, and exercising, their data privacy rights; and
    • closer scrutiny of personal data protection compliance

    in the coming months, and the possibility of further changes to the China data protection framework cannot yet be ruled out.

  2. Enforcement actions and crackdowns growing: Q2 2020 has seen steady growth in the number and scope of enforcement actions for privacy and cybersecurity infringements, including from local and industry (e.g. banking) authorities. Fines are now routinely being imposed, and administrative actions are attracting more press coverage, alongside the shutdown of infringing apps, systems or businesses. The investigations are becoming more involved, meaning increased risks of disruption to business and higher costs to manage them, which can be particularly difficult given the current post-pandemic business uncertainties. These increased enforcement risks, together with recently enacted cybersecurity measures, highlight the need for organisations to be prepared for regulatory compliance investigations (whether in person (dawn raids), by phone or even via online/WeChat questionnaire), as these are also growing in number. This includes ensuring robust incident/investigation management and governance protocols are in place.
  3. Don't forget MLPS: although uncertainties remain as to how organisations should be filing their Multi-Level Protection Scheme ("MLPS") self-assessments, we are now seeing authorities prioritising MLPS compliance. In particular, a new campaign launched by the Police Security Bureau (PSB) in Shanghai Pudong is stressing that businesses should have completed initial MLPS activities and filings before the end of October 2020. The MLPS scheme requires organisations with systems or even websites in China to self-assess - and for some levels obtain certification - and file their systems against five tiers of cybersecurity compliance requirements. Many businesses have put MLPS programmes on the back burner during the pandemic, but it appears likely that MLPS compliance investigations will commence in earnest from the end of this year.
  4. Managing apps, online content and VPN risks: these all continue to be a focus for enforcement by the authorities. In particular, new content measures highlight the need for organisations to be operating content monitoring programmes. Existing programmes should also be reviewed and updated in light of these new measures, in particular:
    • content monitoring mechanisms must cover the entire content publishing lifecycle; and
    • internal rules must be rolled out, and actively monitored and managed across the organisation.
  5. "Important data": it is expected that lingering uncertainties as to what constitutes "important data" under the PRC Cybersecurity Law will finally be resolved via new clarification guidelines, anticipated to be published shortly. Organisations have struggled to date with categorising "important data" in practice. The current definition is "data [which], if leaked, may directly affect national security, economic security, social stability, public health and safety". It is hoped that these guidelines will also provide welcome clarification on data localisation rules affecting "important data".
  6. Are you (now) a CIIO?: For those organisations already notified that they are a critical information infrastructure operator (CIIO), additional procurement restrictions came into force on 1 June 2020. These affect procurement of "critical network products and services". Uncertainties still remain for some organisations as to whether or not they are a CIIO. Recent reports suggest that the authorities may now be applying a broader definition to capture organisations that process substantial consumer datasets. Therefore, organisations should continue to monitor closely correspondence from the relevant regulators.

Originally published 10 June 2020.