On May 28, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for Data Security Management (“Draft Measures”) for public comment. (An official Chinese version of the Draft Measures is available here and an unofficial English translation is available here.) The comment period ends on June 28, 2019.
The release of these Draft Measures demonstrates China’s continuing efforts to implement the data protection requirements imposed by China’s Cybersecurity Law (“CSL”). For example, under Article 41 of the CSL, network operators must notify individuals of the purposes, methods and scope of the information collection and use, and obtain their consent before collecting or using individuals’ personal information. Furthermore, under Article 42 and 43 of the CSL, network operators must not disclose, tamper with, or damage citizens’ personal information that they have collected, and they are further obligated to delete unlawfully collected information and amend incorrect information.
To implement the CSL, the CAC and the Standardization Administration of China issued a national standard for personal information protection (“Standard”) on January 2, 2018, which took effect on May 1, 2018 (see our previous blog post about that Standard here). A draft amendment to the Standard (“Draft Amendment”) was released for public comment on February 1, 2019 (see our previous blog post about the Draft Amendment here). The new Draft Measures incorporate some of personal information protection requirements specified in the Standard and the Draft Amendment, and also introduce a number of new requirements for the protection of “important data,” which was initially mentioned in Article 21 and 37 of the CSL, but was not defined.