2020 has been an active year for developments in China’s cybersecurity and data protection regimes. In this e-bulletin we highlight the major regulatory and enforcement developments during the year in three key areas:
Security protection, where continuous regulatory efforts have been made to supplement technical standards in order to progress the establishment of the multi-level protection scheme (MLPS), with the police taking a more active approach to inspecting compliance with the MLPS regime;
Data protection, where two milestone pieces of legislation, the Personal Information Protection Law and the Data Security Law, started their progress through the legislative process, and important standards on personal information protection and risk assessment were updated or released; and
Supply chain security, where developments have focused on establishing the regulatory framework for commercial encryption and the supply chain security of Critical Information Infrastructure.
Further details are set out below. In each case we set out a reminder of the obligations under the Cyber Security Law and provide a brief summary of the main developments during this year.
For a more regular update on the latest developments, please see our monthly e-bulletins (click here for the most recent one).
I. Security protection
Reminder of legal obligations
Under Article 21 of the Cyber Security Law, network operators are required to implement the multi-level protection scheme for network security. Under this scheme, each network operator must be assessed and graded according to the security protection level applicable to it. The grade determines the set of security protection obligations that the operator must comply with.
A network operator’s security obligations include, among others:
a. formulating internal security management systems and operation manuals, appointing personnel responsible for network security, and discharging network security protection responsibilities;
b. taking technical measures to prevent computer viruses, network attacks, intrusions and other acts that endanger network security;
c. monitoring and recording the operational status of the network and network security incidents, and retaining the relevant network logs for no less than six months; and
d. taking data classification, backup (for important data) and encryption measures.
In particular, Articles 31 to 39 impose more stringent obligations, including a data localisation requirement, on selected network operators of critical importance to state security or the national economy or public interest. These are known as critical information infrastructure (CII) operators. In July 2017, the Cyberspace Administration of China (CAC) published draft regulations on the protection of critical information infrastructure, which have yet to be enacted (please click here for our analysis on the draft regulations).
Under Articles 56 and 59, in the event of a breach of the security protection obligations, the competent authorities may (i) demand a meeting with the legal representative of the network operator; (ii) order rectification; (iii) issue warning letters; and (iv) impose a fine on the network operator and the person directly responsible for the breach. In serious cases, criminal penalties could arise. The Ministry of Public Security, namely the police, and its cyber police arm are charged with enforcing the regulations.
The National Information Security Standardisation Technical Committee (TC260), the body responsible for drafting cybersecurity standards, continues to supplement the framework of standards for the MLPS, publishing the Guide for MLPS Grading in April 2020, among others. With the framework of standards being established, the Ministry of Public Security (MPS) is strengthening enforcement. In September 2020, it released a guidance opinion urging the ministries and organisations of the central government and centrally-owned enterprises to step up their implementation of the MLPS and protection of CII.
The authorities have yet to make any further progress in clarifying the protection regime governing CII. The guidance opinion urges the relevant ministries to draft rules for identifying CII in their respective industries or sectors and to take charge in identifying the CII and filing details with MPS. MPS’ role includes designing, implementing and establishing the overall protection scheme.
Whilst historically penalties for failing to implement the MLPS were usually triggered by investigations into security breaches (such as hacker intrusion), in 2020 we saw cases where the police conducted routine checks resulting in penalties for entities that had not implemented the MLPS. Inspection activities by local police relating to the MLPS have also been increasing.
Outlook for 2021
Establishing the framework for MLPS standards has cleared the obstacle preventing large-scale implementation of the scheme. We expect implementing regulations for the MLPS to be published in 2021, which will likely be coupled with more wide-sweeping enforcement campaigns. Whilst it is unclear whether the authorities will offer more clarity on CII regulation, it is now clear that the industry and sector regulators will be responsible for drafting the rules for identifying CII. It remains to be seen which regulator will be the first to do so. Before that, however, we expect the long-overdue regulations on the protection of CII to be published.
