11 June, 2019
Data security is one of the key areas of emphasis under China's Cyber Security Law (CSL), which came into force in 2017. On 28 May 2019, the Cyberspace Administration of China released its Data Security Management Measures (draft for public comments) (the Data Draft). The Data Draft is prepared on the basis of the CSL and takes into account relevant supplementary legislation and recommended national standards, both those currently in force and those still open for public comment. On that basis, the Data Draft sets out detailed compliance requirements for data security.
Once in force, the Data Draft will become one of the enforcement bases (as supplementary legislation) for China's government agencies. It will have greater legal effect than the recommended national standards (e.g., the Information Security Technology – Personal Information Security Specification (2018 version)), which are not mandatory. Compared with the CSL (the fundamental law, which also serves as an enforcement basis), the Data Draft supplements and expands the interpretation of some existing rules. The areas with the most substantial changes include:
| No. | Matters regulated | CSL | Data Draft |
| --- | --- | --- | --- |
| 1 | Record-filing for the collection of important data and sensitive personal information | No specific rules. | Network operators collecting important data or sensitive personal information for business operation purposes shall file a record with the local cyberspace administration. |
| 2 | Access by automated means | No specific rules. | Network operators that use automated means (e.g., web robots) to access or collect website data must cease such automated access and collection if (1) the access or collection seriously affects the website's operation, e.g., the traffic from automated visits or data collection exceeds one-third of the website's daily average traffic, and (2) the website so requests. |
| 3 | Individual data subjects' rights | The CSL provides data subjects (e.g., users) with rights of correction and deletion over their collected personal information. | The Data Draft further defines the data subject's rights to withdraw consent, to access information and to close accounts in relation to personal information [1]. |
| 4 | Targeted push | No specific rules. | Network operators that use user data and algorithms to push news, commercial advertisements and the like shall clearly label such content "targeted push" and provide users with a function to stop receiving it. When a user chooses not to receive targeted push, the network operator shall delete the user data as well as any personal information. |
| 5 | Automatically synthesized information | No specific rules. | Network operators that use technology to automatically synthesize information such as news, blog posts, forum posts and comments shall clearly label it "synthesized". Such activity shall not be conducted for profit or to damage the interests of others. |
| 6 | Security assessment of important data by government agencies [2] | The assessment applies to cross-border transfers of important data by critical information infrastructure operators. | The assessment applies to the publishing, sharing, transaction and cross-border transfer of network operators' important data [3]. |
| 7 | Duty to assist government agencies | Network operators shall provide technical support and assistance to public security and national security authorities in their efforts to safeguard national security and investigate crimes. | In order to perform their duties with respect to national security, social management, economic control and so forth, the relevant competent departments of the State Council may require a network operator to provide relevant data in its possession in accordance with the law. |
For the other compliance requirements, the Data Draft makes extensive reference to the relevant rules (e.g., the rules on the collection and use of personal information) in the recommended national standards, and attempts to clarify some basic issues (e.g., it provides that "important data normally does not include information related to the production, operation and internal management of businesses, or any personal information").
Judging from the current text of the draft, the Data Security Management Measures will probably impose heavier compliance burdens on network operators. On the whole, however, the data regulatory system established by this legislation remains conducive to data protection and compliance practice. We will continue to monitor further developments of this legislation.
For further information, please contact:
Myles Seto, Partner, Deacons
myles.seto@deacons.com.hk