The year 2021 proved to be a milestone for data protection and cybersecurity in China. Most notably, the Personal Information Protection Law (“PIPL”) and the Data Security Law (“DSL”) came into force in September and November respectively. The PIPL, the DSL and the Cyber Security Law (“CSL”) together represent the “troika” of the Chinese data protection and cybersecurity regulatory framework. Beyond the troika, implementing rules have sprung up, and the gloves are coming off in enforcement. As we are heading into 2022, what are the new challenges for businesses? Let’s take a closer look at these developments and what we can expect from them in the year 2022.
We will highlight our observations on major regulatory and enforcement developments in 2021 in the following four key sections, i.e.
In this first article, we will give an overview of the overarching data protection and cybersecurity regulatory framework in China, and development in personal information protection.
2021 saw the formal formation of the three-pillar regulatory framework for cybersecurity and data protection, i.e. the CSL, the DSL and the PIPL.
Beyond the troika, a series of implementation regulations, rules as well as national or industrial standards were released for public consultation or formally promulgated in 2021, designed to provide more practical guidance on compliance. The troika, supplemented with implementation rules, will further strengthen the data and cyber governance and enforcement efforts in China.
1) The Personal Information Protection Law
The long-awaited PIPL was officially adopted by the National People’s Congress Standing Committee on 20 August 2021 and took effect on 1 November 2021.
While the PIPL resembles the EU General Data Protection Regulation (“GDPR”) in many aspects (such as extraterritorial effect, data processing principles, legal bases for processing, notification and consent requirements, the controller-processor relationship, data subject rights, and data governance and accountability requirements), there are also important differences.
In particular: i) legitimate interest is not recognised under the PIPL as a lawful basis for processing; ii) a separate consent is required in specified scenarios, such as the processing of sensitive personal information; and iii) cross-border transfer of personal information is permitted only if the personal information processor has passed a governmental security assessment, has obtained a personal information protection certification, or has entered into a standard contract with the foreign recipient. Non-compliance with the PIPL may give rise to administrative fines of up to 5% of annual turnover or RMB50 million (approx. US$7.8 million), as well as personal liability for the individuals responsible. (Click here for our views on the PIPL.)
The regulation of data export has long been one of the major concerns for multinationals doing business in China. Apart from the data localisation rules that the CSL imposes on critical information infrastructure operators (“CIIOs”), the DSL and the PIPL further restrict data exports by processors that are not CIIOs, who must fulfil certain conditions before exporting data. In particular, personal information processors whose processing meets specified thresholds, and data processors exporting important data, may need to pass a governmental security assessment.
A notable regulatory update on data export is the draft Measures of Security Assessment for Data Export (“Data Export Measures”) released by the Cyberspace Administration of China (“CAC”) for public consultation in late October 2021. The draft Data Export Measures lays down a hybrid data export regime of self-assessment and governmental security assessment, and sets out a more detailed and broadened scope of data subject to governmental security assessment when being exported, which includes:
“i. Personal information and important data collected and generated by CIIOs;
ii. Any important data that is to be exported;
iii. Personal information of a data processor that processes the personal information of 1,000,000 individuals or more;
iv. Personal information of a data processor that in aggregate exports (i) the personal information of over 100,000 individuals or (ii) the sensitive personal information of over 10,000 individuals; and
v. Such other information as designated by the CAC.”
For further details of the draft Data Export Measures, please refer to our previous article here.
3) Mobile applications and in-app mini-programs compliance
The CAC and the National Information Security Standardization Technical Committee (“TC260”) continued to issue a series of formal or draft rules and guidelines applicable to data processing by operators of mobile applications (“APPs”) and mini-programs. For example, the Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (“APPs Provisions”, effective on 1 May 2021) prohibit APPs from refusing to provide basic functions or services to users who decline to provide personal information that is not necessary for those functions or services. The APPs Provisions list 39 types of APPs, their basic functions, and the types of personal information necessary for the basic functions of each.
