In the most significant development this year (arguably more so than the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”) coming into force), draft detailed guidance on how organisations can in practice comply with China’s strict data, e-commerce and online platform rules – including new compliance obligations – has been published.
The draft Network Data Security Management Regulation (“Draft Regulation”) was published for consultation on 14 November 2021, and is very wide-ranging in the compliance areas covered. Notably it includes a host of new, onerous regulatory approval and governance requirements for personal data controllers, organisations processing “important data” and operators of online platforms/e-commerce sites, including in the context of corporate transactions. It may also have an impact on IT vendors to organisations in the cloud market.
Key points for businesses to note:
1. New prior assessment requirements affecting corporate activities: these are perhaps the most onerous new provisions, and are likely to delay – or even halt – current or planned corporate activities involving a China business. Specifically:
- The Draft Regulation extends the need to conduct a network security assessment to any organisations falling into the following categories:
- a data controller undertaking an IPO outside of China that processes personal data of 1,000,000+ data subjects – these organisations will also need to submit annual data security evaluation reports to the local CAC branch by 31 January each year;
- a data controller undertaking an IPO in Hong Kong that may impact national security;
- any Internet platform operator involved in M&A activity or a corporate re-organisation which controls a large amount of data or information that may affect national security, economic development or the public interest; and
- any “Large Internet Platform Operator” (i.e. an operator of a platform that: (a) has over 50 million users; (b) processes a “large volume” of personal data or “important data”; and (c) has market dominance and significant social influence) that establishes a headquarters or an operations or development centre outside of China.
In addition, any organisation that: (i) engages in M&A activity or a corporate re-organisation involving “important data” or the personal data of 1,000,000+ data subjects; or (ii) becomes insolvent or is dissolved, must notify the relevant local authority (or local CAC branch) in advance.
2. Important data: processing of “important data” has often been overlooked by international businesses with operations in China, but stricter compliance obligations and transfer restrictions mean that “important data” must now become a greater focus of China data compliance programmes. Provisions affecting “important data” under the Draft Regulation include the following:
- The definition of “important data” has been clarified and limited. The Draft Regulation helpfully sets out a list of items that will be considered important data, and so removes some of the lingering uncertainty on this topic.
- It is also now clarified that the rules around handling of “important data” (under the DSL and the Cybersecurity Law (“CSL”)) have extra-territorial effect.
- Organisations are reminded of the need to register with the CAC within 15 working days of identifying “important data”. In addition, a new obligation to obtain prior regulatory approval is introduced for the sharing of, transactions involving, or sub-processing of “important data”. Details of the approval process have not yet been published, but this could have a significant impact on – or at the very least delay – existing arrangements (whether intra-group or involving third parties) that involve “important data”.
- More broadly, the Draft Regulation gives a signpost towards the new tiered data classification scheme that was introduced under the DSL, indicating that:
- data should as a minimum be classified as either: general, important or core data; and
- classification should be based on: (a) the impact of the data on, and its importance to, the legitimate interests of individuals or organisations; (b) national security; and (c) the public interest. This is a significant reminder to organisations to start data mapping and assessment of all China data sooner rather than later.
3. Additional data governance requirements: these new compliance steps will need to be built into China data compliance programmes, and will add to the “to do” list of newly appointed China DPOs:
- Annual cross-border data security report: data controllers transferring or accessing any personal data or “important data” outside of China must submit an annual data overseas transfer security report to the local CAC branch by 31 January each year.
- Additional record-keeping: the Draft Regulation also introduces new record-keeping requirements for personal data controllers, who (on top of the PIPL/PIS Specification requirements) must:
- keep records of personal data transfers and data sharing, and keep those records for five years; and
- maintain a complaints channel through which complaints about the security and processing of data can be made, and keep records of those complaints.
- Time to respond to DSRs: data controllers must respond to data subject requests within 15 working days (as compared to 30 days previously). Data subject rights processes will need to be localised for China, since this is a shorter response period than under many other data protection laws around the world.
- Additional compliance steps for “important data” and “large volume” personal data processors: the Draft Regulation imposes additional compliance obligations on organisations that process: (a) “important data” and/or (b) personal data of more than 1,000,000 data subjects (“large volume” personal data processors), as follows:
- mandatory data security training of not less than 20 hours per year for all personnel involved in data security or data management; and
- the need to submit an annual data security evaluation report to the local CAC branch by 31 January each year.
4. Cyber/data security and incident management: the Draft Regulation extends new obligations to systems as well as data:
- MLPS: the Draft Regulation reiterates the need for organisations to prioritise (if they have not already done so) undertaking the multi-level protection scheme (“MLPS”, first introduced under the CSL) for their systems hosted in China. This emphasises what has long been an enforcement priority of the Chinese regulators. The Draft Regulation also makes clear that any system processing “important data” should be classified at tier 3 or above within the MLPS assessment.
- Data security incident management and notification: the Draft Regulation clarifies some of the notification deadlines and reporting obligations for organisations processing personal data or “important data”. Reports must be made to regulators (with very tight deadlines, as short as eight hours for certain organisations) and, in some circumstances, to the police (PSB) and to affected individuals or organisations (with deadlines as short as three working days in some cases). These reporting requirements are broader – and the deadlines tighter – than under data laws in other jurisdictions, not least because the scope includes “important data” and reporting to affected organisations (not just individuals), so data incident management policies and procedures will need to be updated and localised.
- CIIO procurement restrictions extended: the Draft Regulation introduces procurement restrictions on CIIOs procuring cloud computing services, namely a pre-procurement security assessment that must be undertaken in conjunction with the CAC. This would likely have implications for cloud vendors selling into the China market, as well as for CIIOs looking to implement cloud solutions.
5. Accessing blocked sites and content: the Chinese authorities have set out a clear intention that they will take steps to identify and block access to Internet sites and content that are not permitted in China, and also use of illegal VPNs or other mechanisms designed to access such sites and content. It is clear that this remains an enforcement priority.
6. E-commerce and online platforms: following busy enforcement activity over the summer, the Draft Regulation proposes onerous new oversight and compliance requirements for online and e-commerce operators. The principle of fair trading and responsible use of data collected via online platforms is introduced, along with specific obligations, such as:
- For platforms processing data of more than one hundred million daily active users, any changes to their platform terms or privacy policies would now need to be pre-approved first by a third party accreditation body, and then two different regulatory authorities.
- Large Internet Platform Operators would also need to engage an auditor to conduct an annual audit of: (a) the data protection and data security measures and policies; and (b) the Ts&Cs deployed on the platform, and to “disclose” a copy of the audit report (it is unclear whether this means publish).
- Operators of marketplaces and other sites via which third parties sell goods or services are now also potentially liable to purchasers to refund or replace defective goods or services sold on the platform, or for other damages to users arising from the sale of goods or services via the platform. That is, they cannot simply rely on the third party seller being liable.
- Instant messaging services on online platforms must include functionality to allow users to distinguish between personal and business (“non-personal”) messages, with non-personal messages then specifically excluded from being treated as personal information (although the scope of this exclusion is unclear).
- A reminder to undertake security audits on apps and WeChat mini-programmes; and a new requirement for platforms using AI or VR to process personal data to conduct a security assessment.
While still a draft (the consultation period closes on 13 December 2021), we would caution against simply ignoring the Draft Regulation, as it appears to be an important indication that managing compliance in China is going to get more arduous for both local and international businesses. Advance planning, in case it is implemented “as is”, is recommended.