On Aug. 20, 2021, the Standing Committee of China’s National People’s Congress promulgated China’s Personal Information Protection Law, which will take effect Nov. 1, 2021. Serving as China’s first comprehensive law in the personal information protection area and based on China’s Constitution, the PIPL aims to “protect the rights and interests of individuals,” “regulate personal information processing activities,” and “facilitate reasonable use of personal information” (Article 1).
Continue Reading Analyzing China’s PIPL and How It Compares to the EU’s GDPR

On July 2 and July 5, 2021, China’s Cybersecurity Review Office (“CRO”), an office established under the Cyberspace Administration of China (“CAC”) responsible for coordinating the implementation of China’s Cybersecurity Review framework (more details about this framework can be found in our previous blogpost, available here), announced that it had initiated cybersecurity reviews against four mobile applications operated by three Chinese companies:  Didi Chuxing (“Didi”), Yunmanman, Huochebang and BOSS Zhipin (announcements are available here and here).

According to CRO’s announcements, these cybersecurity reviews were initiated based on requirements under the National Security Law (“NSL”), the Cybersecurity Law (“CSL”) and the Measures on Cybersecurity Review (“Measures”) and are aimed at “preventing national data security risks, maintaining national security and safeguarding public interests.”  This is the first time that CRO publically announced the initiation of cybersecurity reviews against companies after the Measures took effect on June 1, 2020.  Per the announcements, these apps are prohibited from registering new user accounts during the review period.

Separately, on July 4, CAC ordered the Didi app to be removed from Chinese app stores on the ground that the app seriously violated Chinese laws and regulations by “illegally collecting and using personal information” (the announcement is available here).  It is unclear whether this “take down” order is related to CRO’s ongoing cybersecurity review of Didi.

This post explains the requirements and procedures of cybersecurity review under the Measures, analyzes the focus of the current review against these three companies, and provides more background on recent enforcement actions against apps illegally collecting and processing personal information.
Continue Reading China Initiates Cybersecurity Review of Didi ChuXing and Three Other Chinese Mobile Applications

On June 10, 2021, the Standing Committee of China’s National People’s Congress (“NPC”) enacted the Data Security Law (“DSL”), which will take effect on September 1, 2021 (the official Chinese version is available here and Covington’s unofficial English translation is available here). This law creates a framework for the protection of broadly defined “data security” from a national security perspective.
Continue Reading China Enacts Data Security Law

On Episode 14 of Covington’s Inside Privacy Audiocast, Dan Cooper and Yan Luo discuss recent privacy developments in China, in particular as they relate to China’s draft Data Security Law.

Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.

In Part 1 of this blog series (see here), we discussed recent data protection developments in China’s e-commerce sector.  In this post, we discuss recently issued rules aimed at improving data governance in China’s financial sector that could also have data protection implications.  These rules can be categorized as falling into two groups: the first group focuses on general data governance requirements applicable to all financial institutions, and the second group regulates specific types of financial services.

These new rules were published by the China Banking and Insurance Regulatory Commission (“CBIRC”) and People’s Bank of China (“PBOC”) during the first quarter of 2021, and include:

  • Guidelines for Data Capacity-Building in the Financial Industry (“Guidelines”) (official Chinese version available here);
  • Financial Data Security – Data Life Cycle Security Standard (“Standard”) (official Chinese version available here); and
  • Draft Credit Reporting Management Measures (“Draft Measures”) (official Chinese version available here).

Both the Guidelines and Standard provide detailed criteria for financial institutions on the proper collection, use and protection of “financial data,” while the Draft Measures introduce data-related requirements for licensed credit reporting agencies.  All of these new rules include data security requirements for both personal and non-personal data.


Continue Reading Privacy Updates from China: Proliferation of Sector-Specific Rules As Key Legislation Remains Pending – Part 2: Data Protection in the Financial Sector

When China’s legislature, the National People’s Congress (“NPC”), enacted the Cybersecurity Law (“CSL”) in 2017, it set into motion a new era of data governance in China.  Three years later, in 2020, the NPC followed up this landmark act with two other legislative milestones in this space: the draft Data Security Law (“DSL”) (see our blogpost here) and draft Personal Information Protection Law (“PIPL”) (see our client alert here).  Both the PIPL and DSL will be finalized this year.  Taken as a whole, these three laws form an over-arching framework that will govern data protection and cybersecurity in China for years to come.

