12 Mar Foreign Companies Should Be Aware of Evolving Cybersecurity Regulations in China
Since China’s Cybersecurity Law (“CSL”) came into force on June 1, 2017, its privacy and security regulations have been constantly updated and clarified. This year on January 25, 2018, China officially published National Standards on Information Security Technology – Personal Information Security Specification (“PI Specification”), setting the best practices to ensure CSL compliance.
The PI Specification is an important development because it explains critical data protection concepts introduced through general language in the CSL and describes best practices that will be expected by regulators for the collection, retention, use, and sharing of personal information. In addition, the PI Specification defines previously hazy key security language like “informed consent,” “explicit consent,” and “sensitive personal information.” If you are doing business and hiring people in China, you must verify that you are complying with the CSL and the PI Specification.
First Determine Whether Your Business Qualifies as a Network Operator or CIIO
The CSL categorizes companies into two types: “Network Operators” and “Critical Information Infrastructure Operators” (“CIIOs”). The CSL defines “Network Operators” to encompass all “network owners, administrators, and network service providers” which covers virtually any business that operates an internal computer network, or even just a website, in China. Multinational companies with Chinese subsidiaries or China-focused trade should assume that they are at least a Network Operator for purposes of the CSL.
Operators of “Critical Information Infrastructure” include companies in critical sectors such as radio, television, energy, transportation, water conservancy, finance, and other infrastructure that “will result in serious damage to state security, the national economy and the people’s livelihood and public interest if it is destroyed, loses function, or encounters data leakage.” CIIOs face heightened cybersecurity standards under the CSL.
2017 China Cybersecurity Law Requirements
The CSL covers a range of topics, from privacy of personal information to security standards. Whether you find yourself as a Network Operator or CIIO, you must:
• Obtain the data subjects’ informed consent to the collection of their personal information, regardless of the prospective uses or manner of processing of that data;
• Not disclose, tamper, or destroy personal information;
• Develop internal security management systems and procedures, appoint personnel responsible for network security, and implement network security protection responsibility;
• Monitor and record network activity and security incidents, and store network logs for at least six months; and
• Implement measures to classify, back up, and encrypt data.
Similar to the EU’s General Data Protection Regulation, the CSL’s Data Localization Requirement applies stringent standards to where data may be stored. The Data Localization Requirement requires all Network Operators to store personal and important data in China. When a Network Operator needs to transfer such data overseas, it must demonstrate the necessity of data export, and conduct a self-security assessment or submit to an official security assessment when a threshold test is met.
The 2018 Personal Information Security Specification Requires Particular Attention
The PI Specification is one of the most important national standards concerning protection of personal information in China and will become effective on May 1, 2018. The PI Specification sets forth the best practices to implement the CSL. The key updates are:
• Personal information: Under the CSL, “personal information” relates to information which can be used independently, or combined with other information, to identify a natural person. The PI Specification expands the definition of personal information further to include information that will reflect the activities of an identified natural person (e.g., tracking location information and communications content). Under the PI Specification, “personal information” now includes additional information reflecting a person’s activities such as geolocation data and browsing history.
• Sensitive Information: “Sensitive information” is more narrowly defined subset of personal information which includes information that, if leaked, illegally provided, or used without authorization, will endanger human rights and property interests, or cause damage to one’s reputation, physical and mental health, or lead to discriminatory treatment. Examples are a person’s precise location, biometric information, and personal information of minors under 14 years old.
• Explicit Consent Requirement: Due to its broad language, the CSL was ambiguous about whether consent for collection of information must be explicit. The PI Specification dictates that sensitive personal information requires clear and explicit consent. The PI Specification also indicates that requests to collect information must be given in an intelligible and easily accessible form. Activity that exceeds the scope of consent for the original collection and use of personal information must also be affirmatively consented to by the data subjects.
• Right to Access, Rectification and Erasure: Personal information subjects shall have the right to access, rectify, delete, and withdraw consent with regard to their personal information controlled by a personal data controller (referred to “data administrator” in the CSL). All such requests must be responded to within 30 days. Upon the request of a personal information subject, the personal information controller is required to provide the personal information subject with a copy of following personal information or, at the request of the personal information subject, transmit such copy to a third party provided it is technically feasible: personal basic information and personal identity information, personal health and physiological information and personal education information.
• Security Assessment: Security impact assessments are required for providing personal information collected and produced in China to offshore parties, and such assessment shall be conducted in accordance with the measures and methods formulated in the CSL.
• In addition to the above, the PI Specification also sets out other important provisions relating to data breach notification, data retention and storage, data transfer to third parties, and data governance.
Double Check Whether Your Business is in Compliance with the New Rules
Given the detailed provisions under the PI Specification and the significance of the new standards in the context of the CSL, particular attention should be given to compliance with both the CSL and PI Specification. Although PI Specification entails “recommended” standards for now, it could become mandatory if it is referred to in other laws and regulations, mandatory national standards, or binding contracts. Many experts expect that compliance with the new standards will be instrumental for businesses in China to demonstrate compliance with the data protection requirements under the CSL. Whether you maintain a business or hiring your staff in China, you should consult with your legal counsel about the new PI Specification and take actions to comply with the new requirements.
1. Courtney M. Bowman. “A Primer on China’s New Cybersecurity Law.”
2. ReedSmith. “China issues new personal information protection standard.”
3. Xiaoyan Zhang. “Cross-Border Data Transfers.”
4. ZacharyS. Brez. “Challenges and Advice for Multinational Companies in Complying with Chinese Cybersecurity Law.”
5. Jeffrey L. Poston. “Summary of the PRC Cybersecurity Law.”
6. Michelle Chen. “China Cybersecurity Law Update.”
Disclaimer: This blog and website are public sources of general information concerning our firm and its lawyers, as well as the information presented. They are intended, but not promised or guaranteed, to be correct, complete, and up-to-date as of the date posted. This blog and website are not intended to be, and are not, sources of legal opinion or advice. The materials, information, and communications on this blog and website do not apply to any particular person, entity, or situation, and do not apply to you or to your specific situation. You will need to consult with an attorney and/or other appropriate professional about your specific situation. Thank you.