II. Data protection
Reminder of legal obligations
The Cyber Security Law requires network operators to adhere to the principles of legality, legitimacy and necessity in dealing with personal information. The law also imposes a series of data protection obligations on network operators, including, among others, obligations to inform data subjects and obtain consent, take remedial measures in the event of a data breach, and enable data subjects to exercise certain rights in respect of their personal information. Breach of the law could give rise to administrative as well as criminal penalties.
- Civil Code The Civil Code (click here for our views) was promulgated in May 2020 and took effect on 1 January 2021. For the first time, the Civil Code enshrines the right to privacy and the principles of personal information protection. It defines personal information and sets out the legal basis for personal information processing, the obligations on personal information processors, the rights of individuals in respect of their personal information and the duties of administrative bodies. In the latest judicial interpretation relevant to the Civil Code, published in December 2020, the Supreme People’s Court expressly recognised “personal information protection dispute” as a cause of action for bringing a civil claim under the Civil Code.
- Personal Information Protection Law (PIPL) The PIPL (please click here for our views) was submitted to the Standing Committee of the NPC for its first review in October 2020, and the draft was released for public comments. The draft PIPL expands the scope of personal information and sets out the key concepts and principles for processing personal information. It replaces the current consent-based protection regime with a new one allowing multiple legal bases for processing personal information, as well as setting out more detailed requirements for consent. The draft PIPL also lays down obligations on processors when sharing and transferring personal information to third parties. The safeguards on the export of personal information and the requirements on data localisation are less stringent and more practical than those in the previous export rules published in 2019. The GDPR-style extraterritorial effect extends the application of the PIPL to processors outside of China. Individuals may exercise a comprehensive set of rights against processors, and processors are required to take a range of measures to protect personal information. The CAC is responsible for coordinating the ministries that are charged with regulating and supervising the protection of personal information, and the draft PIPL equips them with a wide range of powers to discharge their duties. It sets out the legal liabilities of those processing personal information and dramatically increases the economic penalties that may be imposed for breaches. Significantly, public interest litigation is introduced into the personal information protection regime for the first time. New technologies such as automated decision-making are also regulated by the draft PIPL. Although there are a number of points still to be clarified by future drafts and guidelines, we can now see for the first time the future regulatory landscape of the personal information protection regime in China.
Once the PIPL is enacted, it will have a far-reaching impact on protection of personal information as well as the business and compliance practices for companies.
- Data Security Law (DSL) The DSL was submitted to the Standing Committee of the NPC for its first review in June 2020 and a draft was later released for public comments (please click here for our views). The draft DSL proposes to protect data, in particular important data that is neither personal information nor a state secret. Depending on the data’s importance, it will be protected under a multi-level classified protection regime. Ministries and local governments are required to draft catalogues of important data and protect the data included in the catalogue. Important data processors must conduct risk assessments periodically and appoint personnel and departments responsible for data protection. The law also proposes a national security review regime, under which data activities affecting (or likely to affect) national security will be subject to national security review. If enacted, it will have a profound impact on data security practices in China as well as on those foreign organisations and persons processing data from China.
- Personal Information Security Specification Revisions to the Personal Information Security Specification were published in April 2020 and came into effect on 1 October 2020 (please click here for our views). The revised regime focuses on ensuring that the consent obtained by personal information controllers for processing personal information is freely given, specific and informed. In addition, new requirements were added to enhance the protection of personal information processed using new technologies, such as profiling and artificial intelligence. Compliance measures similar to those adopted by the European Union were also introduced. The Guidance for Personal Information Security Impact Assessment was released in November 2020 and will take effect on 1 June 2021. The Guidance sets out the rules, principles, procedures and methodology for assessing the security risks of personal information processing activities; such an assessment is a major security measure required under the Specification and the draft PIPL.
