Companies operating in China[1] have been desperate for clarification since the promulgation of the important but ambiguous PRC Cybersecurity Law in 2017, which introduced China’s first national-level legal framework on personal information and data protection. Some of that clarification arrived in 2019 in the form of new regulations, though with several new and onerous requirements. Stepped-up enforcement in 2019 also provided some clarity, focusing on the illegal collection and sale of personal information, but with more limited penalties than can be seen under, e.g., the GDPR. Heavier penalties may be coming, however.
Introduction
Starting in 2017, the groundbreaking PRC Cybersecurity Law (“CSL”) established the first general framework for personal information (“PI”) and data protection and security in China, but many details were lacking, and companies operating in China struggled to comply, particularly when it came to cross-border data transfers, commercialization of data, and alternate data channels such as apps and third-party sources. The whole regime is still not set in stone, but 2019 and early 2020 have seen the issuance of many new and detailed implementing rules and standards, which are putting companies in a much better position to anticipate what their PI and data management practices in China will have to look like over the next several years.
Developments in 2019 and 1Q 2020 can be divided into final rules and draft rules:
Final Rules:
Key PRC PI and data management rules and standards now effective as of Q1 2020 include:
1. Information Security Technology — Personal Information Security Specification (“PI Specification”)[2].
The PI Specification is, by nature, a “recommended” national standard for information security and PI best practices. However, it is widely used by the authorities as a benchmark for compliance during enforcement actions.
The original PI Specification covered issues such as consent requirements, standards for PI collection, storage, and transfer, rights of PI subjects, PI security, and security incident reporting. The 2020 amendment adds “recommendations” on the use of user profiling, personalized display, automated decision making, collection, storage and sharing of personal biometric information, PI aggregation and integration, restrictions on forced-bundle consent for multi-business functions, and the management of third-party interference.
2. Information Security Technology — Guide for De-identifying Personal Information (“De-identifying Guide”)[3].
This national standard provides detailed guidance on how to carry out PI de-identification, one of the key obligations a PI controller must fulfill under the PI Specification: after collecting PI, PI controllers shall immediately replace the identifiers in the PI and take technical and management measures to store the processed PI separately from any information that could be used to recover the identity of individuals, ensuring that individual identities are not recovered during later processing. Key points include:
The de-identifying process shall proceed as follows: (1) establish the targets, purposes and plan of the de-identification; (2) distinguish the identifiers; (3) process the identifiers in three steps, i.e., pre-processing, choice of de-identification models, and the de-identification itself; and (4) verify, at senior management level, that the de-identified PI meets the PI security protection requirements and remains applicable and useful. In parallel, supervision and review mechanisms should be deployed for the whole process.
Technologies for de-identification include, but are not limited to, statistical techniques (e.g., data sampling and aggregation), cryptography (subject to applicable PRC laws), pseudonymization, randomization, and data synthesis.
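As an added illustration (not from the De-identifying Guide or this article), the following Python sketch shows the pseudonymization step and the step (4) verification described above: direct identifiers are replaced with keyed tokens, the key and the token-to-identifier mapping are returned separately so they can be stored apart from the data set, and a check confirms that no original identifier survives while per-subject aggregation still works. The field names and the records are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictitious numbers, not real subjects); "phone"
# is the direct identifier, the other fields are what later processing needs.
RECORDS = [
    {"phone": "13800000001", "city": "Shanghai", "amount": 120},
    {"phone": "13800000002", "city": "Beijing", "amount": 80},
    {"phone": "13800000001", "city": "Shanghai", "amount": 45},
]
IDENTIFIER_FIELDS = ("phone",)


def pseudonymize(records, key, identifier_fields=IDENTIFIER_FIELDS):
    """Replace each direct identifier with a keyed pseudonym (HMAC-SHA256).
    Returns (deidentified_rows, mapping): only the key and the mapping can link
    a token back to a person, so both are stored apart from the rows."""
    deidentified, mapping = [], {}
    for row in records:
        new_row = dict(row)
        for field in identifier_fields:
            token = hmac.new(key, row[field].encode(), hashlib.sha256).hexdigest()[:16]
            mapping[token] = row[field]
            new_row[field] = token
        deidentified.append(new_row)
    return deidentified, mapping


def verify(original, deidentified, identifier_fields=IDENTIFIER_FIELDS):
    """Step (4) of the Guide's process: no_leak means no original identifier
    survives anywhere in the output; consistent means one subject <-> one
    token, so per-subject aggregation still gives the same answer."""
    originals = {row[f] for row in original for f in identifier_fields}
    no_leak = not any(str(v) in originals for row in deidentified for v in row.values())
    fwd, back = {}, {}
    consistent = len(original) == len(deidentified)
    for orig_row, new_row in zip(original, deidentified):
        for f in identifier_fields:
            o, t = orig_row[f], new_row[f]
            consistent &= fwd.setdefault(o, t) == t and back.setdefault(t, o) == o
    return {"no_leak": no_leak, "consistent": consistent}


def totals_per_subject(deidentified, field="phone"):
    """Later processing that needs only the pseudonym, never the real identifier."""
    totals = Counter()
    for row in deidentified:
        totals[row[field]] += row["amount"]
    return totals
```

In practice the key is a randomly generated secret held by the party allowed to re-identify; a fixed key is used in the check below only to make the result reproducible.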
3. Methods for Identifying Unlawful Acts of Applications (Apps) to Collect and Use Personal Information (“Identifying Methods”)[4].
The Identifying Methods provide specific guidance on what kinds of activities would be recognized as violations of the various laws and standards on data and PI management, including: failure to publicize rules for PI collection and use; failure to expressly state the purpose, manner and scope of PI collection and use; PI collection and use without consent; PI collection that is irrelevant to the services provided, in violation of the overriding “necessity” principle for PI collection; PI sharing or transfer without consent; and failure to provide an option for deleting or correcting PI as required by law, or to provide a channel for receiving complaints and reports.
At a high level, the Identifying Methods reflect the current enforcement focus, i.e., non-compliant or illegal PI collection and use, which is prevalent in the market and a major source of consumer complaints and mistrust. Given this priority, it is expected that even more guidance on these issues will be issued in the future, including more details on enforcement procedures.
4. Personal Financial Information Protection Technical Specification (“PFI Specification”)[5].
The PFI Specification provides specific rules for the management of personal financial information (“PFI”), which is defined as PI collected, processed and stored by “FIIs” (financial industry institutions, covering both financial institutions and institutions providing PFI processing services) when providing financial products and services, or obtained from other channels. Along with the newly released update of the Implementing Measures for the Protection of Financial Consumer Rights and Interests (Draft for Comments) (“Draft PFI Measures”), these specifications indicate the extent to which the People’s Bank of China (“PBOC”) is taking a targeted, industry-specific approach to PI within its jurisdiction. These rules largely align with the PI Specification, e.g., on sensitive payment information, explicit consent, anonymization and de-identification, but add new industry-specific parameters, such as on payment tokens, tracking data, card verification numbers and one-time passwords. There are also specifications on the scope and classification of PFI, and requirements for the different phases of the PFI life cycle.
5. Others
Other key regulations underscore the ongoing effort to tighten regulation of PI and data protection, including the Provisions on the Cyber Protection of Personal Information of Children[6], which address issues specific to children, and the Measures for the Information Technology Management of Securities and Funds Operators[7], which establish a detailed framework for information technology compliance, risk management, security, data governance, contingency plans and vendor issues in the securities and fund sector.
Draft Rules:
Key draft rules on PI and data management issued as of Q1 2020 include:
1. Draft Measures for the Security Assessment of Cross-border Transfers of Personal Information (“Draft PI Cross-border Transfer Measures”)[8]
The Draft PI Cross-border Transfer Measures replace the Security Assessment of Cross-border Transfer of Personal Information and Important Data released by the Cyberspace Administration of China (“CAC”) for public comment on April 11, 2017. The Draft PI Cross-border Transfer Measures are part of an intensifying regime of increasing limitations on cross-border PI and data transfers out of the PRC. If enacted as proposed, these measures would materially impact cross-border transfers of Chinese users’ PI, and would result in a de facto local storage requirement for many categories of PI. This is particularly the case as this draft expands the targeted entities from just “critical information infrastructure operators”, a fairly narrow category of companies, to all “network operators”, which covers nearly every company that manages any data or information online.
However, many details remain unclear, especially in respect of: (i) specific requirements for the security assessments that would theoretically be required for many types of cross-border PI transfers, and (ii) the requirement that overseas entities that collect personal information on Chinese users fulfill the same PRC law obligations as domestic companies, through their legal representative or entities in China.
2. Draft Administrative Measures for Data Security (“Draft Data Security Measures”)[9]
The Draft Data Security Measures elaborate on the concept of “important data”, which was originally introduced in the CSL and was initially defined in the Guidelines for Data Cross-Border Transfer Security Assessment (“Draft Data Guidelines”).[10] In addition to requirements similar to the PI collection, usage, storage and other restrictions in other PRC laws,[11] the Draft Data Security Measures would impose additional requirements and obligations with respect to “important data” and/or “sensitive PI”, including CAC filing requirements, a Data Protection Officer (DPO) requirement,[12] cross-border transfer restrictions, etc.
3. Others
Draft Information Security Technology — Guidelines for Personal Information Notices and Consent (“PI Notice and Consent Guidelines”).[13] The PI Notice and Consent Guidelines would establish detailed rules for PI controllers when delivering notice and securing consent, including applicable and exempted scenarios, specific consent and methods for notice, consent models and designs, change and withdrawal of consent, etc. The Guidelines’ exhibits provide examples of key scenarios (e.g., Fintech, e-Commerce, SDK, IoT, protection of minors).
Draft Information Security Technology — Basic Specifications for Collecting Personal Information by Mobile Internet Applications (“Mobile Apps Basic Specification”).[14] The Mobile Apps Basic Specification would provide basic rules for PI collection via mobile apps, and maps out requirements with respect to the “minimum and necessary” principle for thirty (30) subsectors, including Internet news, e-Commerce, app stores, network payment, Fintech, etc.
The PBOC circulated draft Trial Measures on the Protection of Personal Financial Information & Data among banks on September 10, 2019, and released the Draft PFI Measures for public comment on December 27, 2019.[15] Both intend to further reinforce the regulation of PFI and provide more practical guidance.
[1] For the purpose of this article, excluding the Hong Kong and Macao Special Administrative Regions and Taiwan.
[2] Promulgated by the General Administration of Quality Supervision, Inspection and Quarantine (“AQSIQ”), now merged into the State Administration for Market Regulation (“SAMR”), and the Standardization Administration of China (“SAC”) on December 29, 2017; amended on March 6, 2020, effective as of October 1, 2020.
[3] Promulgated by SAMR and SAC on August 30, 2019, effective as of March 1, 2020.
[4] Promulgated by the Cyberspace Administration of China (“CAC”), the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security (“MPS”) and SAMR on November 28, 2019, effective as of the same date.
[5] Promulgated by the People’s Bank of China (“PBOC”) on February 13, 2020, effective as of the same date.
[6] Promulgated by CAC on August 22, 2019.
[7] Promulgated by the China Securities Regulatory Commission on December 19, 2018, effective as of June 1, 2019.
[8] Released by CAC on June 13, 2019.
[9] Released by CAC on May 28, 2019.
[10] Released by AQSIQ and SAC for public comment on August 25, 2017.
[11] The CSL, the PI Specification and other applicable laws and regulations lay out similar requirements on the protection of PI and data.
[12] Article 17, Draft Data Security Measures.
[13] Released by SAMR and SAC on January 12, 2020.
[14] Released by SAMR and SAC on January 15, 2020.
[15] The Implementing Measures for Safeguarding Financial Consumers' Rights and Interests were first released by PBOC on December 27, 2016.