On April 19, 2019, China’s Ministry of Public Security (“MPS”) released the final version of its Guideline for Internet Personal Information Security Protection (互联网个人信息安全保护指南) (the “Guideline”). A previous version of the Guideline was released for public comments on November 30, 2018.
Under China’s Cybersecurity Law (the “CSL”), MPS is the key regulator tasked with protecting cybersecurity and combating cybercrime. Following the issuance of the draft Regulations on Cybersecurity Multi-level Protection Scheme (the “Draft MLPS Regulation”, discussed in our previous post available here) and the Regulation on the Internet Security Supervision and Inspection by Public Security Agencies (also discussed in a previous post, available here) last year, the release of this new Guideline represents the latest efforts made by MPS to implement the CSL.
The stated goal of the Guideline is to “protect cybersecurity and individuals’ legitimate interests” and to “effectively prevent cybercrime involving personal information.” Although not issued as a legally binding administrative regulation, this Guideline sets out the best practices recommended by MPS and will likely serve as an important reference for cybersecurity inspections that will be carried out by the agency and its local counterparts (i.e., local public security bureaus, “PSBs”).
To a large extent, this Guideline overlaps with China’s national standard on personal information protection, GB/T 35273-2017 Information Security Technology – Personal Information Security Specification (the “Standard”), which took effect on May 1, 2018. The Guideline referred to the Standard as its “indispensable” reference, although at this stage, it is unclear how this Guideline will interact with other existing regulations and national standards. Furthermore, this new Guideline provides more prescriptive requirements relating to a company’s cybersecurity infrastructure, both in terms of organizational support and technical measures to be implemented.
This post summarizes key requirements of the Guideline.
Scope of application
The Guideline aims to protect personal information collected by “personal information holder[s],” a term defined as entities or individuals who “control and process personal information” during the information life cycle. The Guideline does not distinguish personal information controller and processor and thus will apply to both types of entities.
The Guideline also specifies that it is designed to give guidance to companies providing services via the Internet, as well as organizations or individuals who control and process personal information using private networks (专网) or other types of offline environments.
Classification, Internal Organization and Technical Measures
The Guideline generally follows the framework established under the Multi-level Protection Scheme, which classifies an information system physically located in China according to its relative impact on national security, social order, and economic interests if the system is damaged or attacked. The classification levels range from one to five, one being the least critical and five being the most critical. To classify an information system, an operator first conducts a self-assessment and then proposes a classification level on this basis to the MPS, which has the discretion to confirm or reject the classification proposed by the operator. Information systems that are classified at level 3 or above are subject to enhanced security requirements.
The Guideline requires personal information holders to implement a wide range of internal policies and processes to protect personal information. These include putting in place organizational controls, including a dedicated group to oversee this process and publish, review and audit these internal policies periodically. It also requires imposing personnel security measures in terms of hiring, screening, and training employees. In addition, the Guideline specifies access control requirements for internal and external personnel, including identity verification, record retention protocols, and so forth.
Personal information holders are also required to adopt technical controls to protect their network infrastructure – such as network segregation, identification and authentication controls, redundancy measures for important network equipment, data backup and recovery measures, security audits, systems and communication security, and computing environmental controls. In particular, the Guideline requires encryption protection for the migration process of cloud computing virtual machines, as well as data collection and transmission via “Internet of Things” devices.
Protection Throughout the Life Cycle of Personal Information
The Guideline sets out detailed requirements on how personal information holders should protect personal information throughout the information life cycle, covering the collection, retention, use, deletion, third-party processing, sharing, transfer and disclosure of personal information.
Consistent with the Standard, the Guideline requires personal information holders to obtain consent before sharing or transferring personal information to third parties – and even to obtain explicit consent before public disclosure of such information. However, both of the Standard and Guideline provide several exceptions to this requirement. Under the Guideline, consent and/or explicit consent may not be required if the sharing, transfer or public disclosure is directly related to:
- national security and/or national defense;
- public safety, public health or issues of major public interest; or,
- criminal investigation, prosecution, and enforcement.
Additionally, the Guideline prohibits personal information holders from the large-scale collection or processing of sensitive personal data relating to race, ethnic origin, political opinion or religious belief. Personal information holders are also prohibited from publically disclosing the following types of personal information:
- biometric data;
- genetic and health data; and,
- analysis generated from data relating to race, ethnic origin, political opinion or religious belief of Chinese citizens.
The Guideline also provides some other requirements that are similar to the Standard, such as data subjects’ right to access, correct and/or delete their data.
Data Storage and Cross-border Transfer of Personal Information
According to the Guideline, personal information generated and collected by personal information holders in China must be stored within China and adhere to specific rules if the cross-border transfer of data is necessary. Under the CSL, only operators of Critical Information Infrastructure (“CII”) are subject to this data localization requirement. It is uncertain whether the Guideline intends to expand the scope of this requirement to all controllers and processors. Also, for personal information stored on cloud platforms, the Guideline specifically requires that such information only be stored within China – otherwise, if cross-border data transfers are needed, specific rules should apply. The Guideline has not yet explained what these “specific rules” entail for cross-border data transfers.
In line with the Standard, the Guideline requires personal information holders to maintain an incident response plan, undertake regular training and emergency drills, and to notify regulators and affected data subjects of security incidents. Unlike the Standard, the Guideline specifically states that PSBs shall be notified after an incident occurs. The Guideline does not mention a specific timeframe for the notification, only that it must be “timely.” Personal information holders are expected to assist PSBs with investigation and related evidence collection following a breach, as well as to mitigate identified risks.