China Data Protection and Cybersecurity - Annual Review of 2021 and Outlook for 2022 (I)
Written By
Legal Director
China
I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.
The year 2021 proved to be a milestone for data protection and cybersecurity in China. Most notably, the Personal Information Protection Law (“PIPL”) and the Data Security Law (“DSL”) came into force in September and November respectively. The PIPL, the DSL and the Cyber Security Law (“CSL”) together represent the “troika” of the Chinese data protection and cybersecurity regulatory framework. Beyond the troika, implementing rules have sprung up, and the gloves are coming off in enforcement. As we are heading into 2022, what are the new challenges for businesses? Let’s take a closer look at these developments and what we can expect from them in the year 2022.
We will highlight our observations on major regulatory and enforcement developments in 2021 in the following four key sections, i.e.
- Personal information protection, where the PIPL was finally adopted and took effect, with implementation rules springing up concerning key topics such as data localisation and cross-border data transfer, facial recognition, algorithms, as well as mobile application;
- Data security, where we saw further developments in identification and protection of important data, data classification system, data security review regime and its impact on overseas listings, etc., prompted by the milestone DSL coming into force;
- Cybersecurity, where continuous regulatory efforts have been made to strengthen protection of the critical information infrastructure (“CII”), enhancement of the multi-level protection scheme, and network security monitoring and reporting system;
- Sectoral development, where regulators in various industries and sectors have made their efforts to strengthen . We will focus on automotive, finance and healthcare industries.
In this first article, we will give an overview of the overarching data protection and cybersecurity regulatory framework in China, and development in personal information protection.
Part I. Highlight of the Year 2021: the troika and beyond
2021 saw the formal formation of the three-pillar regulatory framework for cybersecurity and data protection, i.e.
- The CSL, effective on 1 July 2017, is the first comprehensive legislation in China forming the backbone of cyber security. It provides for the security protection obligations of "network operators" and "critical information infrastructure operators" ("CIIOs") in China.
- The DSL, effective on 1 September 2021, enhances data security by establishing a categorised data security system applicable to online and offline data processing activities, covering both personal or non-personal information. The DSL focuses on the protection of “important data” and “core data” that are information relevant to national security, national economy, people’s livelihood and public interest. (see Part III in our second article for further details)
- The PIPL, effective on 1 November 2021, protects personal information with a focus on safeguarding rights of individuals to their personal information, compared with the more security-centric CSL and DSL. (see Part II for further details)
Beyond the troika, a series of implementation regulations, rules as well as national or industrial standards were released for public consultation or formally promulgated in 2021, designed to provide more practical guidance on compliance. The troika, supplemented with implementation rules, will further strengthen the data and cyber governance and enforcement efforts in China.
Part II. Personal Information Protection
1. Regulatory developments
1) The Personal Information Protection Law
The long-awaited PIPL was officially adopted by the National People’s Congress Standing Committee on 20 August 2021 and took effect on 1 November 2021.
While the PIPL shares many similarities with the EU General Data Protection Regulation (“GDPR”) in many aspects (such as the extraterritorial effect, data processing principles, legal bases for data processing, notification and consent requirements, the controllers-processors relationship, data subject rights, data governance and accountability requirements, etc.), there are also important differences.
In particular, i) legitimate interest is not recognised under the PIPL as a lawful basis for data processing; ii) requirements for a separate consent apply to specified scenarios such as processing of sensitive personal information; iii) cross-border transfer of personal information is permitted if the personal information processor has passed a governmental security assessment, is certified for data protection, or enters into a standard contract with the foreign data recipient . . Non-compliance with the PIPL may give rise to administrative fines of up to 5% of the annual turnover or RMB50 million (approx. US$7.8 million) and personal liability. (click here for our views on the PIPL)
2) Data localisation and cross-border data transfer
The regulation of data export has long been one of the major concerns for multinationals doing business in China. Apart from the data localisation rules applicable to CIIOs under the CSL, the DSL and the PIPL further restrict data exports by data processors who are not-CIIOs and. are obligated to fulfil certain condition before data exports. In particular, personal information processors whose processing meets specified thresholds or data processor exporting important data may need to go through a governmental security assessment.
