Data protection and cybersecurity are evolving areas of regulation in Asia. Here, experts shed light on emerging jurisprudence in the region’s top jurisdictions
We are now at a frustrating moment. COVID-19 cuts down the number of international trips, locks down many states and cities, keeps many of us at home, and drives more and more people online for work, life, and entertainment. Never before have we so warmly embraced internet-based businesses, never before have we exposed ourselves so thoroughly over the internet, and never before have we so seriously considered protecting our personal data and privacy information.
Businesses are also extraordinarily wary of the compliance risks arising from their use of personal data and from online privacy regulations. There is the General Data Protection Regulation (GDPR) in the EU, home to traditional manufacturing giants, and there is the California Consumer Protection Act (CCPA) in California, the origin of the worldwide web and the base of many internet tycoons. What is there in China, with its history of imperial dynasties and, more recently, a test bed of innovative manufacturing technologies?
The law
China has not enacted one law that comprehensively covers all aspects of data protection and will not do so. In December 2019, the Standing Committee of the National People’s Congress announced a 2020 legislative plan to draft a Personal Information Protection Law and a Data Security Law. This is mainly because China wants its data protection mechanism to protect both personal data and online privacy that is important to individual citizens, and the so-called important data that are of governmental interest. This dual-purpose approach was a conservative one in an era of globalization. However, it may not seem so conservative after all, given the current breakdown in globalization, as evidenced by rising populism in several major Western countries.
Under the current mechanism, the regulations and requirements on data protection are spread across various laws, as well as some recommended operational standards at the national level. More specifically, China’s data protection legal mechanisms are spread throughout the following four areas:
(1) General data security requirements, including the Cybersecurity Law (CSL) and its implementing regulations and standards;
(2) National secret data protection, including the Law on Guarding National Secrets and its implementing regulations and rules;
(3) Personal information protection, including the Civil Law, the Law on Protecting the Rights and Interests of Consumers, and relevant national standards; and
(4) Important data protection, including the regulations that are applicable within an industry or a region issued by the ministries or local governments.
The regulators
Because of the dual-purpose nature of China’s data protection mechanism, China needs more than one regulator to govern both functions in its data protection scheme. The following five key regulators oversee data protection:
(1) The Cyberspace Administration of China (CAC), which leads the legislative efforts, and guides and co-ordinates law enforcement, among other regulators;
(2) The Ministry of Public Security (MPS), which is responsible for policing data protection crimes and network security violations;
(3) The State Administration for Market Regulation (SAMR), which supervises personal data protection-related activities in the market, such as the illegal invasion of consumers’ privacy;
(4) The Ministry of Industry and Information Technology (MIIT), which is responsible for data protection in telecommunications services; and
(5) Other ministries that oversee data protection compliance in the industries they respectively regulate.
Personal data and information
Principles of lawfulness, justification and necessity. The law generally requires network operators to engage in personal information-related business lawfully, with justifiable reasons and demonstrable necessity. The standards that determine lawfulness, with justification and necessity, can be found in several non-compulsory national standards released by the National Information Security Standardization Technical Committee (TC260), such as the Information Security Technology – Personal Information Security Specification.
Consent is a must. Under this principle, a network operator is required to announce its rules and policies on its collection and use of personal information, and to inform the personal information subjects of its purposes, means and scope of collection. Before any sensitive personal information is collected, a network operator must obtain the informed and explicit consent of the personal information subjects. Examples of sensitive personal information include human faces and bank accounts.
Requirements of whole lifecycle protection of personal information. The requirement to protect personal information covers its whole lifecycle, from collection to storage, to use, to processing, to sharing and transfer, until and including deletion and disposal. Some key requirements in each of the lifecycle phases are highlighted below:
Collection: Network operators must strictly comply with the principles of lawfulness, with justification, necessity and consent.
Use and process: Using and processing personal data must not exceed the scope of consents received before collection. When it is necessary to use and process personal data beyond the corresponding consents received, the network operators must obtain additional consents to the expanded scope. A noteworthy situation is data processing outsourcing, and a network operator must ensure that the above-mentioned requirement be strictly followed in its outsourced processing.
Storage: The storage of personal data is only allowed during the shortest period necessary to achieve the consented-to purpose. It is recommended that personal data be stored without identifying information, with personal identification indicators stored separately from the anonymous data. Encryption is recommended for the storage of sensitive personal data.
Share and transfer: Network operators must obtain additional consent before they share and transfer personal data to other entities. Network operators may also want to conduct security impact assessments before such sharing and transfer. During and after the sharing and transfer, network operators should clearly define the responsibilities and liabilities of the personal data recipients, and reasonably supervise the recipients’ performance.
Honouring the rights of the data subjects: Network operators must honour and respond to the requests of data subjects to withdraw their consent, correct or delete their personal data, request a copy of their data stored with network operators, and deregister their accounts with the network operators.
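The storage and data-subject-rights points above, as an added Python example that is not from the article or the firm: each collected record is split so that the analytics store holds only a keyed pseudonym plus non-identifying fields, while the direct identifiers sit in a separate vault with a retention deadline; copy-of-data and deletion requests are then served through that split. The field names, the sample record and the key are constructed for the example. In production the pseudonymisation key would come from a KMS or HSM and the vault would be encrypted at rest, which is not shown here.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional

# Constructed example key: in production this is held in a KMS/HSM, never in source.
PSEUDONYM_KEY = b"constructed-example-key-do-not-use"

# Fields treated as direct identifiers (an assumption for this example; bank
# accounts and face data are the kinds of sensitive data the article names).
DIRECT_IDENTIFIERS = {"name", "phone", "bank_account", "face_template"}


def pseudonym(subject_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token: same subject -> same token, not reversible without the key."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def contains_direct_identifiers(record: Dict[str, Any]) -> bool:
    """True if a record still carries any field that identifies a person directly."""
    return any(k in record for k in DIRECT_IDENTIFIERS | {"subject_id"})


class IdentityVault:
    """Separate store: pseudonym -> direct identifiers, each with a retention deadline."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, Any]] = {}

    def put(self, pseudo: str, identifiers: Dict[str, Any], retain_until: datetime) -> None:
        self._records[pseudo] = {"identifiers": identifiers, "retain_until": retain_until}

    def resolve(self, pseudo: str) -> Optional[Dict[str, Any]]:
        rec = self._records.get(pseudo)
        return None if rec is None else dict(rec["identifiers"])

    def delete(self, pseudo: str) -> bool:
        return self._records.pop(pseudo, None) is not None

    def purge_expired(self, now: datetime) -> int:
        """Shortest-necessary-period rule: drop identity links once their deadline passes."""
        expired = [p for p, r in self._records.items() if r["retain_until"] <= now]
        for p in expired:
            del self._records[p]
        return len(expired)


class PersonalDataStore:
    """Analytics rows hold only pseudonymised, non-identifying fields; the vault holds the rest."""

    def __init__(self, retention_days: int) -> None:
        self.vault = IdentityVault()
        self.rows: List[Dict[str, Any]] = []
        self.retention = timedelta(days=retention_days)

    def ingest(self, raw: Dict[str, Any], now: datetime) -> Dict[str, Any]:
        pseudo = pseudonym(raw["subject_id"])
        identifiers = {k: v for k, v in raw.items() if k in DIRECT_IDENTIFIERS or k == "subject_id"}
        row = {k: v for k, v in raw.items() if k not in identifiers}
        row["pseudonym"] = pseudo
        self.vault.put(pseudo, identifiers, now + self.retention)
        self.rows.append(row)
        return row

    def export_for_subject(self, subject_id: str) -> str:
        """Copy-of-data request: re-identify through the vault and return the subject's data as JSON."""
        pseudo = pseudonym(subject_id)
        rows = [r for r in self.rows if r["pseudonym"] == pseudo]
        return json.dumps({"identifiers": self.vault.resolve(pseudo), "records": rows}, sort_keys=True)

    def erase_subject(self, subject_id: str) -> int:
        """Deletion or consent-withdrawal request: remove the vault entry and every linked row."""
        pseudo = pseudonym(subject_id)
        self.vault.delete(pseudo)
        before = len(self.rows)
        self.rows = [r for r in self.rows if r["pseudonym"] != pseudo]
        return before - len(self.rows)

    def purge_expired(self, now: datetime) -> int:
        return self.vault.purge_expired(now)


# Constructed sample record, not real data.
SAMPLE_RECORD = {
    "subject_id": "u-1001",
    "name": "Li Hua",
    "phone": "+86-138-0000-0000",
    "bank_account": "6222 0000 0000 0000",
    "city": "Shanghai",
    "purchase_total": 128.5,
}


def demo() -> Dict[str, Any]:
    """Run the lifecycle end to end and return the observable results."""
    now = datetime(2020, 6, 1, tzinfo=timezone.utc)
    store = PersonalDataStore(retention_days=30)
    row = store.ingest(SAMPLE_RECORD, now)
    store.ingest(dict(SAMPLE_RECORD, subject_id="u-1002", name="Wang Fang"), now)
    exported = json.loads(store.export_for_subject("u-1001"))
    erased = store.erase_subject("u-1001")
    purged = store.purge_expired(now + timedelta(days=31))  # second subject's link has expired
    return {
        "row_clean": not contains_direct_identifiers(row),
        "resolved_name": exported["identifiers"]["name"],
        "exported_rows": len(exported["records"]),
        "erased_rows": erased,
        "resolve_after_erase": store.vault.resolve(row["pseudonym"]),
        "purged": purged,
        "rows_left": len(store.rows),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Once the vault entry is purged or erased, the remaining analytics rows can no longer be tied back to a person without the identifiers, which is the point of storing the identification indicators apart from the working data.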
Important data
Unlike the protection of personal data, important data protection, the other purpose of China’s data protection mechanism, is still in its infancy. Only high-level references and principles have been established under the CSL, as well as some local regulations. The specialized regulation, the Administration Measures for Data Security (Draft Data Security Regulation), is still in draft form.
The localization requirement of important data protection largely remains a puzzle. Under the CSL, the Critical Infrastructure Institution Operator (CIIO) is obligated to localize the important data it collects and stores. The localization requirements include the local storage of such important data in China, and the transfer of such data cross-border only when necessary, and with a positive security assessment approval.
The CIIO is also required to back up and encrypt the important data in its processing. The Draft Data Security Regulation tries to provide considerably more detail than the CSL in implementing the localization requirements. However, neither the CSL nor the Draft Data Security Regulation gives a clear clue or standard for determining the CIIO and the important data. Because of such vagueness in the above-mentioned basic law and regulation, several subsequent draft administrative regulations and rules have tried, confusingly, to expand the applicability of the localization requirements to other types of data, or to expand the definition of the CIIO. None of these efforts has yielded positive results.
A laudable approach is that several ministries and local governments have determined, or begun to determine, the important data of the industries or the regions that are within their jurisdiction. Examples of specifically identified important data include human genetic resources, population health information, geographic surveying information, personal credit information, and personal financial information. We anticipate that more and more industries and local governments will do the same to determine the characteristics of important data within their jurisdiction.
Recent hot regulatory topics
Apps. In 2019, in a noticeable development, several government agencies joined together to enforce the law against illegal app operations. The CAC, MIIT, MPS and SAMR jointly issued the “Announcement on the Implementation of Special Governance for the Illegal Collection and Use of Personal Information on Apps”. The crackdown ran throughout 2019, and particularly focused on improper privacy terms, incorrect descriptions of the scope of collection and use of personal information, and the collection of unnecessary personal data. The penalties imposed included public criticism, temporary shutdowns for correction, and permanent shutdowns.
In the meantime, a series of guidances and policies were released. Such guidances and policies require app operators to offer user-friendly privacy terms, inform users in sufficient detail of the correct scope and purpose of data collection, and obtain explicit consent before data collection.
Cookies. Cookies and similar technologies are commonly used to track and remember user status information, or to record the user’s behaviour on the website. Although there is no specific law regulating the use of cookies, there is a pervasive and common understanding in judicial practice that the use of cookies is a means to collect personal data. Therefore, network operators, when using cookies or similar technologies, should notify personal data subjects of the collection and its purposes, and the types of personal data to be collected, and obtain consents from them to minimize potential legal risks and disputes.
Web crawler. A web crawler is a widely used technical tool for automatic data collection. However, there is substantial legal risk if the user of the tool fails to identify, intentionally ignores, or deliberately violates any restriction on, or prohibition against, the use of the tool by web service providers. Such illegal use of a crawler is subject to administrative or even criminal liabilities.
Software development kit (SDK). An SDK provided by a third party may collect device information and user personal data without the knowledge of the users and the service providers. In a 2019 law enforcement action, an SDK was found to have caused many cases of personal data protection violations. Potential violations and damages through the use of SDKs have attracted legislative attention. The Draft Data Security Regulation requires network operators to impose specific data security requirements and responsibilities upon SDK providers.
To avoid the legal risks of SDKs, our recommended practice is to: (1) seek representations and warranties from the SDK providers for data protection compliance purposes; (2) carry out reasonable technical tests against SDKs or applications with SDKs; and (3) conduct real-time monitoring of the SDK, or the applications with SDKs, and cut off an SDK’s access to any personal data in a timely manner.
Face recognition. Face recognition and other similar biometric applications are widely used to identify or verify the identities of people. Under the law, the human face is a type of biometric data, which is sensitive personal data subject to strict protection. Personal biometric data are collected and used through mobile or other devices by operators controlling the devices. Improper collection and use of face images create substantial legal risks.
In 2019, Zao, a face-swapping app that allows users to imitate famous actors, raised privacy concerns in China. It was later discovered that, by accepting Zao’s user agreement, Zao users gave unintentional permission to Zao’s developers to collect and store users’ facial images, and to sell them to third parties without further consent.
The MIIT criticized Zao for such an aggressive practice, and requested that Zao change its user agreement to cure such a personal data security concern. This is also part of the reason that, on 25 June 2019, TC260, in its updated national standard, provided specifically for biometric data protection.
Blockchain. Blockchain is a secure and decentralized ledger that can help companies maintain secure transaction records. However, private blockchains are likely to collect and store personal data. Retailers, for example, can collect and store massive volumes of data about their customers and their preferences, as well as their purchase histories and payment habits and amounts.
The Provisions on the Administration of Blockchain Information Services, which took effect on 15 February 2019, impose information content safety management obligations on blockchain information service providers, and require them to establish and improve management rules for user registration, information review, emergency response, and safety protection.
Although there have been no published cases of personal data violation involving private blockchain users since the statutory obligations have been established, the next dispute or violation may be around the corner.
Data protection compliance strategy
There are different approaches to protecting personal data throughout the world. The US took a more liberal approach, holding that, while personal data are a personal interest that should be under the absolute control of the data subjects, data subjects should take the primary efforts and responsibility to protect themselves, and the government should only take secondary responsibility.
Under such an approach, advanced technologies permit most of the high-technology companies to treat personal data as the “free” gold in the “Wild West”. The CCPA emerged at this critical time in California, the home to many high-technology companies, to restore the balance of power over personal data use to the data subjects. However, such a liberal approach encourages the development of new technologies, some of which require lots of training and analytical data and represent the “new technology first” policy of the US.
The EU took a different approach, holding that personal data are a personal interest that should be under the absolute control of the data subjects, and that the aggregation of the personal data of all EU subjects constitutes a new form of valuable intangible assets that belongs to the EU Commission. Therefore, the EU works to ensure that such personal interests are well preserved and protected.
Following such a path, it is not surprising that so-called digital assets’ levies or taxes would be imposed to finance the protection efforts by the governments of such personal interests. Such a conservative approach is used by the EU, which possessed a comparatively disadvantaged technological capability to withstand the invasion by technology giants from the US.
China’s data protection mechanism is still evolving. The central government understands that a correct data protection approach will define the country’s future. From a historical and governmental structural perspective, China inclines more to data protection mechanisms that are similar to those under the GDPR. However, China also understands that fully copying the data protection mechanism of the GDPR may create disadvantages in the competition between its technology giants and their US opponents, particularly in the areas where large amounts of data determine the development of certain technology, such as artificial intelligence (AI).
As a result, China created a parallel structure for data protection purposes. On one hand, its personal data protection is much less restrictive than the GDPR, to leave room for technology advancement and exploration, but it balances this by being more restrictive in protecting the data; on the other hand, it tries to define the concepts of the CIIO and the important data to create barriers against potential invasion from more advanced technology possessors. Such an approach represents the Chinese characteristic in defining the competing interests between technology and personal privacy in its data protection mechanism.
High-level compliance tips
If you are a foreign technology company that can fully comply with the requirements of the GDPR, you very likely have complied with the personal data protection laws of China.
However, if you are a US company and do not have a GDPR compliance strategy in place, what you may need to do is identify the gap between your current US-based personal data protection policy and the personal data protection requirements in China, and fill such a gap. But if you are a CCPA-compliant US company, you may have complied, or may only need to take very few steps to comply with China’s personal data protection requirements.
Whether you are an EU or US company, what you need to do to comply with the important data protection requirements is to watch closely the development of the CIIO and important data protection regulations, and to analyse whether the data you collect in China could be determined to be important data. If yes, you may need to develop a special compliance strategy to address important data protection in China. If not, you should be happy with what you have in place for compliance.
Xinyao Zhao and Estella Wang also contributed to this article
GLOBAL LAW OFFICE
26/F, 5 Corporate Avenue,
150 Hubin Road, Huangpu District,
Shanghai 200021, China
Tel: +86 21 2310 9517
Fax: +86 21 2310 8299
www.glo.com.cn