On April 19, 2019, China’s Ministry of Public Security (“MPS”) released the final version of its Guideline for Internet Personal Information Security Protection (互联网个人信息安全保护指南) (the “Guideline”).  A previous version of the Guideline was released for public comments on November 30, 2018.

Under China’s Cybersecurity Law (the “CSL”), MPS is the key regulator tasked with protecting cybersecurity and combating cybercrime.  Following the issuance of the draft Regulations on Cybersecurity Multi-level Protection Scheme (the “Draft MLPS Regulation”, discussed in our previous post available here) and the Regulation on the Internet Security Supervision and Inspection by Public Security Agencies (also discussed in a previous post, available here) last year, the release of this new Guideline represents the latest efforts made by MPS to implement the CSL.

The stated goal of the Guideline is to “protect cybersecurity and individuals’ legitimate interests” and to “effectively prevent cybercrime involving personal information.”  Although not issued as a legally binding administrative regulation, this Guideline sets out the best practices recommended by MPS and will likely serve as an important reference for cybersecurity inspections that will be carried out by the agency and its local counterparts (i.e., local public security bureaus, “PSBs”).

To a large extent, this Guideline overlaps with China’s national standard on personal information protection, GB/T 35273-2017 Information Security Technology – Personal Information Security Specification (the “Standard”), which took effect on May 1, 2018.  The Guideline referred to the Standard as its “indispensable” reference, although at this stage, it is unclear how this Guideline will interact with other existing regulations and national standards.  Furthermore, this new Guideline provides more prescriptive requirements relating to a company’s cybersecurity infrastructure, both in terms of organizational support and technical measures to be implemented.

This post summarizes key requirements of the Guideline.

Scope of application

The Guideline aims to protect personal information collected by “personal information holder[s],” a term defined as entities or individuals who “control and process personal information” during the information life cycle.  The Guideline does not distinguish personal information controller and processor and thus will apply to both types of entities.

The Guideline also specifies that it is designed to give guidance to companies providing services via the Internet, as well as organizations or individuals who control and process personal information using private networks (专网) or other types of offline environments.

Classification, Internal Organization and Technical Measures

The Guideline generally follows the framework established under the Multi-level Protection Scheme, which classifies an information system physically located in China according to its relative impact on national security, social order, and economic interests if the system is damaged or attacked.  The classification levels range from one to five, one being the least critical and five being the most critical.  To classify an information system, an operator first conducts a self-assessment and then proposes a classification level on this basis to the MPS, which has the discretion to confirm or reject the classification proposed by the operator. Information systems that are classified at level 3 or above are subject to enhanced security requirements.

The Guideline requires personal information holders to implement a wide range of internal policies and processes to protect personal information.  These include putting in place organizational controls, including a dedicated group to oversee this process and publish, review and audit these internal policies periodically.  It also requires imposing personnel security measures in terms of hiring, screening, and training employees.  In addition, the Guideline specifies access control requirements for internal and external personnel, including identity verification, record retention protocols, and so forth.

Personal information holders are also required to adopt technical controls to protect their network infrastructure – such as network segregation, identification and authentication controls, redundancy measures for important network equipment, data backup and recovery measures, security audits, systems and communication security, and computing environmental controls.  In particular, the Guideline requires encryption protection for the migration process of cloud computing virtual machines, as well as data collection and transmission via “Internet of Things” devices.

Protection Throughout the Life Cycle of Personal Information

The Guideline sets out detailed requirements on how personal information holders should protect personal information throughout the information life cycle, covering the collection, retention, use, deletion, third-party processing, sharing, transfer and disclosure of personal information.

Consistent with the Standard, the Guideline requires personal information holders to obtain consent before sharing or transferring personal information to third parties – and even to obtain explicit consent before public disclosure of such information.  However, both the Standard and the Guideline provide several exceptions to this requirement. Under the Guideline, consent and/or explicit consent may not be required if the sharing, transfer or public disclosure is directly related to:

  • national security and/or national defense;
  • public safety, public health or issues of major public interest; or,
  • criminal investigation, prosecution, and enforcement.

Additionally, the Guideline prohibits personal information holders from the large-scale collection or processing of sensitive personal data relating to race, ethnic origin, political opinion or religious belief.  Personal information holders are also prohibited from publicly disclosing the following types of personal information:

  • biometric data;
  • genetic and health data; and,
  • analysis generated from data relating to race, ethnic origin, political opinion or religious belief of Chinese citizens.

The Guideline also provides some other requirements that are similar to the Standard, such as data subjects’ right to access, correct and/or delete their data.

Data Storage and Cross-border Transfer of Personal Information

According to the Guideline, personal information generated and collected by personal information holders in China must be stored within China and adhere to specific rules if the cross-border transfer of data is necessary.  Under the CSL, only operators of Critical Information Infrastructure (“CII”) are subject to this data localization requirement. It is uncertain whether the Guideline intends to expand the scope of this requirement to all controllers and processors.  Also, for personal information stored on cloud platforms, the Guideline specifically requires that such information only be stored within China – otherwise, if cross-border data transfers are needed, specific rules should apply.  The Guideline has not yet explained what these “specific rules” entail for cross-border data transfers.

Breach Notification

In line with the Standard, the Guideline requires personal information holders to maintain an incident response plan, undertake regular training and emergency drills, and to notify regulators and affected data subjects of security incidents. Unlike the Standard, the Guideline specifically states that PSBs shall be notified after an incident occurs. The Guideline does not mention a specific timeframe for the notification, only that it must be “timely.”  Personal information holders are expected to assist PSBs with investigation and related evidence collection following a breach, as well as to mitigate identified risks.

Yan Luo

With over 10 years of experience in global technology regulations, Yan Luo specializes in the intersection of law and technology, focusing on regulatory compliance and risk mitigation for technology-driven business models. Her key strengths include data protection, cybersecurity, and international trade, with a particular emphasis on adapting to regulatory changes and ensuring compliance to support technology sector business strategies.

In recent years, Yan has guided leading multinational companies in sectors such as cloud computing, consumer brands, and financial services through the rapidly evolving cybersecurity and data privacy regulations in major Asian jurisdictions, including China. She has addressed challenges such as compliance with data localization mandates and regulatory audits. Yan’s work includes advising on high-stakes compliance issues like data localization and cross-border data transfers, navigating cybersecurity inspections for multinational companies, and providing data protection insights for strategic transactions. Additionally, Yan has counseled leading Chinese technology companies on global data governance and compliance challenges across major jurisdictions, including the EU and the US, focusing on specific regulations like GDPR and CCPA.

More recently, Yan has supported leading technology companies on geopolitical risk assessments, particularly concerning how geopolitical shifts impact sectors at the cutting edge, such as artificial intelligence and semiconductor technologies.

Yan was named to Global Data Review’s “40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Nicholas Shepherd

Nick Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the EU/UK General Data Protection Regulation (GDPR), ePrivacy Directive and its national implementing laws, EU/UK direct marketing laws, emerging state privacy laws in the United States, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border data transfers, data breach response, artificial intelligence, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements on transparency, consent, lawful processing, data sharing, and related issues.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick now leverages his multi-faceted legal background and international experience from the U.S. to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.