In China, the Cybersecurity Law of the People’s Republic of China (‘CSL’), effective on 11 June 2017, sets the legal foundations for networks and information handling. CSL establishes the principal legal basis for regulating digital security and guides the relevant bodies in adopting rules and regulations. Today, the legal framework for cyber, data and personal information security reflects the comprehensive and mature digital ecosystem in China and its cross-border exchanges.
The table below shows the three main laws regulating cyber, data, and personal information security and their primary associated rules and regulations.
All three laws sit under the PRC National Security Law.

| Cybersecurity Law | Data Security Law | Personal Information Protection Law |
|---|---|---|
| Regulations on Network Data Security Management (Draft for Comment) | Guideline for identification of critical data (Draft for Comment) | Information Security Technology – Personal Information Security Specifications (GB/T 35273-2020) |
| Measures for Cybersecurity Reviews | Administrative Measures for Data Security in the Field of Industry and Information Technology (for Trial Implementation) (Draft for Comment) | Provisions on the Cyber Protection of Personal Information of Children |
| Guiding Opinions on Implementing the Cybersecurity Multi-Level Protection System and Critical Information Infrastructure Security Protection System | | |
Cyber, data, and personal information security legislation is regularly enforced, and criminal liability can be pursued if a violation constitutes a crime. For companies, implementing the correct control mechanisms and reporting systems is essential to reduce legal liability. We provide a Q&A summarising what is deemed cyber, data, and personal information security in China and the best compliance practices.
Q: Which companies are subject to CSL?
A: CSL applies to all network operators in China, defined as owners and administrators of networks and network service providers. In other words, a company that establishes and uses an internal network, such as an IT system to manage the company, is regarded as a network operator.
Q: What are the security obligations for network operators?
A: Under Article 21 of CSL, network operators shall fulfil the following security protection obligations according to the requirements of the classified protection system: ensure that the network is free from interference, damage, or unauthorised access, and prevent network data from being divulged, stolen or falsified.
In practice, companies should determine the security level of their network and establish corresponding measures to protect it. These obligations are further fleshed out in the Guiding Opinions on Implementing the Cybersecurity Multi-Level Protection System and Critical Information Infrastructure Security Protection System (‘Opinions’). Under the Opinions, network operators shall conduct a self-assessment and define a corresponding multi-level protection scheme (‘MLPS’). The self-assessment shall first determine the MLPS level and then assess whether the current measures meet the requirements of that level.
There are five MLPS levels, and the higher levels require stricter protection measures. The MLPS level is determined by the following two factors:
- the importance of the network system to national security and to social and economic development; and
- in the case the network is damaged, the degree of damage that may be caused to national security, social and economic development, and the legitimate rights and interests of other individuals or organisations.
Usually, critical information infrastructure (‘CII’) networks that may affect social order and the public interest are classified as level 2 or above, and level 5 is reserved for state-owned military systems.
MLPS levels above 1 require an authorised third-party assessment, and such assessment shall be filed with the public security authority for review. Once approved, the MLPS certification is issued. It is important to note that MLPS certification is mandatory for MLPS levels above 1.
Q: What network operators are deemed as CII?
A: Under CSL, CII is defined as network infrastructure and information systems that, if sabotaged, broken down, or subject to information leakage, would result in serious damage to national security, the national economy and people’s livelihoods, and the public interest.
Currently, the industries listed in Article 31 of CSL are as follows:
- public communications and information services;
- energy and transport;
- water conservancy;
- public services;
- e-government affairs; and
- other important industries and fields and other critical information infrastructure.
Q: What are the security obligations for CII?
A: Under CSL, CII operators shall fulfil the following security protection obligations:
- Set up independent security management institutions and designate persons responsible for security management, and review the security background of the said responsible persons and personnel in key positions;
- Periodically conduct cybersecurity education, technical training, and skill assessment for practitioners;
- Make disaster recovery backups of important systems and databases;
- Formulate contingency plans for cybersecurity incidents, carry out drills periodically; and
- Other obligations stipulated by laws and administrative regulations.
In practice, a Chief Operator Officer (‘COO’) shall be appointed as the key person responsible for CII security protection, with duties that include establishing, refining, and implementing the cyber security accountability system. The COO is fully responsible for CII security protection and is subject to penalties and liabilities: as stipulated in the legal liability provisions of CSL, the person directly in charge can be punished for violations.
