China’s Data Security and Privacy Laws
To date, China relies on several privacy and security related laws. It does not have a comprehensive data privacy law. That’s about to change. China is moving forward with a set of privacy and security laws (Personal Information Protection Law, Data Security Law) focused on national security and the processing of newly defined categories of data. Below is a brief review of the laws.
Personal Information Protection Law (PIPL) China recently introduced a second version of the draft Personal Information Protection Law (PIPL). Like GDPR, PIPL has a broad extra-territorial effect. The law applies to processing of personal information of Chinese individuals that happens outside of China if the purpose is:
- To provide products or services to individuals in China
- To “analyze” or “assess” the behavior of individuals in China, or
- For other purposes to be specified by laws and regulations
Companies doing business with China should begin thinking about the pending impact of this law. Some of the considerations include:
- Basis of Processing: Currently, under China’s Cybersecurity Law, “consent” is the only available legal basis for collecting and using personal information. PIPL reads more like GDPR with multiple legal bases for processing. Some types of processing will however be based on consent. Examples include people under 14, or sharing sensitive information. The law calls for processing to be based on a “minimum necessary” standard and requirements for automated decision-making, concepts consistent with GDPR.
- Data Subject Rights: PIPL includes data subject rights including: a right to information and explanation on the data processing, to access, to correction, to object processing, to withdraw consent, and to deletion.
- Localization: Critical information infrastructure operators and businesses who process personal information of a certain volume (currently unspecified) are required to store the personal information collected and generated within the borders of China.
- Cross-border Transfers. Transfers will require:
- A security assessment administered by the Cyberspace Administration of China and record keeping of those assessments
- Notice and consent
- A standard transfer agreement
- Data Breach Notification. In the event of a data breach, PIPL requires businesses to take “immediate” remediation actions and notify the relevant agency and affected individuals. Currently the draft does not provide a time limit for notification.
- Penalties. Businesses that unlawfully process personal information or fail to take necessary security measures to protect personal information may be subject to fines up to 1 million RMB. Serious violations may see increased fines of up to 50 million RMB or 5% of the organization’s annual revenue for the prior financial year.
Data Security Law (DSL)
On June 10, 2021, China passed its Data Security Law (“DSL”). The DSL will impact all businesses operating in or doing business with China. DSL has extensive obligations and significant penalties tied to the processing of specific categories of data.
There have been two previous drafts of the DSL. The final version adds a new “national core data” category for data that impacts “national security, the lifelines of the national economy, are important to people’s livelihood, and important to the public interest.” This category of data is subject to enhanced processing restrictions. The exact definition of these data categories was intentionally written to be broad and vague to allow for flexible interpretation.
While the DSL will take effect on September 1, 2021, specific guidance on how to implement it has yet to be released. One significant example is on “Important data,” a key focus of the DSL, which is not defined in the DSL or other Chinese laws or regulations.
The DSL applies to all types of data processing activities, including collection, storage, use, refining, transmission, provision, and disclosure of data carried out within China. Some of the key proponents of the law are as follows:
- Data Categorization and Classification: Formulated by relevant government agencies, establish a data categorization and classification system with strong protection of “important data”. This will be based on the impact inappropriate use of the data would have on national security and public and private interests.
- Multi-Level Protection Scheme: Implementation of the Multi-Level Protection Scheme (“MLPS”) called out in the Cybersecurity Law. This will require specific levels of security based on the potential damage caused to national security, social order, or public interest as a result of breaches or network disruptions.
- Data Transfer Restrictions: Prohibits providing any data stored in China to law enforcement authorities or judicial bodies outside of China without prior Chinese government approval.
- Data Security: Extensive data security obligations will be imposed on companies processing or collecting data in China. For example, cross-border transfer of “important data,” will be subject to separate regulatory frameworks for Critical Information Infrastructure Operators (“CIIOs”) and non-CIIOs. CIIOs must follow the regulations under the Cybersecurity Law. Non- CIIOs must follow the rules to be promulgated by the Cyberspace Administration of China and other government agencies.
- Penalties: The DSL has severe penalties for businesses violating the law including:
- Suspension of the business
- Revocation of the business license
- Fines up to RMB 10 million (US$1,560,000)
- Potential criminal penalties.
- Individuals directly responsible for violations may be subject to fines up to RMB 1 million (US$156,000) and potential criminal penalties.
The new Chinese laws in many ways are in alignment with laws like GDPR. There are requirements for privacy rights, notifying users of incidents, performing impact assessments, consent for transfers, designation of a DPO, stringent data security, and severe penalties. They are also more extensive with respect to its citizens and government.
Although the laws still lack the important implementation and compliance guidance, companies doing business in and with China should begin reviewing their data processing activities for noncompliance risks.