On May 28, 2019, the Cyberspace Administration of China (the “CAC”) issued Draft Administrative Measures for Data Security (the “Draft”) for public comment. The Draft provides strict and detailed rules for the collection and use of data by network operators in China. Details are below:

Every network operator should disclose its policies for the collection and use of personal information

This requirement is generally consistent with existing regulations, i.e. that network operators may collect personal information only if the user is both informed of and consents to the way in which that information will be collected and used, which in turn requires comprehensive disclosure of the network operator’s own policies for the same.

However, the Draft does provide a newly detailed list of what each network operator’s policies should specifically address, i.e. including but not limited to: basic information on the network operator; name and contact information for the person in charge of operations and the person in charge of data security; the purpose, type, quantity, frequency, method and scope of personal information to be collected and used; the approaches and methods by which the personal information subject can revoke consent and inquire, modify or delete their personal information; and channels for complaints and reports. 

The Draft also provides requirements as to the form of such rules, including that if the rules are included in a privacy policy, they should be relatively centralized and clearly indicated for easy reading.

Note that the definition of “network operator” retains the same meaning as in the Cybersecurity Law, namely “owners or administrators of any network or any network service providers”.

Personal Information should not be collected under the pretext of improving services

Same as stipulated in the existing rules for collection and use of personal information, the Draft is clear that user consent cannot be collected in the form of default authorization. The Draft further specifies that network operators are not allowed to force or mislead users to agree to collect their personal information in the form of function bundling under the guise of improving service quality, improving user experience, targeted push of information or developing new products.

Further, the Draft provides users the right to opt out of authorization for collection their information which is not for the network operator’s core service, under which case, the network operator can't refuse to provide its core service to the user based on the reason that such user disagrees to provide its personal information other than those already provided for the core service. However, the Draft does not provide the definition for core service. Accordingly, determining a network operator’s core service becomes a critical decision. For example, for an internet search service provider, is its core service search or advertisement, and can the user opt out of the advertising service but still use the search service?

New filing requirements for the collection of important data and sensitive data

The Draft requires network operators who collect important data or sensitive personal information for commercial purposes to file a record with the local cyberspace administrative authority. However, there is no definition of "sensitive personal information" in this Draft. There was a definition of “sensitive personal information” provided in the national standard “Information Security Technology — Personal Information Security Specification” issued in 2015, but it is not clear if that definition should be applied here.

The Draft does provide a definition of “important data”, but it is quite broad and imprecise, i.e.: data that may directly affect national security, economic security, social stability, public health and safety, such as undisclosed government information, large-area population, genetic health, geography, and mineral resources. Important data generally does not include business operations and internal management information, personal information, and etc.

Lastly, detailed rules and procedures for the required filing requirement have not yet been provided.

Content pushed or synthesized using big data must be clearly marked

To address that growing concern over the use of big data in promotions and marketing, the Draft specifies that when using user data and algorithms to push news information or advertisements (defined as a "Targeted Push"), the word "Targeted Push" must be included in an obvious way, and the recipient must be given a way to stop receiving such Targeted Pushes from the network operator. If the recipient then chooses to stop receiving the Targeted Push, the network operator must stop the Targeted Push and delete the user’s data collected in connection with the Targeted Push, e.g. the device identification code.

The Draft also stipulates that if any news or blog posts are automatically synthesized using big data, artificial intelligence or other technologies, the articles must be clearly marked with the word “Synthesis”.

Network operators now liable for user losses related to data security caused by third-party apps available on the platform

This is the one of the strictest new requirements under the Draft. If finalized in its current form, the Draft would provide that the operators of any platform that gives users access to third-party apps: (i) must specify data security requirements for all such third-party apps on the platform, and must “supervise” the compliance of such third party apps with data security management , and (ii) will be liable in whole or in part for losses to users caused by such third party apps due to data security issues, unless the operator can prove that it was not at fault. Given the obligation to “supervise” compliance, it would be reasonable to anticipate that there will be a high threshold for proving lack of fault.

This creates a new and heavy burden for platform operators to police the data security practices of apps made available on the platform. And until detailed rules for allocating and proving liability between platform and app are promulgated, there will be significant uncertainty around potential costs and any needed changes to the platform model.

Conclusion

The Draft is generally consistent with the existing rules on data security, but includes a number of innovations that, if included in the final form, will create additional material obligations for advertisers and platform operators.