Additionally, CII operators are required to store personal information and important data within the territory of China, and a security assessment is required to export such data. Therefore, relevant personal information and general data collected in China cannot be exported to data centres outside China without meeting specific criteria. Under the Data Security Law (‘DSL’) and the Personal Information Protection Law (‘PIPL’), discussed below, cross-border transfers proceed through a graded data system.
Q: What is defined as data under the Data Security Law (‘DSL’)?
A: The DSL defines the scope of data to encompass both electronic and non-electronic forms. Companies that handle data, including the collection, storage, use, processing, transmission, provision, and disclosure of data, are subject to DSL.
Q: What are the security obligations for companies handling data?
A: The obligations depend on the type of data handled. For all companies conducting data handling activities, the DSL stipulates the following obligations:
- establish and improve a data security management system across the entire workflow;
- adopt lawful and proper methods for collecting data; obtaining data by illegal means is forbidden;
- organise and conduct data security education and training;
- adopt the corresponding technical measures and other necessary measures to ensure data security; and
- when a data security incident occurs, take immediate disposal measures, notify users as required and report the matter to the relevant competent department.
For companies handling data classified as important data, the following additional obligations apply:
- specifying responsible personnel and management bodies for data security; and
- designating a data security officer and establishing a data security management body.
The data security management body is led by the data security officer and shall perform the following responsibilities:
- studying and making recommendations for major decisions related to data security;
- developing and implementing data security protection plans and data security incident emergency response plans;
- conducting data security risk monitoring, and handling data security risks and incidents promptly;
- organising activities such as data security awareness, education and training, risk assessment, and emergency drills, to be conducted regularly;
- receiving and handling data security-related complaints and reports; and
- reporting data security situations to cyberspace authorities and other competent or regulatory authorities promptly, as required.
The data security officer is a significant role and shall hold relevant data security expertise and management experience. Additionally, the officer shall be a member of the data processor’s decision-making level and be authorised to report data security situations directly to cyberspace authorities and other competent or regulatory authorities.
Q: What data is classified as important data?
A: DSL identifies two types of data subject to stricter data management and legal liability. Firstly, core data, defined as data related to national security, the lifelines of the national economy, important aspects of people’s livelihood, and major public interests, shall be subject to stricter management.
Secondly, a specific important data catalogue shall be formulated by each region and department according to their varying needs. Formulation of regional and industry catalogues shall be guided by the national mechanism to ensure uniformity. Competent industry departments are entrusted to define the scope and are permitted to adjust it as the industry develops.
Currently, two draft regulations for comment specify general definitions of data grading:
- The Draft Administration Regulations on Network Data Security outline that data is to be classified into ordinary data, important data, and core data.
- The Practice Guidelines for Cybersecurity Standards – Guidelines for Network Data Classification and Grading outline data levels according to the level of damage caused:
  - Level One Data: if the data is leaked and misused, there is no damage to the legitimate rights and interests of individuals and organisations;
  - Level Two Data: if the data is leaked and misused, there is minor damage to the legitimate rights and interests of individuals and organisations;
  - Level Three Data: if the data is leaked and misused, there is ordinary damage to the legitimate rights and interests of individuals and organisations;
  - Level Four Data: if the data is leaked and misused, there is severe damage to the legitimate rights and interests of individuals and organisations.
Personal Information Protection
Q: What is deemed personal information under the Personal Information Protection Law (‘PIPL’)?
A: Personal information includes both electronic and non-electronic records; however, it excludes information that has been anonymised, in other words, information that does not identify a natural person (for example, the address of Joe X).
Companies outside of China are not exempt from PIPL. Any company outside of China that processes the personal information of individuals in China can be subject to PIPL.
Specifically, PIPL outlines the following circumstances in which companies outside of China are subject to it:
- Where the purpose of the activity is to provide a product or service to an individual located within China;
- Where the purpose of the activity is to analyze or assess the behavior of an individual within China; or
- Any other circumstance as provided by law or administrative regulations.
Practically, companies outside of China should conduct a risk assessment of their information database.
Q: What are the security obligations for companies handling personal data?
A: PIPL provides for the following obligations for companies processing personal information (‘Processors’).
Processors are required to inform the individual of the following matters in a conspicuous way, in clear and easy-to-understand language, and in a truthful, accurate, and complete manner:
- The organisational or personal name and contact information of the personal information processor;
- The purpose and method of processing personal information, the type of personal information to be processed, and its retention period;
- The way and procedure for the individual to exercise his/her rights provided for by this Law; and
- Any other matter to be disclosed as required by law or administrative regulations.
