On 14 November 2021, the Cyberspace Administration of China (CAC) released the draft Network Data Security Management Regulations (the draft Regulations) and is accepting public comments until 13 December 2021.

The draft Regulations comprise 9 chapters and 75 articles with broad coverage of all types of electronic data. Once finalised and adopted by the CAC, the draft Regulations will provide more detailed practical guidance on how to implement the general legal requirements under national laws with a higher legal authority that have been adopted by the National People’s Congress and its Standing Committee, such as the Cybersecurity Law (CSL), the Data Security Law (DSL) and the Personal Information Protection Law (PIPL).

In this alert, we focus on and summarise the supplemental rules introduced by the draft Regulations, including: (i) the data classification and multi-level protection scheme (MLPS); (ii) special obligations for processors of important data; (iii) special obligations for online platform operators; (iv) prohibited activities; (v) data incident reports; and (vi) network security assessments.

Highlights

Data classification and multi-level protection scheme (MLPS)

The CSL and DSL laid down the principle that the state will establish a categorised and hierarchical data protection system. Further to this, the draft Regulations clarify how data should be categorised under this system:

  • There are three main categories of data: general data, important data and core data. It is critical first and foremost to determine if any data is important or core data. Data that falls within neither of these categories is classified as general data.
  • While core data is defined in the same way as in the DSL, the draft Regulations provide the following illustrations of what would constitute important data:

(i) undisclosed government data, work secrets, intelligence data and judicial enforcement data;

(ii) data which is subject to export control, data concerning a core technology, a design proposal, or production flow, and data derived from scientific research in the fields of, among others, encryption, biology, electronic information, or AI, that could have a direct impact on national security or China’s economic competitiveness;

(iii) the state’s economic operating data, business data of key industries and statistical data that is explicitly required to be protected and controlled pursuant to national laws, administrative regulations or departmental measures;

(iv) data concerning safety production, operations, key system components or supply chains in any of China’s key industries, such as manufacturing, telecoms, energy, transport, water conservation, financial services, and national defence, as well as the state’s tax and customs regime;

(v) the state’s basic data relating to populations and health, natural resources and the environment in the fields of genetics, geology, mining, meteorology, etc., where the data exceeds a specific volume or level of accuracy specified by the competent authorities;

(vi) operational and security data pertaining to the nation’s infrastructure and critical information infrastructure (CII), and data concerning the geographical location of and security measures in force at national defence facilities, military areas, national defence research and production entities, and other important and sensitive places; and

(vii) other data that may impact the nation’s political system, its sovereignty, the military, the economy, culture, social interests, technology, ecology, resources, nuclear facilities, offshore interests, biology, outer space, the Arctic and deep sea.

It is not a straightforward yes or no answer as to whether data constitutes important data or core data. A comprehensive analysis needs to be done as part of this process and it is also essential to check if any industry-specific laws, regulations or national standards apply.

  • Personal data and important data will be subject to “key” protection and core data to “strict” protection.
  • Any system that may, in principle, process important data must hold above level 3 MLPS certification and meet the security requirements for CII. A system processing core data must enforce stringent security measures pursuant to applicable regulations.

Special obligations for processors of important data

In addition to the above protection scheme, the draft Regulations require processors of important data (including those processing personal data of more than 1 million individuals) to comply with the following special obligations:

  • Designating a DPO with an appropriate background and level of experience, and establishing a data security management team led by the DPO.
  • Filing with the local CAC at the city level within 15 business days after they determine that data is important data (in other words, that they are a processor of important data). The filing will include the DPO’s basic information such as the DPO’s contact information, the purpose of processing as well as the scale, the type of data processed, the retention period, and where the data is stored. If there is a major change in the information on file, the processor must update the record on file.
  • Arranging data security training for all personnel annually; any technical or management personnel working on data security must receive at least 20 hours of training a year.
  • Conducting an annual security assessment, either through a self-assessment, or by a qualified third party, and submitting the annual assessment report to the local CAC by 31 January of the following year.
  • Obtaining consent from the local supervising authority (if any) for the industry concerned or the local CAC before engaging in the sharing, trading, or processing through third parties of important data.

