China

When China’s new Cybersecurity Law takes effect on June 1, 2017, China will become another important jurisdiction to watch in the international data transfer space.

Before the new Cybersecurity Law was officially promulgated on November 7, 2016, the cross-border transfer of data from China was largely unregulated by the government.  While many Chinese laws and regulations governed the collection, use and storage (including localization) of data, no binding laws or regulations contained generally applicable legal requirements or constraints on the transfer of data across Chinese borders.
Continue Reading Cross-Border Data Transfer: A China Perspective

In our previous post, we discussed seven draft cybersecurity and data protection national standards released by China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), on December 21, 2016.

“Information Security Technology – Personal Information Security Specification” (“the Standard”) is the most significant standard being proposed.  Although not legally binding and lacking the force of law, such a national standard, drafted by CAC, is likely to serve as a reference point for CAC and other regulators to judge corporate data protection practices in China.  It may also reflect the direction in which China’s data protection regime is evolving.

In this post, we discuss the background of this draft Standard, its structure, and the general principles it proposes.  In a follow-up post, we will discuss key requirements for data controllers and data processors, as well as rights and protections for data subjects.
Continue Reading China’s New Draft National Standards on Personal Information Protection

By Tim Stratford and Yan Luo

China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), released seven draft national standards related to cybersecurity and data privacy for public comment on December 21, 2016.  The public comment period runs until February 2, 2017.

These new draft standards are:

  • Information Security Technology – Personal Information Security Specification
  • Information Security Technology – Implementation Guide for Cybersecurity Classified Protection
  • Information Security Technology – Security Capability Requirements for Big Data Services
  • Information Security Technology – Guide for Security Risk Assessment of Industrial Control Systems
  • Information Security Technology – Security Technique Requirements and Test Evaluation Approaches for Industrial Control Network Monitoring
  • Information Security Technology – Technique Requirements and Testing and Evaluation Approaches for Industrial Control System Vulnerability Detection
  • Information Security Technology – Testing and Evaluation Methods for the Security of Hardcopy Devices

Continue Reading China Seeks Comment on Seven Draft Cybersecurity and Data Privacy National Standards

By Ashwin Kaja* and Yan Luo

Close on the heels of a sweeping new National Security Law, the Standing Committee of the National People’s Congress released last month for public comment a very significant draft Network Security Law (“Draft Law”), also referred to as the draft Cybersecurity Law.

Since it came into power in 2012, China’s current leadership has attached an unprecedented level of attention to network security, which it sees as a core aspect of national security. Marking the establishment of a new Central Leading Group for Cyberspace Affairs in 2014 that he himself would lead, President Xi Jinping declared that “network security and informatization are key strategic issues related to national security and development,” and that “national security no longer exists without network security.” President Xi went on, in those remarks, to call for the development of a legal infrastructure for the administration of cyberspace, with particular emphasis on the protection of “critical information infrastructure” (see further discussion below). The resolution of the Fourth Plenum of the Central Committee of the Chinese Communist Party in October 2014 echoed this theme.

The focus on network security appears to stem from the explosive development and extensive usage of network and information technologies, made more pressing by Edward Snowden’s disclosures in 2013 regarding activities of the US National Security Agency (NSA). Since the Snowden leaks, it has been repeatedly reported that the Chinese government is working actively to wean government networks and financial systems off of IT products and services from foreign companies. The Draft Law is the government’s latest effort to consolidate existing security-related requirements and grant government agencies more security-related powers. On its face, the Draft Law does not discriminate against foreign products and services. However, designed to “safeguard cyberspace sovereignty and national security,” it could be implemented to become an additional hurdle for foreign companies seeking to access China’s vast market if and when it comes into effect.
Continue Reading China Issues Draft Network Security Law

Just two days after disclosing publicly that it was “the target of a very sophisticated external cyber attack” in which the personal information of over 80 million customers was compromised, officials of Anthem Inc., the nation’s second largest health insurance company, are to brief staffers of the House Energy and Committee on the security breach. 

