The summer has been anything but slow in the People’s Republic of China. China is leaning into its regulation of emerging technologies, while attempting to strike a balance with its domestic economic priorities. In just the past few weeks, state authorities have issued a slew of draft measures and announced new initiatives – all with significant ramifications for businesses processing data within the PRC. From personal information processing to facial recognition to cross-border data transfers, what follows is a highlight reel of what you may have missed while you were away on vacation, with the comment period for many of these developments closing within the next few weeks.
This flurry of developments coincides with the United States’ Executive Order on outbound investment regulations that will limit a variety of American investments in certain Chinese technologies. Although many of China’s draft regulatory measures overviewed below had been long in the works, its recent announcements on cross-border data transfers will help better position the Chinese economy vis-à-vis markets beyond the United States.
Draft Administrative Measures of Compliance Audit on Personal Information Protection – On August 3, 2023, the Cyberspace Administration of China (“CAC”) issued the draft Administrative Measures of Compliance Audit on Personal Information Protection (“Audit Measures”) for public comment until September 2, 2023.
- According to the Audit Measures, personal information (“PI”) processors are required to conduct compliance audits on their PI processing activities on a regular basis. The frequency of the regular compliance audits depends on the amount of PI processed. A PI processor that processes more than 1 million individuals’ PI (“Mass Processors”) must conduct compliance audit at least once per year; non-Mass-Processors must conduct compliance audits at least once every two years.PI processors may internally conduct regular compliance audits or choose to engage a third-party auditor.
- The CAC may also require a PI processor to conduct a compliance audit if the CAC identifies any significant risks in its data processing activities or in response to a data breach. Here, if the compliance audit is conducted at the request of the CAC, a third-party auditor must be engaged; processors may not conduct the audit themselves.
- The Audit Measures provide a list of key issues and elements to be covered in a compliance audit. These require PI processors to manage their data throughout its lifecycle, from data collection to data destruction, and cover issues such as cross-border data transfers, incident response, and security risk assessments.
Information Security Technology – Security Requirements for the Handling of Sensitive Personal Information (Draft for Public Comments) – On 9 August 2023, the Secretariat of the National Information Security Standardisation Technical Committee (“TC260”) issued the draft recommendatory national standard: Information Security Technology – Security Requirements for the Handling of Sensitive Personal Information (“Standard”). Public comments are being accepted until October 8, 2023.
- According to the Standard, a PI processor may process sensitive PI only when there are “specific purpose(s)” and “sufficient necessity” to do so. In addition, where the processing is based on consent, a data processor should provide enhanced notification (e.g., a separate pop-up) to and obtain separate consent from relevant data subjects before processing their sensitive PI.
- Generally, processing of sensitive PI would be subject to stricter security requirements. These measures include disabling functionality that allows sensitive PI to be copied, printed, or captured in screenshots; encrypting internet-based transmissions; and implementing certain auditing and monitoring capabilities.
- The Standard also provides special security requirements for the processing of certain categories of sensitive PI such as biological, religious, medical and health, financial, whereabouts and children personal information.
- Notably, sensitive PI may be protected as important data if the amount reaches a certain threshold (which is not specified in the Standard).
Draft Regulations on Security Management of Face Recognition Technology Application (Trial) – On August 8, 2023, the CAC released the draft Regulations on Security Management of Face Recognition Technology Application (Trial) (“FRT Regulations”) for public comments until September 7, 2023.
- Generally, FRT should be used sparingly. Under the FRT Regulations, FRT may be used only when there are “specific purpose(s)” and “sufficient necessity” to do so, and when strict protection measures are taken. Where there are any other non-biometric identification technology solutions to achieve the same purpose or meet the same business objectives, these non-biometric identification technology solutions must be taken.
- No entities or individuals may use FRT to analyze sensitive PI, such as an individual’s race, ethnicity, religious beliefs, health status, and/or social class, unless (1) it is necessary to safeguard China’s national security, public security or to protect the life, health and property of a natural person in case of an emergency; or (2) separate consent has been obtained from the individual.
- PI processors are required to file a record with the local CAC within 30 working days when (1) using FRT in public places, or (2) storing more than 10,000 people’s face information.
- PI processors may not store original facial images, pictures, or videos unless (1) specifically permitted by law, (2) separate consent from the data subjects is obtained, or (3) the facial information is anonymized.
- To provide FRT services to the public, the underlying information system must meet the requirements for Level 3 under the Multi-Level Protection Scheme (“MLPS”). PI processors must also implement specific security measures to protect face information. These include encryption, security auditing, access controls, and intrusion detection.
Draft Measures for the Management of Data Security in the Business Domain of the PBOC – On July 24, 2023, the People’s Bank of China (“PBOC“) issued the draft Measures for the Management of Data Security in the Business Domain of the PBOC (“PBOC Measures“) for public comments until August 24, 2023.
- The PBOC Measures apply to the processing of PBOC business data within the territory of China. PBOC business data is defined as network data not involving state secrets that is generated and collected when carrying out various business activities for which PBOC assumes supervisory and management responsibilities.
- The PBOC Measures classify PBOC business data into three categories: (1) general data, (2) important data, and (3) core data. The category is based on the degree of precision and scale of data and impact on China’s national security.
- Under this three-tiered structure, data processors are required to further classify the PBOC business data into five levels, from low to high, based on the degree of harm that may be caused – to specific entities or the public interest more broadly — if the data is leaked or illegally acquired or used.
- The PBOC Measures also require data processors to determine the necessary level of data availability, based on the impact on business continuity if the PBOC business data is tampered with or destroyed.
- The PBOC Measures provide for detailed security measures, based on the classification of the data. Generally, PBOC business data is required to be stored within China. To transfer any PBOC business data outside of China, data processors must pass a CAC security assessment.
Opinions of the State Council on Further Optimizing the Foreign Investment Environment and Increasing Efforts to Attract Foreign Investment – On August 13, the PRC State Council issued the Opinions of the State Council on Further Optimizing the Foreign Investment Environment and Increasing Efforts to Attract Foreign Investment (“Opinion”).
- Among other things, such as tax and fiscal incentives to foreign-invested-enterprises (“FIEs”), the Opinion provides that China will establish a “green channel” for qualified FIEs for the security assessment of their cross-border data transfer activities, with the aim of accelerating the approval process for cross-border data transfers conducted by FIEs.
- The central government will also support Beijing, Tianjin, Shanghai, and the Greater Bay Area (including Hong Kong, Macau, Shenzhen, and Guangzhou) to issue a “list of general data” that can be freely transferred out of China. Here, too, the intent is to allow for easier business operations. The Opinion comes just weeks after an announcement that the CAC and Hong Kong’s Innovation, Technology and Industry Bureau had signed an unpublished Memorandum of Understanding (“MOU”) to facilitate cross-border transfers between the Greater Bay Area and Hong Kong, largely in an effort to establish Hong Kong as a data hub.
For further information, please contact:
Evan Y. Chuck, Partner, Crowell & Moring