Two weeks after the Personal Information Protection Law (PIPL) entered into effect and a little over two months after the Data Security Law became effective, the Cyberspace Administration of China (CAC) released a draft of the key implementing regulation for both laws on 14 November 2021: the Administrative Regulations on Network Data Security.
The regulations have wide-ranging scope, with the key developments being:
Chinese listing applicants will need to apply for a cyber security review and obtain approval from the CAC:
- when listing anywhere outside of Mainland China or Hong Kong, if they hold the personal data of more than one million persons (confirming the equivalent requirement in the draft revised Measures for Cybersecurity Review issued in July 2021)
- when listing in Hong Kong if their activities may affect national security.
In practice, all Chinese listing applicants will wish to approach the provincial-level CAC for an indication of whether their operations are considered to affect national security, or else risk an investigation after listing, as happened earlier this year with Didi Chuxing, Full Truck Alliance (FTA) and Kanzhun. (Article 13)
Internet platform operators that hold data relating to national security, economic development or other public interests will similarly need to undergo a cyber security review before undertaking a merger, restructuring or separation (demerger). (Article 13)
Organisations listed on overseas markets will be required to submit annual data security assessments to the provincial-level CAC by the end of January each year. Among other things, the assessment should include details of the organisation’s data security management systems and of any data security incidents that occurred during the previous year. (Article 32)
The government will implement a security gateway through which all data being transferred out of China will have to pass. This is one of the most singular requirements of the regulation and will clearly need clarification. (Article 41)
Data security incidents that cause harm will need to be notified to affected individuals and organisations within three working days. Notification may only be made by way of a substitute public announcement if it is not feasible to send individual notifications (Article 11). Under Article 57 of the PIPL, an organisation may dispense with individual notifications if the measures it has taken can effectively avoid the harm, although the regulator may still require notification where it considers that harm may result.
A data security incident that involves the personal data of more than 100,000 people will have to be reported to the provincial-level CAC branch within eight hours. A written incident report will also need to be submitted within five working days. (Articles 11(1) and (2))
Mergers, restructurings and separations of organisations that hold the personal data of more than a million people will need to be reported to the provincial branch of the relevant sectoral regulator. This appears to be a post-completion reporting requirement rather than an approval requirement. (Article 14)
On closure of an account or the end of a data retention period, personal data will need to be either deleted or anonymised within 15 working days. Individuals will have to be informed if it is not possible to delete or anonymise their data. (Article 22)
Organisations must respond to requests to exercise data subject rights within 15 working days. This is a reduction from the current 30-day timeline provided for in the Personal Information Security Specifications (March 2020). (Article 23)
Transfers of personal data outside of China for the purpose of concluding or performing a contract to which the individual data subject is a party will not require a separate data transfer agreement, and will not be subject to the requirement to obtain certification of data protection standards or to undergo a security assessment. This is a new and helpful exemption that is not provided for in the PIPL. (Article 35)
Organisations that transfer personal data outside of China will be required to submit an annual data exit assessment report to the provincial-level CAC by 31 January of each year setting out the type and amount of personal data transferred, where it is stored and the purpose of the transfer, among other things. Data security incidents occurring during the previous year will also need to be included. (Article 40)
The regulations confirm that ‘important data’ is data that may harm national security or public interests if it is tampered with, destroyed, leaked, or illegally obtained or used, and that individual sectoral catalogues of ‘important data’ will be released in due course. In the meantime, the regulations include a non-exhaustive illustration of certain very general categories of ‘important data’. The categories most relevant to businesses are:
- core technology, design plans and production processes involved in technology that is subject to export controls
- technical data related to cryptography, biotech or artificial intelligence
- operational data in key industries such as telecommunications, energy, transportation, finance and defence
- the configuration of critical information infrastructure.
The following requirements outlined above for organisations holding personal data will also apply to organisations that hold ‘important data’:
- the deadlines for reporting data security incidents (Articles 11(1) and 11(2))
- the obligation to report mergers, restructurings and separations (Article 14)
- the obligation to submit an annual data security assessment (Article 32)
- the obligation to submit an annual data exit assessment report (Article 40)
Organisations that process the personal data of more than a million people will be deemed to be subject to the same requirements that apply to organisations that hold ‘important data’. (Article 26)
Organisations will have to report to the provincial-level CAC within 15 working days of identifying what ‘important data’ they hold. It is as yet unclear whether organisations will be under requirements to identify ‘important data’ within any specific period once the sectoral catalogues have been released. (Article 29)
Article 31 suggests that the Security Review Measures will be applied to purchases of network products and services by organisations that hold ‘important data’ (as well as by critical information infrastructure operators), although this will need to be clarified.
The transfer of important data (both overseas and domestic transfers) or the appointment of a data processor to handle ‘important data’ will require the consent of the provincial-level CAC or other “competent authority”. (Article 33)
Transfers of ‘important data’ overseas will need the CAC’s approval, obtained through the same security assessment process that will apply to transfers of personal data above the specified volume thresholds. (Article 37(2))
Internet platform operators
The regulations contain a number of detailed provisions concerning internet platforms. Of these the most notable are:
- Internet platform operators with more than 100 million daily active users will be required to have their platform rules/ privacy policies evaluated by an accredited third party assessor and then approved by the CAC and provincial-level MIIT (the internet and telecommunications regulator). (Article 43)
- Large Internet platform operators (see definition below) will need to undergo an annual independent audit covering platform data security, their platform rules and standards of personal data protection. The results of the audit will need to be disclosed publicly. (Article 53)
Internet platform operators are defined to include social media platforms, video streamers, mobile/ online payments providers and e-commerce platforms. Large Internet platform operators are defined as those that have more than 50 million users, hold large quantities of personal data and ‘important data’, and have strong social mobilisation capacity and a dominant market position.
The consultation period runs until 13 December 2021.