- Mobile applications (Mobile Apps) In 2020, TC260 and the CAC continued to issue a series of formal or draft guidelines and standards applicable to data processing activities by Mobile App operators. These guidelines and standards cover the basic data protection rules, common issues, self-assessment, management of authorisation (permission) requests, use of software development kits, and the minimum scope of personal information necessary for Mobile App functions.
- Financial industry The People’s Bank of China (PBOC) strengthened the protection of financial data by rolling out regulations and standards in 2020. In February, the PBOC published the Personal Financial Information Protection Technical Specification, which lays down the principles and requirements for protecting personal financial information. Personal financial information is divided into three categories according to its sensitivity, and each category carries a different set of protection requirements. In September, the PBOC published the Guidelines for Data Security Classification, which divide financial data into five security levels according to the impact a data breach would have on national security, the public interest, personal privacy and private interests, and provide detailed rules for determining the levels. Also in September, the PBOC updated the Implementing Measures for Financial Consumer Protection, including the requirements on the protection of consumers’ financial information, which came into force on 1 November 2020.
2020 saw a continuous increase of criminal cases in relation to infringement of personal information. Notably, the people’s procuratorates are now more willing to bring supplementary civil claims alongside prosecution proceedings in personal information-related cases. Certain procuratorates are taking more proactive actions in policing the protection of personal information, including initiating public interest litigation and issuing rectification notices.
Mobile Apps remain a key focus of enforcement. The Mobile App Working Group, consisting of the CAC, the Ministry of Industry and Information Technology, the MPS and the State Administration for Market Regulation, has launched multiple campaigns to crack down on the abuse of personal information by Mobile App operators.
Outlook for 2021
2021 is likely to see two milestone laws for data protection in China, the Personal Information Protection Law and the Data Security Law, being enacted. Both laws mandate a range of compliance measures. In addition, China is expected to publish a series of implementing rules and standards to supplement the emerging regulatory framework, which will present additional compliance challenges for many companies in the coming year.
We expect to see an increase in civil cases being brought under the Civil Code for infringement of personal information. If the PIPL is enacted in 2021, there will also be an increase in public interest litigation brought by the people’s procuratorates, with heftier fines being issued by the personal information protection authorities. Enforcement activities against the illegal use of personal information by Mobile App operators will continue.
III. Supply chain security
Reminder of legal obligations
The Cyber Security Law requires that network products and services should meet compulsory national standards. In addition, key network equipment and network security products must be tested or certified by accredited institutions for compliance with such standards. The CAC and other relevant ministries are charged with publishing the list of key network equipment and network security products.
- New cybersecurity review regime The CAC and eleven other ministries jointly published the Cybersecurity Review Measures (please click here for our views) in April 2020, which took effect on 1 June 2020 and replaced the previous regulations on the security review of network products and services. These measures impose more stringent scrutiny over the cyber supply chain of CII operators, but also create uncertainty for suppliers of network products and services to CII operators. Although the lack of regulations on CII protection may prevent imminent fully-fledged enforcement of the Review Measures, CII operators and suppliers should prepare for their implementation once regulations on CII are promulgated.
- Commercial encryption After the promulgation of the Encryption Law (please click here for our views) in 2019, a series of regulations were published to implement the law in 2020. The State Cryptography Administration (SCA) and the State Administration for Market Regulation published their opinions on implementing the testing and certification of commercial encryption, the rules for certifying commercial encryption products and the catalogue of products that need to be certified. Lists of commercial encryption products that require a permit for import or export were published in December. The SCA also published the draft Administrative Measures for Commercial Encryption, which are aimed at implementing the provisions under the Encryption Law applicable to commercial encryption.
We have not seen any enforcement cases under the supply chain security regulations in 2020.
Outlook for 2021
We expect the Administrative Measures for Commercial Encryption to be promulgated in 2021, which will complete the regulatory framework for commercial encryption and give rise to more enforcement activities.