13 June, 2019
On May 28, 2019, the Cyberspace Administration of China (“CAC”) issued the Measures for Data Security Management (Draft for Comment) (the “Measures”), in order to solicit public opinions, which can be submitted up until June 28, 2019.
This article provides a summary of the key elements of the Measures.
I. Scope of Application
Article 2 of the Measures clearly stipulates that "these Measures apply to data collection, storage, transmission, processing, use and other activities via networks within the territory of the People’s Republic of China (hereinafter referred to as data activities), and to data security protection, supervision and management. These Measures do not apply to matters pertaining purely to household and personal affairs."
The definition of “network” according to the Cybersecurity Law[1] is very broad, and it is our understanding that the scenarios in which the Measures apply will be similarly wide-ranging. The data-related activities of various types of organizations and individuals in China may be subject to the Measures and may, for example, include the collection of manufacturing-related data from industrial control systems by manufacturers, or information collected through local area networks or online by other general types of business.
While Article 2 provides a broad definition of “data activities”, the key types of data for regulation by the Measures are consistent with the definition used in the Cybersecurity Law, and remain "personal information" and "important data."
Article 38 of the Measures defines “important data” as “data such as undisclosed government information, large-area population information, genetic information, geographic information or mineral resources information, that if leaked could directly affect national security, economic security, social stability or public health and safety. Important data does not include production, operational and internal management information, personal information, etc.”
Although the definition of important data remains very general, the exclusion clause may be helpful to businesses in determining the scope of important data, since they can at least exclude their own production and operational data from such “important data.”
II. Strict Rules on the Protection of Personal Information and Important Data
The Measures reiterate and strengthen the provisions for the protection of personal information that were provided for in various previously issued regulations and guidelines, including the Personal Information Security Regulations, the Guidelines for Internet Personal Information Security Protection, and the Guide to the Self-Assessment of Illegal Collection and Use of Personal Information by Apps.
Providing details of the responsible person and the means to withdraw consent
Article 8 explicitly requires that the rules for collection and use should clearly provide and highlight “the name and contact information of the responsible person for data security” and the “method of obtaining consent from the subject of personal information.”
Limitations on the purposes for information collection
Article 11 of the Measures stipulates that "network operators must not force or mislead personal information subjects to agree to the collection of their personal information in the form of default permission, function bundling, etc., on the grounds that it will result in an improvement in service quality or user experience, provide custom content, or help develop new products." The elements whose interpretation will be most likely to directly impact the related privacy practices of businesses are "not force or mislead the consent of personal information subjects” and “in the form of default permission, function binding, etc."
The Measures also make reference to the distinction between core functions and other functions that is drawn in the Personal Information Security Regulations, in which it is indicated that network operators shall provide core functions to personal information subjects when those subjects agree to the collection of the personal information that applies to such core functions. However, network operators shall not refuse to provide core functions to information subjects if such subjects refuse to provide consent, or revoke their consent, for the collection of other information (which is not necessary for the core functions).
Requirements for collecting personal information from minors
Article 12 of the Measures clearly stipulates that the collection of personal information from a minor under the age of 14 shall require the consent of his/her guardian.
Appointment and responsibilities of person responsible for network security
Article 17 of the Measures stipulates that if a network operator collects important data or personal sensitive information for the purpose of its operations, it shall nominate a staff member to be responsible for data security. Such person responsible for data security shall have data security expertise and appropriate management experience, shall participate in decision-making about data activities, and report directly to the principal responsible person of the company.
Filing the collection of important data and personal sensitive data
Article 15 of the Measures for the first time proposes that “network operators collecting important data or personal sensitive information for business purposes shall file with the local network information department. The filing content includes the collection and usage rules, the purpose, scale, method, scope, type and duration, etc., of collection and usage.”
The current definition of "personal sensitive data" in the Personal Information Security Regulations is quite broad, and includes mobile phone numbers, email addresses, system account numbers, web browsing history, precise positioning information, etc. Should this element of the Measures ultimately be implemented, it may therefore involve extensive filing requirements.
Pre-assessment and exclusion before providing personal information
Article 27 of the Measures stipulates that before providing personal information to others, the possible security risks should be assessed and the personal information subject’s consent should be obtained.
It is currently not clear how such security risk assessment should be conducted.
Evaluation and approval before transferring important data
Article 28 of the Measures stipulates that “network operators shall assess the potential security risks before publishing, sharing, transacting or providing important data overseas, and shall report to the competent industrial authority for approval. If the competent industrial authority is not clear, it should be approved by the provincial cyberspace administration department."
The security assessment requirements of the Measures are stricter than the applicable requirements of the Administrative Measures for the Assessment of Outbound Security of Personal Information and Important Data (Draft for Comment) issued by the CAC in 2017. The Measures not only require a security assessment for the release, sharing and trading of important data, but also require a security assessment report to be submitted to the competent industrial authorities or the counterparts of the CAC.
Notification obligation for personal information security incidents
Article 35 of the Measures for the first time explicitly requires that in the event of data security incidents such as disclosure, damage, or loss of personal information, or when the risk of such is significantly increased, the network operator should inform the personal information subject by telephone, SMS, email or letter.
III. New Provisions for the Use of Data
Labeling customized content
Article 23 of the Measures for the first time proposes that when network operators apply algorithms to user data in order to push specific news and commercial advertisements, etc., they shall clearly label such news and commercial advertisements as “customized” (定推 in Chinese) and provide users with the means to unsubscribe from such customized “push marketing” content.
When the user chooses to stop receiving push marketing, network operators shall stop such push marketing and delete the data and personal information collected for it, including any device identifiers.
This requirement is likely to have a significant and substantial impact on the current practices of the online advertising industry.
Label as “Generated”
Article 24 of the Measures proposes, also for the first time, that "when network operators use big data, artificial intelligence and other technologies to automatically generate news, blog posts, posts, comments and content, it should clearly be labeled as 'generated'. Content shall not be automatically generated with the intention of making profits or harming others."
The interpretation of "not be … with the intention of making profits" requires further explanation by the regulatory authorities.
IV. Strict Liability
Responsibilities for indirectly collected personal information
Article 14 of the Measures for the first time proposes that “network operators obtaining personal information from other sources shall have the same protection responsibilities and obligations as if the personal information was collected directly.”
Presumption of fault in data security incidents
Article 30 of the Measures stipulates that “network operators shall clarify data security requirements and responsibilities for any third-party applications which are connected to the network operator’s platform, and supervise third-party operators in order to strengthen data security management. If such third-party applications cause data security incidents and result in losses to users, the network operator shall be liable for part of or the entirety of the accident unless the network operator can prove that it has no fault.”
The application of the principle of the presumption of fault will impose an extremely high requirement on the network operators of platforms.
Data responsibility in M&A
Article 31 of the Measures stipulates, for the first time, that “When a network operator merges, reorganizes, or goes bankrupt, the data acquirer shall undertake the data security responsibilities and obligations. If there is no data acquirer, the data shall be deleted. Where the laws or administrative regulations provide otherwise, such requirements shall be followed."
Hence, for any merger or acquisition, if the acquirer takes on the data of the acquired party, it should take into account the corresponding data security responsibilities and obligations.
V. Our observation
The Measures propose many new requirements, responsibilities and obligations, some of which may significantly impact upon network operators including online and other types of business.
With the Measures still seeking public comment, we will pay close attention to and pass on further details of any legislative updates.
[1] Cybersecurity Law of the People’s Republic of China, enacted November 2016, implemented June 2017.