Processors may only collect personal information when the individual’s consent is obtained. Companies shall note the following when obtaining consent:
- The consent shall be voluntary, and the individual shall be explicitly informed.
- Individuals can request to know how their personal information is collected and stored, and can require such information to be corrected or deleted.
- An individual shall have the option to decline.
- When users withdraw their consent, the processor shall halt the collection or promptly delete the collected personal information.
Consent is, however, waived under the following circumstances:
- Where it is necessary for the conclusion or performance of a contract to which the individual is a contracting party, or where it is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded;
- Where it is necessary for performing a statutory responsibility or statutory obligation;
- Where it is necessary for responding to a public health emergency, or for protecting the life, health, or property safety of a natural person in the case of an emergency;
- Where the personal information is processed within a reasonable scope to carry out any news reporting, supervision by public opinions, or any other activity for public interest purposes;
- Where the personal information has already been disclosed by the individual or has otherwise been legally disclosed.
Sensitive personal information may only be processed for a specified purpose and includes:
- religious beliefs;
- specific identities, and medical and health information;
- financial accounts, whereabouts, and other such information of a natural person; and
- personal information of minors under the age of fourteen.
For such data, companies are required to adopt strict measures to protect it, obtain specific consent, and inform the individual of the necessity of the processing and its impact on their rights and interests. For the personal information of a minor under the age of fourteen, processors shall obtain the consent of a parent or guardian of the minor.
Practically, the departments highlighted below will be substantially affected by the sensitive data obligations.
| Business Operation | Sensitive Personal Information | Impact on operations |
|---|---|---|
| Human Resources | Employees’ addresses, personal phone numbers and email addresses; position, work unit, education, religion and transcripts; bank accounts, salaries and bonuses | Personal information in a labour contract does not require separate consent; however, it could be subject to further rules and regulations |
| Finance and Accounting | Bank account and deposit information; clients’ and suppliers’ names, addresses, personal phone numbers and job positions | Financial personal information faces specific categorisation; certain categories of sensitive financial personal information may need to be localised |
| Marketing / eCommerce | Clients’ addresses, personal phone numbers, email addresses, software usage records, engagement records, and transaction and consumption records | Personal pricing algorithms and automated decision-making through big data analysis are completely prohibited by the new PIPL and supporting regulations |
Q: Which type of personal information can be transferred overseas?
A: Companies may only transfer personal information outside of mainland China by meeting one of the following conditions:
- Where a security assessment organised by the national cyberspace authority has been passed;
- Where certification of personal information protection has been provided by a professional institution, under the regulations of the national cyberspace authority;
- Where a contract in compliance with the standard contract provided by the national cyberspace authority has been concluded with the overseas recipient, establishing the rights and obligations of both parties; or
- Where any other condition prescribed by law, administrative regulations, or the national cyberspace authority is met.
For companies, especially multinationals working with the personal information of employees and suppliers located in China, implementing the provisions for transferring personal information is essential to avoid penalties.
Under the Measures for the Security Assessment of Outbound Data Transfers effective from 1 September (‘Measures’), companies handling the personal information of more than 1 million individuals shall perform a security assessment prior to an overseas transfer. The following transfer volumes also bring companies within the scope of the Measures:
- transferring the personal information of more than 100,000 individuals cumulatively since 1 January of the preceding year;
- transferring the sensitive personal information of more than 100,000 individuals cumulatively since 1 January of the preceding year; and
- other situations stipulated by the State Internet Information Department that require a security assessment.
Practically, companies outside these thresholds should still be aware of the legal obligations, since the Measures include a catch-all clause in their scope of application.
Legislation concerning cyber, data, and personal information security in China is being rolled out rapidly, and enforcement is increasing. For companies in China, it is critical to implement a compliance mechanism and train employees on the changing legislation. In particular, companies working with technology and handling data should take practical steps to understand and monitor the landscape. At Horizons, we advise clients to evaluate the following points:
- Do we process high data volumes and export such data overseas? Companies should evaluate whether data is shared with politically sensitive countries and whether such transfers will be politicised.
- Does the collected and processed data pose a high risk of damage to national security? Specifically, what degree of damage would result if the data were leaked or tampered with?
- Which industries are subject to higher scrutiny and enforcement? Monitoring enforcement allows companies to understand the practical application of such laws, rules, and regulations. Additionally, the company can gain insight into what regulators prioritise.