Legal uncertainties have long been the biggest challenge for multinational companies in their data protection compliance in China. The Data Security Law (“DSL”), which became effective on 1 September 2021, and the Personal Information Protection Law (“PIPL”), which became effective on 1 November 2021, brought complexity to many issues as they referenced requirements under other laws and regulations. The situation is expected to improve since the Cyberspace Administration of China (“CAC”) released, on 14 November 2021, its draft Network Data Security Management Regulations (“Draft”) and invited public comments. The Draft introduces quantitative criteria which will hopefully increase clarity with regard to data protection compliance in the future. We will discuss the proposed quantitative criteria in this Insight.
The term “data processor” has a much broader meaning under the People’s Republic of China law than under EU law, as under the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), the term encompasses the roles of both data processors and data controllers. A data processor is legally obliged to notify/report a personal information (“PI”) breach to both the data subject and the authorities in charge. However, Article 42 of the Cybersecurity Law (“CSL”), which took effect on 1 June 2017, and Article 57 of the PIPL both address this reporting obligation but remain silent on the time period within which the data processor must perform this obligation. Article 11 of the Draft now stipulates that a data processor shall first have a security and contingency management mechanism in place to prevent the impact of a PI breach from growing and to eliminate security deficiencies. Should a PI breach endanger an individual or an organisation, the data processor shall, within three working days, by telephone, text message, instant messaging tools, email, or other means, notify the concerned party of the PI breach together with the details set out below:
A public announcement should also be made if the aforementioned reporting is not practical. The PI breach should also be reported to the police. The Draft allows an exemption from the reporting obligation if so allowed by law. For example, Article 57 of the PIPL allows the data processor to not notify a data subject if the measures it took could prevent the occurrence of damages resulting from a PI breach, unless the competent regulator deems otherwise and requires the processor to comply with the notification obligation.
It should be noted that the above deadline will become much shorter and the respective reporting obligation could become much more complicated if a breach case concerns important data or more than 100,000 data subjects. The Draft gives equal weight to “100,000 data subjects” and “important data”, a term for which the Draft provides a specific scope under Article 73 (3). In such case, a data processor is required to follow the deadlines below to report the case to the CAC’s local branch at the municipal level as well as to the respective industrial watchdog:
Another deadline often referred to under the Draft is 15 working days. The first application of this deadline in the Draft is the deletion or anonymisation of data if any of the following happens:
If it is difficult to follow the 15 working day deadline due to technical impossibility or business complexities, the data processor is legally required to limit its further PI processing to storage and necessary security measures while a reasonable explanation shall be given to data subjects, unless processing is otherwise required by laws and regulations.
The 15 working day deadline will also apply to the following:
There are many other time periods under the Draft which will better facilitate multinational companies’ data compliance under Chinese laws. For example, the term of five years becomes a statutory duration for a data processor to retain respective records of processing if it provides PI to others, and shares, trades, or engages others to process important data. The respective records to be kept for five years shall include a record of consents, a log record on provision of PI to others, and a record of approvals for sharing, trading, or entrusting others to process important data. The Draft also introduces a requisite number of hours to regulate the training that a processor of important data shall follow, at least 20 hours of training every year shall be received by technical staff and management members who are in charge of data security matters.
Many articles of the Draft, such as Articles 13, 14, and 26, link a company’s compliance obligations with the number of data subjects concerned. Processing the PI of over 1 million data subjects may trigger:
The above link between 1 million data subjects and important data is a very interesting development under the Draft, which again shows the importance of national security in the context of People’s Republic of China (“PRC”) data protection laws. This is quite different from the GDPR which mainly focuses on privacy topics. Ignoring such a difference is quite often the reason for any confusion in understanding the implications of the PRC data protection regime, which has been constantly and rapidly developing in recent years. Although the Draft does not answer all questions pending under the DSL and the PIPL, as well as the earlier CSL, the CAC’s efforts do shed light on many existing issues which will help to substantiate the compliance guidance for data protection in China. Whether the Draft will soon be launched, or just remain as the CAC’s legislative attempt, as seen in many other earlier cases, remains to be seen.
Our China team looks at the impact of China's latest data security law on international businesses