On May 28, 2019, the Cyberspace Administration of China (“CAC”) released draft Data Security Administrative Measures (the “Measures”) for public comment. The Measures, which, when finalized, will be legally binding, supplement the Cybersecurity Law of China (the “Cybersecurity Law”) that took force on June 1, 2017, with detailed and practical requirements for network operators who collect, store, transmit, process and use data within Chinese territory. The Measures likely will significantly impact network operators’ compliance programs in China.
The Measures are basically consistent with China’s relevant existing guidelines and national standards, such as: the Information Security Technology – Personal Information Security Specification (“Specification”), the amended draft of which was released for public comment on February 1, 2019; the Guide to Protection of Security of Internet Personal Information released April 11, 2019; the Self-Assessment Guide on the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations, which entered into effect on March 1, 2019; and the Identification Methods of Collection and Use of Personal Information in Violation of Laws and Regulations for Public Comments, which took force on May 5, 2019. The Measures, however, are in some respects more stringent than these guidelines and standards. And, unlike the guidelines and national standards, which detail best practices or are good references for understanding practical enforcement, the Measures will be legally binding.
The Measures cover 40 articles in total, divided among four chapters, that address data collection, processing and use and data security. Certain notable provisions are summarized below.
Regulated Data and Activities
The Measures cover the collection, storage, transmission, processing and use of data by networks within China, as well as the protection and administration of data security, unless these are undertaken for purely family/personal reasons.
The Measures also cover “important data,” defined as “the data that might directly affect national security, economic security, social stability and public health and security in case of disclosure, such as non-public government information, population data covering a large area, gene health data, geographic data and mining data.” In general, “important data” does not include information related to business operations, internal management or personal data. Though the authorities have discretion in interpreting what important data is in practice, these exceptions suggest that data generated from a network operator’s business operation will not necessarily be subject to review by the cyberspace administration authorities.
Rules for the Collection and Use of Personal Information
Network operators must publicly disclose their rules for collection and use of personal information (the “Rules”) in a privacy policy or some other means. The Rules must cover individuals’ rights (of inquiry, correction and deletion of personal information, as well as right to withdraw consent), and provide certain information about the personal information to be collected and if the controller discloses the information to third parties. The Measures also create requirements around retention – namely, that the retention period in practice must match the retention period described in the Rules, and that network operators shall delete the personal information when the data subject’s account is closed unless the information is anonymized.
Exceptions for the Disclosure of Personal Information
Generally, consent is required to disclose a data subject’s personal information to third parties. The Measures state that such consent is not required if:
- personal information is collected from a lawful and public source and the collection is not contrary to the individual’s will;
- the individual voluntarily publishes his/her personal information;
- the personal information is anonymized;
- it is necessary for law enforcement purposes; or
- it is necessary to maintain national security and social and public interests and protect a data subject’s life or safety.
Filing Requirement
Network operators that collect sensitive personal information and/or important data for “business operations” are required to file certain information regarding the data (such as the operator’s rules, methods and purpose for collection and use of the data at issue), though not the content of the data, with the local cyberspace administration authority. “Business operations” is not defined, and it remains to be seen whether the term only refers to collecting data for purposes of developing the commercial value of data, or if it is broader and generally refers to any data collection activity in the course of business operations.
Obligation to Submit Data to Governmental Authority
The Measures require network operators to provide data under their control upon request (relating to national security, social governance or economic regulation) from a competent governmental authority.
Regulator Approval for Certain Cross-Border Transfers
The Measures require network operators to take certain steps before sharing or transferring important data outside of China, including seeking approval from the relevant industrial regulatory authorities.
Data Breaches
Notification – In the case of an actual or probable data breach affecting personal information, network operators should promptly notify the data subject (by phone, text, email or mail) and report the issue to the relevant industrial regulatory authorities and cyberspace administration authorities as required by law. The Measures do not provide specific timing requirements in the case of data breaches.
Presumption of Fault - Unless the network operator can prove it has no fault, the operator will be held fully or partially liable for damage stemming from a data breach caused by third-party applications. This new presumption of fault may push network operators to more closely supervise third-party applications and their security practices.
Penalties
Network operators that violate the Measures may be subject to public exposure, confiscation of illegal gains, suspension or a shut-down of their business, disabling of their website or the revocation of relevant business permits or licenses. Crimes will be investigated and punished in accordance with relevant criminal law.
The Measures are open to public comment until June 28, 2019.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code