On May 28, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for Data Security Management (“Draft Measures”) for public comment. (An official Chinese version of the Draft Measures is available here and an unofficial English translation is available here.) The comment period ends on June 28, 2019.

The release of these Draft Measures demonstrates China’s continuing efforts to implement the data protection requirements imposed by China’s Cybersecurity Law (“CSL”). For example, under Article 41 of the CSL, network operators must notify individuals of the purposes, methods and scope of the information collection and use, and obtain their consent before collecting or using individuals’ persona information. Furthermore, under Article 42 and 43 of the CSL, network operators must not disclose, tamper with, or damage citizens’ personal information that they have collected and they are obligated to delete unlawfully collected information and amend incorrect information.

To implement the CSL, the CAC and the Standardization Administration of China issued a national standard for personal information protection (“Standard”) on January 2, 2018, which took effect on May 1, 2018 (see our previous blog post about that Standard here). A draft amendment to the Standard (“Draft Amendment”) was released for public comment on February 1, 2019 (see our previous blog post about the Draft Amendment here). The new Draft Measures incorporate some of personal information protection requirements specified in the Standard and the Draft Amendment, and also introduce a number of new requirements for the protection of “important data,” which was initially mentioned in Article 21 and 37 of the CSL, but was not defined.

Requirements Overlapping with the Standard and Draft Amendment

For personal information protection, most requirements proposed in the Draft Measures overlap with the requirements of the Standard and Draft Amendment. The key requirements are explained in greater detail below.

Notice and Consent

The Draft Measures requires “network operators” (defined as “owners and managers of networks, as well as network service providers”) to publish their “rules for data collection and use” in their privacy policies (or in other forms made available to data subjects) and obtain informed consent from data subjects prior to the collection of their personal information (Article 7 & 9).

The “rules for data collection and use” that network operators are to publish must include certain information prescribed by Article 8, including:

  • basic information of the network operator;
  • names and contact details of the network operator’s main responsible person and the person in charge of data protection;
  • purposes, types, volume, frequency, methods and scope of the data to be collected;
  • place of storage, data retention period and what the network operator will do with personal data after the retention period expires (e.g., delete or anonymize);
  • practices adopted in the event that personal information is provided to third parties;
  • security strategies implemented; and,
  • data subject rights and how complaints will be handled.

To address the issue of bundled consent, the Draft Measures also prohibit network operators from forcing or misleading data subjects to consent to the collection of their personal information through “pre-checked authorization” or bundled functions (e.g., by alleging that such data collection is necessary for improving services or the user experience, providing personalized recommendations, or researching and developing new products).

In addition, if a data subject provides personal information necessary to use the “core function” of a service, the network operator must provide that core function. If an individual refuses to provide consent or withdraws consent to the collection of personal information for ancillary services, then the network operator may not cease the provision of core services to that individual (Article 11).

Data Retention

The Draft Measures require that personal information be retained no longer than the retention period described in the privacy policy. Unless personal information is anonymized, network operators are required to delete the personal information after a data subject’s account has been closed (Article 20).

Data Subject Rights

The Draft Measures specifically require network operators to respond to data subjects’ requests (e.g., data access, correction, deletion and closure of accounts) within a reasonable time. Note that under the Standard, network operators are required to respond to data subjects’ requests within 30 days (Article 21).

Personalized Recommendations and Target Advertising

The Draft Measures impose specific requirements on network operators who use personalized recommendations and targeted marketing techniques which are enhanced by personal information and algorithms. Article 23 requires such network operators to:

  • identify the news or information presented to a data subject as a “targeted push,” and provide a user-friendly opt-out mechanism; and,
  • if a data subject chooses to reject it, then to withdraw the “targeted push” immediately and delete the device identifiers associated with the user.

Sharing of Personal Information

Prior to sharing personal information with third parties, network operators are required to assess the security risks associated with such data sharing and obtain consent of the data subjects, unless one of the following exceptions apply:

  • the personal information is collected from lawful public sources and sharing it does not obviously violate the wishes of the data subjects;
  • the personal information is proactively published by the data subjects;
  • the personal information has been anonymized;
  • the sharing is necessary for law enforcement by government agencies;
  • the sharing is necessary for protecting national security, public interests and/or the lives of data subjects.

Incident Response

When a security incident occurs or the risk of a potential security threat increases, network operators are required to adopt remedial measures immediately and promptly notify data subjects of the incident by telephone, text message, email or physical mail. Network operators are also required to report the incident to the respective industry regulator and the CAC (including the CAC’s local counterparts) in accordance with “relevant requirements.” At present, the precise scope of “relevant requirements” remains unclear.