It remains to be seen whether the final version of the draft Regulations will keep all of the above obligations, but if it does, it would impose a higher standard of compliance on processors of important data.

Special obligations for online platform operators

Under the draft Regulations, an online platform operator is defined as a platform that provides information publishing, social network, online transaction, online payment and online audio/video services.  Online platform operators are subject to stricter data protection responsibilities. In particular:

  • They must disclose their terms and privacy policies and the algorithms they use.  Where there are any changes that would cause significant impact to the users’ rights and interests, they must seek public comments for at least 30 business days and publish how the public comments have been considered and incorporated into the final versions and why other comments were rejected.  For online platforms with more than 100 million daily active users, the provisions of, and any such material amendments to, their terms and privacy policies must also be reviewed and assessed by a third-party institution designated by the CAC and approved by the local counterparts of the CAC and Ministry of Information and Technology (MIIT) at the provincial level.
  • They are responsible for any third-party products and services appearing on their platforms (such as application programming interfaces (APIs) and software development kits (SDKs)) and users may directly request compensation from the online platform operator for any damage caused by such third-party products or services.
  • Large-scale online platform operators must engage third parties to conduct annual security audits and publish the audit results.
  • They must not take advantage of data to discriminate among different classes of users (e.g., providing products under different prices or transaction terms without valid reasons), or to mislead, defraud or coerce users and process their data against their true intention and will, or to prevent mid or small scale companies from legitimately obtaining their data.

Prohibited activities

The draft Regulations set out certain compliance “red lines” by listing the following as prohibited data processing activities and further clarify that any support for such prohibited activities by providing technologies, tools, programs, advertisement or marketing, and/or payment/settlement services for these is also prohibited:

(i) data processing activities that cause detriment to the state’s national security, honour and interest or would divulge state secrets and/or work secrets;

(ii) data processing activities that infringe others’ reputation, privacy, copyright and other legitimate rights and interests;

(iii) obtaining data by theft or other illegal means;

(iv) selling or providing data to others in an illegal manner;

(v) producing, publishing, replicating and/or broadcasting illegal information; and

(vi) other acts that are prohibited by national laws and administrative regulations.

Data incident reports

Although the CSL and DSL already require the data processor to report data breach incidents, it is unclear when and how to perform such reporting obligations.  The draft Regulations provide more detailed procedures and timelines for notifying and reporting data breach incidents under the following scenarios:

 

Network security assessments

The draft Regulations create a new type of regulatory approval required by the CAC (‘network security assessment’) in case of the following:

  • any merger, restructuring or divestiture of an online platform operator that holds significant data resources concerning national security, or the nation’s economic development or public interests where this affects or could affect national security;
  • offshore listing by personal data processors that process the data of more than 1 million individuals;
  • listing in Hong Kong by the data processor, where this affects or could affect national security; and
  • other data processing activities that affect or could affect national security.

The CAC has the discretion to determine whether any of the relevant activities could affect national security.

Companies that conduct business through networks should pay special attention to the new network security assessment requirement and we strongly recommend that they prepare for this early on, so as not to delay or hinder any plans for corporate restructuring, financing or listing.

As regards the merger, acquisition or restructuring of a data processor that processes important data, or the personal data of more than 1 million individuals, a report to the local supervising authority or the local CAC must be made.

Takeaways

The draft Regulations demonstrate the resolve and commitment of the CAC in maintaining data and network security of important systems in China, by further strengthening the supervision and control over important data processors and online platform operators, in addition to personal data processors.  As part of gearing up for this law, it is recommended that:

  • Companies conduct internal reviews and analyses of the data that they process to identify whether any data might be considered important, or whether they process personal data of more than 1 million individuals.
  • Companies operating online platforms conduct security audits on third party services and products on their platforms, and review all applicable terms, privacy policies and algorithms to ensure that their services and products do not raise concerns relating to discrimination or unfair competition.
  • Companies consider setting up a local data protection team to deal with the upcoming legal requirements (and in particular the annual reports and security assessments as outlined above).