While the DSL and PIPL have remained in draft form over the past year, the Chinese government has not stood idly by – instead, various Chinese regulators have continued to introduce data- and cyber-related rules in  key sectors.  Many of these sectoral rules do not appear to be primarily focused on data protection or cybersecurity, yet they may indirectly impact the collection, use and processing of personal information in specific sectors.  The rollout of these new rules has not been fully coordinated, and the approaches taken in some cases deviate from the over-arching framework mentioned above.  We expect this divergence to remain, even after the finalization of the PIPL and DSL.  Consequently, China’s data and cyber regime will likely present a complex web of regulatory rules for organizations to navigate – both now and in the years ahead.

In this blog series, we examine several recently-introduced data and cyber rules in the areas of e-commerce, finance, healthcare, and artificial intelligence – all of which are rapidly expanding sectors in China where the collection and use of massive amounts of personal information have given rise to a variety of regulatory concerns.  We will also explain, in the last blogpost of this series, China’s recent push to regulate how mobile applications can collect and process user data.

In our first blogpost of this series, we focus on recent developments in China’s e-commerce sector.


Continue Reading Privacy Updates from China: Proliferation of Sector-Specific Rules As Key Legislation Remains Pending – Part 1: Data Protection in the E-Commerce Sector

On the ninth episode of our Inside Privacy Audiocast, we peer through the looking glass at China’s approach to data protection and the latest developments in its emerging data protection and cybersecurity regime. Dan Cooper, Yan Luo and Zhijing Yu discuss the variety of legal instruments in China’s quickly-evolving data protection and cybersecurity regulatory

On July 2, 2020, the Standing Committee of the National People’s Congress of China (“NPC”) released the draft Data Security Law (“Draft Law”) for public comment.  The release of the Draft Law marks a step forward in establishing a regulatory framework for the protection of broadly defined “data security” in China, with a particular focus on the governance of “important data,” defined as “data that, if leaked, may directly affect China’s national security, economic security, social stability, or public health and security.”  Many provisions of the Draft Law remain vague and lack guidance on how they might be implemented in practice.

Continue Reading China Issued the Draft Data Security Law

On May 11, 2020, the State Cryptography Administration (“SCA”) and the State Administration for Market Regulation jointly issued the Commercial Encryption Product Certification Catalogue (First Batch) (“Product Catalogue”) and the Commercial Encryption Product Certification Measures (“Certification Measures”) (the announcement is available here), taking effect immediately.

Prior to the adoption of the Encryption Law (see our post on the Encryption Law here), manufacturers of commercial encryption products were required to apply to the SCA for the “Commercial Encryption Products Type and Model Certificate.”  The Encryption Law removed this approval requirement by establishing a voluntary certification scheme, which encourages manufacturers to voluntarily apply to qualified agencies for the testing and certification of their commercial encryption products.  The release of the Product Catalogue and the Certification Measures marks a critical step forward in implementing such a voluntary certification scheme under the Encryption Law.
Continue Reading China Issued the Commercial Encryption Product Certification Catalogue and Certification

In December 2019, the People’s Bank of China (“PBOC”) issued the draft Measures for the Protection of Financial Consumers’ Rights and Interests for public comment (“draft Financial Consumer Measures”) (an official Chinese version is available here).  Although the draft Financial Consumer Measures focus more broadly on consumer rights in the financial sectors, they imposes upon financial institutions privacy and cybersecurity obligations that—in certain instances—extend beyond the requirements stipulated in China’s Cybersecurity Law (“CSL”).

Following up on the draft Financial Consumer Measures, PBOC issued the Personal Financial Information Protection Technical Specification (“Financial Information Specification”) on February 13, 2020 setting forth additional privacy and cybersecurity requirements applicable to the life cycle of personal financial information collected and processed by regulated financial entities and other entities that process personal financial information (“Financial Industry Entities”). While the Financial Information Specification follows the general personal information protection principles under the Cybersecurity Law (“CSL”) framework, some specific requirements are worth highlighting, as explained below.
Continue Reading China Releases Personal Financial Information Protection Technical Specification