In recent years, a comprehensive legal framework has been implemented to regulate information security and data handling in China. Particularly in 2021, numerous data laws and regulations, relevant normative documents, and industry standards were adopted to form the blueprint for cyber and data security.

The following chart shows the regulatory regime for cybersecurity and data protection in China. The Data Security Law, the Cybersecurity Law, the Personal Information Protection Law and the other implementing regulations and guidelines form the main pillars of the framework.

  • PRC National Security Law
  • Data Security Law
  • Cybersecurity Law
  • Personal Information Protection Law
  • Guideline for identification of critical data (Draft for Comment)
  • Regulations on Network Data Security Management (Draft for Comment)
  • Information Security Technology - Personal Information Security Specifications (GB/T 35273-2020)
  • Administrative Measures for Data Security in the Field of Industry and Information Technology (for Trial Implementation) (Draft for Comment)
  • Measures for Cybersecurity Reviews
  • Provisions on the Cyber Protection of Personal Information of Children

II. Major Compliance Points for Foreign-Invested Enterprises

1. Mandatory Data Localisation and Cross-border Transfers

Certain classified data is required to be localised. Whilst such provisions should not substantially affect foreign entities, it is still important to understand them and keep abreast of any regulatory changes.

Article 31 of the Data Security Law requires that:

  • For Critical Information Infrastructure Operators (“CII Operators”), “important data” shall be stored in the territory of China, and its cross-border transfer is regulated by the Cybersecurity Law;
  • For non-CII operators, the cross-border transfer of “important data” is expected to be regulated by measures announced by the Cyberspace Administration of China (CAC) and other authorities.

Below are the two key provisions which define which industries fall under the term CII Operator and what constitutes important data:

  • Critical Information Infrastructure Operator:

The Data Security Law does not define CII Operator, but under the Regulations on Critical Information Infrastructure Security Protection (Draft for Comment), Critical Information Infrastructure is defined as any information infrastructure whose data breach, network compromise, or system malfunction could endanger national security, national strategy, and civil welfare. The sectors of energy, finance, transportation, healthcare, education, social security, public utilities and so forth are identified as the relevant Critical Information Infrastructure industries.

  • Important Data:

The Data Security Law does not define “important data”, but under the Measures for Data Security Management (Draft for Comment), “important data” is defined as “the data that once divulged, may directly affect national security, economic security, social stability, or public health and safety, such as undisclosed government information or large-scale data on the population, genetic health, geography, mineral resources, and so forth”. Generally, important data should not include enterprises' production, operations, and internal management information, personal information, and so forth.

For foreign entities, such provisions can raise concerns and risks, especially in identifying whether the company falls within the prescribed scope and whether the data it processes are likely to be considered “important data”, i.e. data with the potential to harm national security or social welfare once leaked.

Although most foreign entities will be considered non-CII Operators, foreign investors should remain vigilant for any forthcoming cross-border data transfer measures for non-CII operators.

2. Personal Information Protection

Another compliance point for foreign entities is personal information protection. Currently, two draft measures, the Measures for Security Assessment of the Personal Information and Important Data Outbound Transmission (Draft for Comment) and the Measures on Security Assessment of the Cross-Border Transfer of Personal Information (Draft for Comment), require a security assessment of overseas entities for the cross-border transfer of personal information. Once the two Measures are adopted, foreign entities shall implement the necessary compliance procedures.

In the Measures on Security Assessment of the Cross-Border Transfer of Personal Information (Draft for Comment), only network operators are subject to the safety assessment:

  • Article 2: For a Network Operator, the personal information and important data collected or generated in the course of operations within the territory of China shall be stored within the territory of China. Where transfer is necessary, a safety assessment shall be conducted in accordance with the Measures.
  • Article 4: The cross-border transfer of personal information is subject to the consent of the person concerned. The purpose of the cross-border transfer, the content of the information to be transferred, the recipient of the information, and the country or region where the recipient is domiciled should be explained to that person. Transmitting minors' personal information overseas must be approved by their guardians.

“Network Operator” is broadly defined under the Cybersecurity Law as “the owners and administrators of networks and network service providers”. Therefore, foreign entities should assess whether they will be considered a Network Operator.

Generally, the information and network technology infrastructure of foreign entities is owned, managed, and provided by their headquarters overseas. Usually, foreign entities' servers and databases are all located outside China, and the Chinese subsidiaries only utilise them during daily operations. As a result, foreign entities are unlikely to be defined or recognised as a “network operator”.

However, the Measures on Security Assessment of the Cross-Border Transfer of Personal Information (Draft for Comment) do specifically stipulate personal information protection obligations for foreign entities that collect personal information in China via a network.

Article 20 of the Measures on Security Assessment of the Cross-Border Transfer of Personal Information (Draft for Comment) provides that:

Overseas entities that collect personal information within the territory of China via a network shall perform the duties and obligations of a Network Operator through their legal representative or their entities within the territory of China.

Therefore, foreign companies shall abide by the Personal Information Protection Law and the relevant laws and regulations. In its business operations, if an enterprise needs to obtain, transmit or process any personal information, it must strictly perform its disclosure obligations and obtain the consent of the persons concerned. The enterprise shall inform the individual of the following items in a conspicuous way, in clear and easy-to-understand language, and in a truthful, accurate and complete manner:

  • organizational or personal name and contact information of the personal information processor;
  • purpose and method of processing personal information, the type of personal information to be processed and its retention period;
  • manner and procedure for the individual to exercise his/her rights provided for by this Law; and
  • any other matter to be informed as required by law or administrative regulations.

Any rules for personal information processing established by personal information processors shall be made available to the public and be easy to access and store. Also, enterprises shall not bundle consent matters, shall not force individuals to give consent, and must provide a convenient way to withdraw consent.

If an enterprise needs to transmit personal information across borders, it needs to complete the security assessment and submit the declaration form, the contract signed with the recipient and any other materials required by the national network information authority. After the assessment is passed, it shall also establish and retain records of the cross-border transfers of personal information for at least five years.

3. Restriction on provision of data to overseas judicial or law enforcement authorities

Article 36 of the Data Security Law provides that:

The competent authority of the People's Republic of China shall handle the request for providing any data from a foreign judicial body and law enforcement body in accordance with relevant laws or the international treaty or agreement which the People's Republic of China has concluded or acceded to, or under the principle of equality and mutual benefit. Any organization or individual within the territory of the People's Republic of China shall not provide any foreign judicial body and law enforcement body with any data stored within the territory of the People's Republic of China without the approval of the competent authority of the People's Republic of China.

In other words, where personal information from China is involved, domestic entities and individuals shall not provide data stored within the territory of China to foreign judicial or law enforcement authorities without approval from the competent authority of the PRC; such approval is mandatory and overrides any concluded international treaty or agreement.

For foreign companies, reviewing current data processing and data mapping is essential to flag compliance issues. With the forthcoming regulations and the increasing reliance on data for digitalisation, companies should be implementing a robust data and cyber compliance framework.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.