Newly Introduced Requirements related to “Important Data”

In addition to the requirements which overlap with the previously issued Standard and Draft Amendment, the Draft Measures also propose some new requirements, with a special focus on the protection of important data.

Under the Draft Measures, “important data” is defined as “data that, if leaked, may directly affect China’s national security, economic security, social stability, or public health and security.” Examples of “important data” include “unpublished government information, a large volume of data relating to population, genetics, healthcare, or geographical and mineral resources, but excluding operational and internal administrative data of companies and personal data” (Article 28 ).

Regulatory Filing for Collection of Important Data and Sensitive Personal Information

The Draft Measures require network operators to file their data collection practices with the local CAC if they collect important data or sensitive personal data for “operational purposes.” Presently, the definition of the term “operational purpose” is unclear. The purposes, volume, methods, scope, types and retention period of important or sensitive personal data that a network operator is collecting should be specified in their filing materials (Article 15). The filing process is still unclear and further guidance is expected to be released by the government. Note that “sensitive personal information” is not defined under the Draft Measures, but its definition can be found in the Standard, which states that “sensitive personal information” is “personal information the leakage, disclosure, or abuse of which could easily endanger personal and property safety, and easily lead to the harm of one’s personal reputation or mental and physical health, or lead to discriminatory treatment.” Examples of such information include information relating to a bank account, payment record, biometrics, personal mobile phone number, etc. Given the potentially broad scope of sensitive personal information, many network operators may be required to complete the filing, if this requirement is adopted as currently drafted.

Personnel Responsible for Data Security

Network operators collecting important data and sensitive personal information are also required to designate a responsible person who has data protection experience and knowledge to take charge of the data protection efforts of the network operators (“Responsible Person”). Under the Draft Measures, the Responsible Person shall report directly to the main responsible person of the network operator and must be involved in the decision-making process for material, data-related issues (Article 17).

The Responsible Person is required to perform the following duties (Article 18):

  • coordinate the establishment and implementation of an internal data protection program;
  • oversee the completion of data protection impact assessments;
  • report data protection practices and incident response results to relevant government agencies and the CAC; and,
  • handle data subject complaints.

Rules for Publishing, Sharing, Selling and the Cross-border Transfer of Important Data

Similar to the sharing of personal information, the Draft Measures also require network operators to conduct a risk assessment for any planned publishing, sharing, selling or cross-border transfer of important data. More importantly, the Draft Measures require network operators to obtain prior approvals from their corresponding industry regulator for cross-border transfers of important data. If an industry regulator cannot be identified, network operators shall file their application with the CAC at provincial level for approval (Article 28). Further guidance on exactly how the approval process will work is expected to be forthcoming.

In contrast, it appears that the cross-border transfer of personal information will not be subject to the approval requirements described above. The Draft Measures only state at a high level that the cross-border transfer of personal information shall be carried out in accordance with “relevant” laws and regulations (Article 28). This indicates that more details regarding the requirements for cross-border transfers of personal information are expected to be covered in separate regulations and national standards.

Other Requirements

Response to Government Request

Under the Draft Measures, network operators are required to provide “relevant” data requested by government agencies at the state level for purposes of protecting national security, maintaining social order and implementing economic controls (Article 36). This obligation is defined broadly and it is uncertain whether and how this requirement will change or expand the existing obligations under other Chinese laws and regulations which require companies to cooperate with government agencies.

Third-Party Applications

If a network operator allows third-party applications to collect data through its “platforms,” the Draft Measures require the network operator to specify security obligations and requirements in its contracts with third parties and encourage such third parties to implement robust data protection practices. In addition, if any security incidents occur on the network of the third parties and result in harm to users, the network operator could be partially (or even fully) liable for the losses suffered by users, unless the network operator can prove that it is not “at fault” (Article 30). It is unclear whether “at fault” in this provision refers to the network operator’s conduct related to a specific incident or in a broader sense about its data protection program.

Transfer of Data Under Merger, Acquisition, Reorganization or Bankruptcy

When a network operator undergoes a merger, acquisition, reorganization or bankruptcy, the data recipient is required to assume the data protection responsibilities with respect to the data transferred to it. If there is no data recipient, the network operator is required to delete the relevant data (Article 31).

Potential Penalties

The CAC (including the CAC’s local counterparts) may “summon” a network operator who fails to perform its data protection obligations under the Draft Measures and ask it to rectify its conduct (Article 33). If a government agency determines that a network operator has violated the Draft Measures, it may take disciplinary actions against it, such as confiscating illegal income, suspending relevant business operations for rectification, shutting down a website, or revoking a business license. If the violation constitutes a crime, the network operator may be subject to criminal prosecution (Article 37).