By Eric Carlson and Scott Livingston

On Friday, August 8, 2014, a Chinese court convicted British fraud investigator Peter Humphrey and his wife, Yu Yingzeng, a naturalized US citizen, of illegally obtaining personal information.  Mr. Humphrey was sentenced to two and a half years in prison and fined RMB 200,000 (about US $32,000); Ms. Yu was sentenced to two years in prison and fined RMB 150,000 (US $24,000).  For more information on the original arrests and Mr. Humphrey’s subsequent confession on state-owned TV, please see our earlier blog post here.

The husband and wife team ran a China-based consulting firm, ChinaWhys Co., that specialized in providing risk advisory services to multinational companies doing business in China.  Under China’s Criminal Law, companies and individuals are subject to criminal penalties for illegally selling or obtaining the personal information of others where such violation is “serious.”  Prosecutors alleged that the couple violated the law’s prohibition on illegal obtainment by collecting 256 personal information records, including hukou (city residential permit) information, family information, and travel and phone records.  According to prosecutors, ChinaWhys purchased this information for RMB 800 to RMB 2000 (about US $130 to $325) per record and used it in background investigation reports prepared for ChinaWhys’ clients.
Continue Reading Fraud Investigators Imprisoned for Illegally Collecting Personal Data in China

By Eric Carlson & Scott Livingston

On August 27, 2013, state-run China Central Television broadcast a taped confession of detained British fraud investigator Peter Humphrey confessing to having used “illegal means” to obtain the personal information of Chinese citizens.  This highly unusual broadcast of a confession made by a foreigner in China, along with other recent actions against data privacy violations, suggests an increasing focus by Chinese authorities on enforcement of laws and regulations relating to the protection of an individual’s personal information, and underscores the growing need for companies with operations in China to ensure their personal data collection, handling, and transfer policies comply with national laws and regulations.
Continue Reading British Fraud Investigator Admits on Chinese State TV to Illegally Purchasing and Selling Personal Information

On July 16, 2013, China’s Ministry of Industry and Information Technology (“MIIT”) promulgated the Provisions on Protecting the Personal Information of Telecommunication and Internet Users (“Internet Provisions”).  The Internet Provisions, which take effect September 1, 2013, provide specific implementation rules for telecommunication and internet information service providers’ (“TSPs” and “IISPs,” respectively) collection and use of “user’s personal information,” based on a more generally addressed national law protecting “personal electronic information” issued in December 2012 and entitled Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection (see our previous client alert here).

“IISPs” is a broad category that includes all companies utilizing a mainland-based website (i.e. a website registered with or licensed by MIIT) to collect personal information (“PI”) from their customers or site visitors.  “TSPs” are those entities providing access to telecommunications services, such as China Mobile.
Continue Reading China Issues Comprehensive Regulation on Collection and Use of Personal Information by Websites and Telecommunication Service Providers

China’s Ministry of Internet and Information Technology (“MIIT”) has promulgated a new regulation targeting manufacturers of mobile smart devices (such as smart phones) that prohibits them from preinstalling certain apps that raise privacy, security, or prohibited content concerns.  Entitled “Notice Regarding Strengthening the Management of Network Access for Mobile Smart Terminals,” the new regulation forbids mobile smart device manufacturers from pre-installing any app that:

  • collects or modifies a user’s personal information without express notification and user consent;
  • accesses a network without express notification or consent, causing unauthorized bandwidth use, monetary loss, information disclosure, or other negative consequences;
  • affects the smart device’s normal operations or the safe operation of the telecommunications network;
  • contains content restricted by PRC law (e.g., obscene, anti-government, or hate speech); or
  • infringes a user’s personal information, safety, legitimate rights or interests, or prejudices the security of network information.

Continue Reading China Regulates Smart Device Manufacturers’ Use of Pre-installed Apps