On July 21, 2022, the Cyberspace Administration of China (“CAC”) – the country’s primary regulator for cybersecurity and privacy – imposed a fine of RMB 8.026 billion (around $1.2 billion USD) on China’s largest ride-hailing company for violating data protection laws, including the Cybersecurity Law, Data Security Law and Personal Information Protection Law.
On April 27, 2020, the Cyberspace Administration of China (“CAC”) and other eleven government agencies jointly released the final version of the Measures on Cybersecurity Review (“Measures”) (an official Chinese version of the Measures is available here). These Measures will take effect on June 1, 2020.
Under Article 35 of China’s Cybersecurity Law (“CSL”), operators of Critical Information Infrastructure (“CII”) are required to undergo a security review if the procurement of “network products and services” implicates China’s national security. To implement this requirement, CAC previously released the Measures on the Security Review of Network Products and Services (Trial) (“Trial Measures”) on May 2, 2017, which established a process for CAC to conduct a cybersecurity review in a range of key sectors. On May 24, 2019, CAC released a draft version of the Measures (“Draft Measures”) for public comment (see our post on the Draft Measures here), aiming to update the review process established under the Trial Measures. The final version of the Measures replaces the Trial Measures and largely tracks the framework proposed in the Draft Measures.
Highlights of the final version of the Measures appear below.
Continue Reading China Issues New Measures on Cybersecurity Review of Network Products and Services
On November 20, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for the Publication of Cybersecurity Threat Information (“Draft Measures”) for public comment. (An official Chinese version is available here). The comment period ends on December 19, 2019.
The release of the Draft Measures marks an important step forward in implementing Article 26 of China’s Cybersecurity Law (“CSL”), which establishes that the publication of cybersecurity information (such as those related to system vulnerabilities, computer viruses, cyberattacks and/or network intrusions) to “the public” must comply with unspecified “relevant rules.” Article 26 does not specify what kind of entities or individuals are subject to this requirement; thus, it is unclear whether Article 26 applies to entities that have discovered vulnerabilities on their own networks and/or the activities of third parties that have uncovered cybersecurity threats to others’ networks, such as cybersecurity research firms.
The Draft Measures are intended to provide further guidance for these entities and individuals based in China that have threat information about other network operators’ network or information systems and outlines how they can publish the threat information in a compliant way. The Draft Measures are silent as to whether these requirements will apply to entities or individuals that are based outside of China and, if these requirements are applicable for the publication of threat information globally, how entities or individuals outside of China can comply. It is also unclear about the extent to which the Draft Measures would apply to network operators who become aware of cybersecurity threat information related to their own networks.…
On January 2, 2018, the Standardization Administration of China (“SAC”) released the final version of the national standard on personal information protection, officially entitled GB/T 35273-2017 Information Technology – Personal Information Security Specification (GB/T 35273-2017 信息安全技术 个人信息安全规范) (hereinafter “the Standard”). The Standard will come into effect on May 1, 2018.
As highlighted in our previous coverage of drafts of the Standard (see here and here), although it is nominally a voluntary framework, the Standard effectively sets out the best practices that will be expected by regulators auditing companies and enforcing China’s existing (but typically more generally-worded) data protection rules, most notably the 2016 Cybersecurity Law. Drafts of the Standard — even prior its finalization — have also in some cases been the basis for non-compliance remediation plans and undertakings agreed between companies and the Cyberspace Administration of China (“CAC”) following CAC audits, as we reported here.
The Standard applies to “personal information controllers,” namely any private or public organization that has “the power to decide the purpose and method” of processing personal information. This is seemingly modelled on European law’s “data controller” concept.
The Standard regulates the use of “personal information” by these controllers, a term largely aligned with strict conceptualizations of “personal data” under the EU’s General Data Protection Regulation (“GDPR”). Examples of “personal information” listed in an annex to the Standard include device hardware serial codes, IP addresses, website tracking records, and unique device identifiers, among other things. The definition of “sensitive personal information,” however, takes a different approach to the GDPR: rather than applying only to specific types of data, the Standard takes a risk-based approach, defining “sensitive” personal information as any personal information which, if lost or misused, is capable of endangering persons or property, easily harming personal reputation and mental and physical health, or leading to discriminatory treatment. According to the Standard, this could for example include national identification card numbers, login credentials, banking and credit details, a person’s accurate location, information on a person’s real estate holdings, and information about a minor (under 14 years old).
Similar to general principles of most data protection laws, the Standard requires transparency, specificity and fairness of processing purpose, proportionality (use and retention of only the minimum information necessary to achieve the stated purpose), security, risk assessment, and the respect of individuals’ rights to control the processing of information about them. It also requires either consent from individuals, or reliance on a limited range of exceptions set out in the Standard, for the purpose of collection and processing of personal information.
This article looks at some of these aspects in more detail, including some of their key divergences from European data protection law, including the GDPR. (Please note that this is not an exhaustive description of the Standard, nor is it a detailed comparison with the GDPR.)…
Continue Reading China Issues New Personal Information Protection Standard