New technology such as facial recognition technology (“FRT”) has been increasingly used by governments and organisations for various purposes and has aroused heated discussion about its lawfulness and necessity in China. With more cases being contested in court, the Supreme People’s Court issued a judicial interpretation in July 2021 addressing FRT issues in civil trials. The judicial interpretation covers the processing of facial information with FRT in both online and offline scenarios. Moreover, the use of a minor’s facial information is subject to strengthened protection and heavier legal liability.
The TC260 also released a draft national standard on data security requirements for the use of FRT which, amongst other things, in principle requires data processors not to use FRT to identify minors under the age of 14.
Under the PIPL, personal information processors that use personal information for automated decision-making must ensure that the decision-making is transparent and fair, and must not apply unreasonable differential treatment to individuals in trading conditions, such as prices.
The CAC released the Administrative Provisions on Algorithm Recommendation of Internet Information Services (“Algorithm Provisions”) on 31 December 2021 (effective on 1 March 2022), which regulate the use of algorithms to recommend information to users. The Algorithm Provisions mainly set out technical and policy requirements, assessment and content moderation obligations, ecosystem management, enhanced user rights and transparency principles, ethical requirements, and a filing regime applicable to large platforms.
Moreover, the government is increasingly concerned about unfair competition and monopolistic behaviour by internet platforms, which has been exacerbated by the use of algorithms. Accordingly, the Antimonopoly Guidelines on Platform Economy released by the Antimonopoly Committee of the State Council in February 2021 prohibit internet platform operators from using algorithms to reach monopoly agreements, abuse dominant market positions or commit any other acts that exclude competition.
Local governments have become more active in publishing their own data regulations. Most notably, two of China’s top-tier cities, Shenzhen and Shanghai, each passed comprehensive data regulations. Both came into force on 1 January 2022 and cover protection of personal information, use of public data, data trading and transactions, and data security.
The year 2021 was a busy year for regulators enforcing data protection laws and rules. Although enforcement of the PIPL and the DSL has yet to take off, some areas have become priorities for the regulators. In the tables below, we set out our observations. In addition, there is an increasing number of civil cases in which individuals have brought claims of personal information infringement in court.
APPs, mini-programs and websites
Regulators | Collection and use of personal information by APPs and websites have been subject to close scrutiny by the CAC (and its local branches), the Ministry of Industry and Information Technology (“MIIT”) (and its local branches), the Computer Virus Emergency Response Center (“CVERC”) and the China Consumers Association (“CCA”).
Enforcement overview and key focus | In the past year, over 2,500 APPs and websites were named for non-compliance in regulators’ enforcement actions.
Penalties | In general, reported APPs were required to rectify the issues within 5-15 working days; in some cases, APPs that failed to rectify the issues were removed from APP stores and penalised with suspension of services, monetary fines or more severe punishments.

FRT
Regulators | CAC, MIIT, local Public Security Bureaus (“PSB”), State Administration for Market Regulation (“SAMR”) (and its local branches)
Enforcement overview and key focus |
Penalties | Warnings, monetary fines, deletion of the collected facial recognition data, orders to rectify, etc.

Public interest litigations
Enforcement regulators | The People’s Procuratorate, China Consumers Association
Enforcement overview and key focus | The Supreme People’s Procuratorate published 11 typical civil public interest cases regarding personal information protection in April 2021. During the year, local procuratorates and consumers associations launched a number of public interest litigations focusing on the protection of sensitive personal information and vulnerable groups (including minors, the disabled and the elderly), the education and health sectors, and processors of large volumes of personal information.
Penalties | Damages, deletion of illegally collected personal information, public apology, etc.
Although the PIPL is finally here, there are still a number of questions as to how some of the newly introduced obligations will be implemented and enforced in practice. Hence, in 2022 we expect to see the following legislative and enforcement trends: to actively