On 28th May 2019, the Cyberspace Administration of China (CAC) published on its official website the ‘Regulations Governing Data Security – Discussion Draft’ (Draft Regulations).
The Draft Regulations, following on from existing regulation such as the Cyber Security Law, look to govern the collection, use, security and management of personal data (PD) and ‘Critical Data’ within China. Key points contained in the Draft Regulations are:
- The term ‘Critical Data’ is clearly defined, and illustrative examples of its meaning are given. Critical Data means any data which, if disclosed, would likely materially and adversely impact national security; economic security; social stability; public health; or public security. Examples given include non-public government information in respect of demographics, genetic health, geophysics, mineral resources etc. ‘Critical Data’ is defined, generally speaking, as including neither corporate/commercial information nor PD.
- Re personal data, cyberspace operators who collect and use PD should formulate and make public detailed, simple, plain-language and accessible procedures for such PD collection and use (PD Procedures). These PD Procedures must set out the ‘how & why’ of such PD use and PD third-party sharing (if applicable). Further, cyberspace operators may only collect PD once users/customers have first clearly given their consent and have clearly familiarised themselves with the PD Procedures. Cyberspace operators must not use authorisations given to them to collect PD in order to engage in discriminatory or predatory pricing practices vis a vis the providers of such PD.
- Any collection by cyberspace operators of PD in respect of minors under the age of 14 must be accompanied by such minors’ parents/guardians’ express prior consent.
- Any cyberspace operators in the business of collecting either Critical Data or ‘sensitive’ PD should register themselves and their respective PD Procedures with their local CAC office, including in this registration identification of personnel accountable for such data’s security.
- Prior to the release to a third party by a cyberspace operator of PD it has collected, such cyberspace operator must (i) consider whether such release could, generally, carry any security risks; and (ii) obtain express consent from each and every subject (individual) of the PD. Exceptions to this requirement are (i) where any such PD is already in the public domain as disclosed by the PD subject; or (ii) as otherwise required/exempted by law. In circumstances where a cyberspace operator is contemplating publishing, sharing or transacting with Critical Data, or where Critical Data is to be provided to entities outside China, then in all such circumstances the cyberspace operator must first (i) assess all potentially associated security risks; and (ii) obtain approval from either the relevant industry regulator and/or from CAC itself (at a provincial level).
- Cyberspace operators must ensure that any third parties accessing and utilising a cyberspace operator’s platform are fully informed of data security requirements and responsibilities applicable to such platform access and usage. In circumstances where a third party’s utilisation of such platform causes a data security incident, with consequent loss or damage suffered by other users, then the cyberspace operator will assume partial or full liability for such losses, excepting in circumstances where the cyberspace operator can prove no negligence on its part.