Indication of timeframes under PRC data protection framework

Legal uncertainties have long been the biggest challenge for multinational companies in their data protection compliance in China. The Data Security Law (“DSL”), which became effective on 1 September 2021, and the Personal Information Protection Law (“PIPL”), which became effective on 1 November 2021, brought complexity to many issues as they referenced requirements under other laws and regulations. The situation is expected to improve since the Cyberspace Administration of China (“CAC”) released, on 14 November 2021, its draft Network Data Security Management Regulations (“Draft”) and invited public comments. The Draft introduces quantitative criteria which will hopefully increase clarity with regard to data protection compliance in the future. We will discuss the proposed quantitative criteria in this Insight.

Three working days or fewer

The term “data processor” has a much broader meaning under the People’s Republic of China law than under EU law, as under the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the term encompasses the roles of both data processors and data controllers. A data processor is legally obliged to notify/report a personal information (“PI”) breach to both the data subject and the authorities in charge. However, Article 42 of the Cybersecurity Law (“CSL”), which took effect on 1 June 2017, and Article 57 of the PIPL both address this reporting obligation but remain silent on the time period within which the data processor must perform this obligation. Article 11 of the Draft now stipulates that a data processor shall first have a security and contingency management mechanism in place to prevent the impact of a PI breach from growing and to eliminate security deficiencies. Should a PI breach endanger an individual or an organisation, the data processor shall, within three working days, by telephone, text message, instant messaging tools, email, or other means, notify the concerned party of the PI breach together with the details set out below:

• details about the PI breach and risk exposure which, under the PIPL, shall cover categories of the PI leaked, altered, or lost, and reasons for the breach;
• negative implications;
• measures taken by the processor; and
• if complying with the PIPL, measures that could be taken by the data subject to mitigate damages, as well as the contact details of the data processor.

A public announcement should also be made if the aforementioned reporting is not practical. The PI breach should also be reported to the police. The Draft allows an exemption from the reporting obligation if so allowed by law. For example, Article 57 of the PIPL allows the data processor to not notify a data subject if the measures it took could prevent the occurrence of damages resulting from a PI breach, unless the competent regulator deems otherwise and requires the processor to comply with the notification obligation.

It should be noted that the above deadline will become much shorter and the respective reporting obligation could become much more complicated if a breach case concerns important data or more than 100,000 data subjects. The Draft gives equal weight to “100,000 data subjects” and “important data”, a term for which the Draft provides a specific scope under Article 73 (3). In such case, a data processor is required to follow the deadlines below to report the case to the CAC’s local branch at the municipal level as well as to the respective industrial watchdog:

• within eight hours of the occurrence of the breach, to report the quantity and categories of data concerned, possible impact, and measures taken or to be taken; and
• within five working days upon wrapping up the PI breach case, to report the cause of the case, adverse consequences, whether any entity is being pursued for liability, and improvement actions in the form of an investigation evaluation report.

15 working days

Another deadline often referred to under the Draft is 15 working days. The first application of this deadline in the Draft is the deletion or anonymisation of data if any of the following happens:

• the purpose of processing has been accomplished or the processing is no longer necessary for such purpose;
• the data retention period, as agreed with the data subject, or under the data processor’s privacy rules has expired;
• service to a data subject comes to an end or their personal account is de-registered; or
• due to automated collection technologies (e.g. surveillance in public venues), any unnecessary PI, the collection of which is inevitable, or any other PI is obtained without consent of the data subjects.

If it is difficult to follow the 15 working day deadline due to technical impossibility or business complexities, the data processor is legally required to limit its further PI processing to storage and necessary security measures while a reasonable explanation shall be given to data subjects, unless processing is otherwise required by laws and regulations.

The 15 working day deadline will also apply to the following:

• Data Subject Access Request (DSAR): a data processor is obliged to take action and respond within this deadline after receiving a request to copy, correct, supplement, limit processing, delete a data subject’s PI, when there is a request to withdraw a given consent, or to de-register their account. The Draft generally requires the data processor to make it convenient for the data subjects to exercise their aforementioned rights.
• Filing of important data: identification of important data will oblige the respective processor to conduct a filing with the local CAC at the municipal level within this deadline. The filing shall cover details of the data processor, including its internal data protection mechanisms and contact details of those responsible for data security functions, details of the processing (e.g. purpose, scale, method, scope, categories, retention period, and storage venues), and other filing details as required by the regulators. While any material change of purpose, scope, categories of data, and security measures shall trigger the filing requirement again. Nevertheless, filing of the important data concerned is not required to be filed.

Other relevant time periods

There are many other time periods under the Draft which will better facilitate multinational companies’ data compliance under Chinese laws. For example, the term of five years becomes a statutory duration for a data processor to retain respective records of processing if it provides PI to others, and shares, trades, or engages others to process important data. The respective records to be kept for five years shall include a record of consents, a log record on provision of PI to others, and a record of approvals for sharing, trading, or entrusting others to process important data. The Draft also introduces a requisite number of hours to regulate the training that a processor of important data shall follow, at least 20 hours of training every year shall be received by technical staff and management members who are in charge of data security matters.

Many articles of the Draft, such as Articles 13, 14, and 26, link a company’s compliance obligations with the number of data subjects concerned. Processing the PI of over 1 million data subjects may trigger:

• a cybersecurity review, which is closely associated with concern for national security, if a company goes public in a foreign capital market;
• filing by the data recipient to the local municipality in charge, in case of corporate merger, restructuring, or division; and
• all statutory obligations that apply to a processor of important data. Such obligations will include, for example, a security assessment organised by the CAC if such PI is to be transmitted overseas.

The above link between 1 million data subjects and important data is a very interesting development under the Draft, which again shows the importance of national security in the context of People’s Republic of China (“PRC”) data protection laws. This is quite different from the GDPR which mainly focuses on privacy topics. Ignoring such a difference is quite often the reason for any confusion in understanding the implications of the PRC data protection regime, which has been constantly and rapidly developing in recent years. Although the Draft does not answer all questions pending under the DSL and the PIPL, as well as the earlier CSL, the CAC’s efforts do shed light on many existing issues which will help to substantiate the compliance guidance for data protection in China. Whether the Draft will soon be launched, or just remain as the CAC’s legislative attempt, as seen in many other earlier cases, remains to be seen.