China sets regulations on network data security management

On November 14, 2021, the Cyberspace Administration of China (“CAC”) released its draft regulations on network data security management (the “draft regulations”) for public comment. The draft regulations are intended to implement parts of three existing laws, the Cyber Security Act (“CSL”), the Data Security Act (“DSL”) and the Personal Data Protection Act (“PIPL”) (together the “Three Acts”), by providing guidance on certain provisions and by establishing specific requirements for the implementation of certain principles contemplated in the Three Acts. In addition, the draft regulations set new requirements for data processing activities. Once in effect, the draft regulations will impose even greater compliance obligations on companies than the PIPL.

The draft regulations consist of 75 articles and nine chapters. In this blog post, we discuss some of the key areas covered by the draft regulations.

Scope of Jurisdiction

The extraterritorial scope under the draft regulations is much wider than that under the Three Acts. The draft regulations apply in the following two scenarios:

  1. If the network data processing takes place in China; and

  2. If the network data processing activity takes place outside of China but involves individuals and organizations in China, and the purpose of the processing is to:

    • offer goods or services in China;

    • monitor and evaluate the activities of individuals and organizations in China;

    • process “key data” located in China; or

    • comply with all requirements of other Chinese laws and regulations.

Data Processor and Entrusted Party

The definition of “data handler” in the draft regulations is similar to that of “data controller” in other privacy laws, such as the EU General Data Protection Regulation (“GDPR”). While the GDPR distinguishes between a data controller, who determines the means and purposes of the processing of personal data, and a data processor, who processes personal data on behalf of the controller, the draft regulation does not formally define the concept of a data processor. According to the draft regulations, when a data processor entrusts a third party to process personal information on behalf of the data processor, this third party is referred to as the “trusted party” or the “contracting party”.

Data Classification and the Multi-Level Protection Scheme

Under the draft regulations, data is categorized as (1) general data, (2) key data or (3) core data, depending on the impact and degree of importance of the data for national security and public interests. In accordance with the CSL and DSL, the draft regulations will require these categories of data to be protected based on China’s Multi-Level Protection Scheme (“MLPS”), which imposes data security standards for different classifications of data. For example, data processors will be required to take security measures (e.g., data backups, encryption, access control) and strengthen the security of their data processing systems, transmission networks and storage environments, based on the MLPS.

Data leak

Unlike the Three Acts, the draft regulations specify precise timelines within which data handlers must notify affected individuals and regulators in the event of a data breach. In particular, the draft regulations require data processors to notify affected persons of a data breach within three working days of the breach, including the potential risks and damages associated with the breach and the corrective actions taken by the data processor. If the data processor is unable to directly notify the affected individuals, it may publish a public notice of the breach. The draft regulations also require the data handler to report a data breach to the Office of Public Security if the breach concerns a suspected crime.

If a data breach involves “key data” of more than 100,000 individuals, the data handler must also notify the CAC or the competent authority:

  • within eight hours of the data breach. This notification must include (1) the number of parties involved, (2) the type of breach, (3) the potential impact of the breach, and (4) identified or proposed remedial action; and

  • within five working days of the completion of an investigation into the breach. With this notification, the data handler must provide an investigation report that includes, among other things, (1) the cause of the breach, (2) any damages caused by the breach, and (3) measures the data processor may take to protect against future breaches.

Retention of records when transferring data to third parties

While the PIPL is silent on the subject, the draft regulations require data handlers to keep records of individuals’ consent and logs of transfers of personal data. In addition, records or logs related to the sharing, trading or selling of “key data” must be kept for at least five years.

Cyber Security Assessment

The draft regulations clarify the conditions leading to a cybersecurity assessment required by the CSL. A cybersecurity assessment is required under the draft regulations:

  • before any online platform that collects and stores a large amount of data related to national security, economic development and public interests undergoes a merger, restructuring or dissolution that affects or may impair national security;

  • before a data processor processing the personal data of more than one million individuals is publicly listed in another country;

  • where the public listing of a data processor in Hong Kong affects or potentially affects national security (although it is not clear how this should be assessed under the draft regulations); and

  • for other matters that affect or may affect national security.

Separately, if an online platform establishes a headquarters, operations center or research center outside of China, the platform (i.e., the data handler) should report to the CAC or the competent authority in charge.

Complaint Report

Building on the complaint channels required under the PIPL, the draft regulations will also require data handlers to disclose on an annual basis (1) the number of complaints received; (2) the circumstances of the complaints; and (3) the data handler’s average response time when handling a complaint.

Copyright © 2022, Hunton Andrews Kurth LLP. All rights reserved. National Law Review, Volume XII, Number 26
