On April 10, 2019, the Chinese Ministry of Public Security (MPS) published, on the official website of the MPS Cyber Security Protection Bureau, the finalized Guideline for Internet Personal Information Security Protection (Guideline) after soliciting public comments since last November. The Guideline is voluntary and marks the latest in a series of implementations of China’s Cybersecurity Law (CSL) since its June 1, 2017, effective date. It follows the national standards governing the protection of personal information (Standards) (effective May 1, 2018) issued by the Standardization Administration of China (SAC) in January 2018. See our previous client alerts on the Standards and amendments. While largely similar to the Standards, the Guideline focuses on the technical and organizational cybersecurity controls for businesses providing services over the Internet. As China’s primary cybersecurity regulator under the CSL, MPS previously issued regulations specific to network operators’ multi-level protection scheme, as well as procedures for China’s Public Security Bureaus (PSB) to inspect Internet service providers. The Guideline sets forth MPS-recommended best practices to “protect cybersecurity and individuals’ legitimate interests” that will likely inform PSB cybersecurity inspections. 

Applicability

The Guideline applies to Personal Information Holders, defined as entities or individuals that “control and process personal information” through their provision of services using the Internet, private networks, or offline. This definition appears to combine the concepts of both data controllers and processors under the General Data Protection Regulation (GDPR); however, the mandatory CSL does not endorse either concept. 

Administrative controls

Personal Information Holders are required, inter alia, to establish a personal information administrative control system, implement, audit, and improve the system, appoint competent administrative staff, conduct background checks, training, and periodic qualification certification of such staff. 

Technical controls

As part of a comprehensive suite of policies and procedures (which must be audited and implemented by a dedicated internal oversight group), the Guideline imposes requirements on Personal Information Holders to protect the information they control and process through a series of technical safeguards including:

  • Communication network security: employ password and/or verification to protect the integrity and confidentiality of personal information.
  • Physical security: adopt measures to detect, prevent, and combat threats against the systems processing personal information.
  • Computing environment security: employ (two-factor or above) authentication to verify the identity of users who have access to the personal information processing systems; implement and audit access control; and prevent and detect intrusions of malicious code and malware. 
  • Application and data security: employ (two-factor or above) authentication, access control, and audit; ensure data integrity, confidentiality, availability, and sanitation.
  • Expansion security requirement: adopt verification or password techniques to protect the integrity and confidentiality of personal information during the migration of virtual machines in cloud computing; and use passwords to protect personal information collected by the Internet of Things. 

Business process

The Guideline provides high-level principles for protecting personal information during the process of collection, storage, use, deletion, third-party processing, data sharing and transfer, and public disclosure. Many of the principles are in line with those in the GDPR, with the following exceptions:

  • Mass collection of sensitive personal information pertaining to the ethnicity, people, political views, and religious beliefs of Chinese citizens is prohibited.
  • Summary information, rather than the original information, shall be collected when collecting biometrics data.
  • Processing of de-identified personal information that cannot be recovered may go beyond the limitations set forth in the relevant user agreement concerning personal information.
  • Automatic processing of user profiles is permitted, with an opt-out right granted to users in occasions such as use for precision marketing, search results sorting, personalized news, and targeted advertising; automatic processing of user profiles requires the user’s express consent in other occasions that may impact an individual with legal consequences, such as credit service and administrative justice.
  • User consent must be obtained for the sharing, transferring, or public disclosure of personal information, except when that information is required for reasons of national security, national defense, public safety, public health, vital public interest, crime investigation, indictment, trial, or verdict.
  • Public disclosure of personal physiological information, such as biometric information, genetic information, and disease, is prohibited
  • Public disclosure of analytic results of sensitive personal information, such as ethnicity, people, political views, and religious beliefs of Chinese citizens is prohibited.

Incident response

Additionally, the Guideline requires the implementation and maintenance of an incident response plan that addresses a Personal Information Holder’s practices and procedures with respect to required notifications to data subjects and regulators in the event of a security incident. Whereas the Standards do not specifically require notice be provided to PSBs, the Guideline mandates a “timely” notice be provided by Personal Information Holders, detailing the type, quantity, content, and nature of the personal information compromised, the potential impact of the breach, the remedial measures already adopted or about to be adopted, and contact information for relevant personnel dealing with the incident. Companies are also required to conduct an incident response training and emergency drill at least semi-annually. However, what constitutes a “security incident” is not defined.

Data localization

The Guideline focuses in part on information systems that are located in China, and utilizes a classification rubric, which takes the economy and national security into account, to assess the impact of an attack on or damage to such systems. The Guideline allows system operators to self-assess their system classification and suggest a classification to the MPS, but the MPS may reject the proposed classification in its discretion and impose additional security requirements if a higher classification is justified. The Guideline also appears to expand upon the CSL’s data localization requirement, which previously only applied to network operators, defined to mean owners and administrators of networks and network service providers. Under the Guideline, Personal Information Holders in China must store in-country the data they generate and collect, and must follow specific cross-border transfer requirements should a transfer be necessary (although the Guideline does not specify what the cross-border requirements would be).

Implications

The Guideline builds upon continued efforts to expand the scope and specificity of the CSL, and is indicative of trends toward increased protections for data subjects’ rights and privileges, which are likely to increase as the MPS and other Chinese regulatory mechanisms seek to impose more stringent requirements. Businesses with interests in China are likely to face continued challenges to comply with the expanding implementation of the CSL (especially with respect to broadening definitions of Personal Information Holders and data localization requirements).