On May 28, 2019, the Cyberspace Administration of China (“CAC”) released draft Data Security Administrative Measures (the “Measures”) for public comment. The Measures, which, when finalized, will be legally binding, supplement the Cybersecurity Law of China (the “Cybersecurity Law”) that took force on June 1, 2017, with detailed and practical requirements for network operators who collect, store, transmit, process and use data within Chinese territory. The Measures likely will significantly impact network operators’ compliance programs in China.

The Measures are basically consistent with China’s relevant existing guidelines and national standards, such as: the Information Security Technology – Personal Information Security Specification (“Specification”), the amended draft of which was released for public comment on February 1, 2019; the Guide to Protection of Security of Internet Personal Information released April 11, 2019; the Self-Assessment Guide on the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations, which entered into effect on March 1, 2019; and the Identification Methods of Collection and Use of Personal Information in Violation of Laws and Regulations for Public Comments, which took force on May 5, 2019. The Measures, however, are in some respects more stringent than these guidelines and standards. And, unlike the guidelines and national standards, which detail best practices or are good references for understanding practical enforcement, the Measures will be legally binding.

The Measures cover 40 articles in total, divided among four chapters, that address data collection, processing and use and data security. Certain notable provisions are summarized below.

Regulated Data and Activities
The Measures cover the collection, storage, transmission, processing and use of data by networks within China, as well as the protection and administration of data security, unless these are undertaken for purely family/personal reasons.

The Measures also cover “important data,” defined as “the data that might directly affect national security, economic security, social stability and public health and security in case of disclosure, such as non-public government information, population data covering a large area, gene health data, geographic data and mining data.” In general, “important data” does not include information related to business operations, internal management or personal data. Though the authorities have discretion in interpreting what important data is in practice, these exceptions suggest that data generated from a network operator’s business operation will not necessarily be subject to review by the cyberspace administration authorities.

Rules for the Collection and Use of Personal Information
Network operators must publicly disclose their rules for collection and use of personal information (the “Rules”) in a privacy policy or some other means. The Rules must cover individuals’ rights (of inquiry, correction and deletion of personal information, as well as right to withdraw consent), and provide certain information about the personal information to be collected and if the controller discloses the information to third parties. The Measures also create requirements around retention – namely, that the retention period in practice must match the retention period described in the Rules, and that network operators shall delete the personal information when the data subject’s account is closed unless the information is anonymized.

Exceptions for the Disclosure of Personal Information
Generally, consent is required to disclose a data subject’s personal information to third parties. The Measures state that such consent is not required if:

  • personal information is collected from a lawful and public source and the collection is not contrary to the individual’s will;
  • the individual voluntarily publishes his/her personal information;
  • the personal information is anonymized;
  • it is necessary for law enforcement purposes; or
  • it is necessary to maintain national security and social and public interests and protect a data subject’s life or safety.

Filing Requirement
Network operators that collect sensitive personal information and/or important data for “business operations” are required to file certain information regarding the data (such as the operator’s rules, methods and purpose for collection and use of the data at issue), though not the content of the data, with the local cyberspace administration authority. “Business operations” is not defined, and it remains to be seen whether the term only refers to collecting data for purposes of developing the commercial value of data, or if it is broader and generally refers to any data collection activity in the course of business operations.

Obligation to Submit Data to Governmental Authority
The Measures require network operators to provide data under their control upon request (relating to national security, social governance or economic regulation) from a competent governmental authority.

Regulator Approval for Certain Cross-Border Transfers
The Measures require network operators to take certain steps before sharing or transferring important data outside of China, including seeking approval from the relevant industrial regulatory authorities.

Data Breaches
Notification – In the case of an actual or probable data breach affecting personal information, network operators should promptly notify the data subject (by phone, text, email or mail) and report the issue to the relevant industrial regulatory authorities and cyberspace administration authorities as required by law. The Measures do not provide specific timing requirements in the case of data breaches.

Presumption of Fault – Unless the network operator can prove it has no fault, the operator will be held fully or partially liable for damage stemming from a data breach caused by third-party applications. This new presumption of fault may push network operators to more closely supervise third-party applications and their security practices.

Network operators that violate the Measures may be subject to public exposure, confiscation of illegal gains, suspension or a shut-down of their business, disabling of their website or the revocation of relevant business permits or licenses. Crimes will be investigated and punished in accordance with relevant criminal law.

The Measures are open to public comment until June 28, 2019.