A notable regulatory update on data export is the draft Measures of Security Assessment for Data Export (“Data Export Measures”) released by the Cyberspace Administration of China (“CAC”) for public consultation in late October 2021. The draft Data Export Measures lays down a hybrid data export regime of self-assessment and governmental security assessment, and sets out a more detailed and broadened scope of data subject to governmental security assessment when being exported, which includes:
|
“i. Personal information and important data collected and generated by CIIOs; ii. Any important data that is to be exported; iii. Personal information of a data processor that processes personal information of 1,000,000 individuals or more; iv. Personal information of a data processor that in aggregate exports (i) personal information of over 100,000 individuals or (ii) sensitive personal information of over 10,000 individuals; and v. Such other information as designated by the CAC.” |
For further details of the draft Data Security Measures, please refer to our previous article here.
3) Mobile applications and in-app miniprograms compliance
The CAC and the National Information Security Standardization Technical Committee (“TC260”) continued to issue a series of formal or draft rules and guidelines applicable to data processing activities by operators of mobile applications (“APPs”) and mini- programs. For example, the Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (“APPs Provisions”, effective on 1 May 2021) prohibit APPs from refusing to provide basic functions or services to the users due to their refusal to provide personal information that are not necessary for such functions o services. The APPs Provisions list out 39 types of APPs, their basic functions, and the types of personal information necessary for the basic functions of these APPs.
4) Application of facial recognition technology
New technology such as facial recognition technology (“FRT”) has been increasingly used by governments and organisations for various s purposes and aroused heated discussion about its lawfulness and necessity in China. With more cases being contested in the court, the Supreme People's Court issued a judicial interpretation in July 2021 to address FRT issues in civil trials, The judicial interpretation covers processing of facial information with FRT in both online and offline scenarios. Moreover, using a minor’s facial information is subject to strengthened protection with severer legal liability.
The TC260 also released draft national standards for data security requirements for using FRT, which, amongst others, in principle requires data processors not to identify minors under the age of 14 using FRT.
5) Algorithms and big data
Under the PIPL, personal information processors must ensure that the automated decision-making is transparent and fair and should not treat individuals discriminatively in terms of trading conditions, such as prices.
The CAC released the Administrative Provisions on Algorithm Recommendation of Internet Information Services (“Algorithm Provisions”) on 31 December 2021 effective on 1 March 2022), which regulates using algorithms to recommend information to users. The Algorithm Provisions mainly set out technical and policy requirements, assessment and content moderation obligations, ecosystem management, user right enhancement and transparency principles, ethical requirements, and filing regime applicable to large platforms.
Moreover, the government is becoming more concerned about the unfair competition and monopoly behaviours of the internet platforms that have been exacerbated by the use of algorithm. As a result, in the Antimonopoly Guidelines on Platform Economy released by the Antimonopoly Committee of the State Council in February 2021, internet platform operators are prohibited from using algorithms to reach monopoly agreement, abuse market dominant positions or commit any other acts that exclude competition.
6) Local data regulations
Local government have been more active in publishing their own data regulations. Most notably, two of China’s top-tier cities, Shenzhen and Shanghai, , passed their comprehensive data regulations respectively. Both regulations came into force on 1 January, 2022and cover protection of personal information, use of public data, data trading and transactions, and data security.
2. Enforcement developments
The year 2021 was a busy year for regulators enforcing the data protection laws and rules. Although the enforcement of the PIPL and DSL has yet to take off, some areas have become the priority of the regulators. In below tables, we set out our observations. Besides, there is an increasing number of civil cases where individuals have brought claims of personal information infringement in the court.
| APPs, mini-programs and websites |
|
| Regulators | Collection and use of personal information by APPs and websites have been subject to close scrutiny by the, CAC (and its local branches), the Ministry of Industry and Information Technology (“MIIT”) (and its local branches), Computer Virus Emergency Response Center (“CVERC”), and China Consumers’ Association (“CCA”). |
| Enforcement overview and key focus |
In the past year, over 2500 APPs and websites were named for incompliance during regulators’ enforcement actions.
|
| Penalties | In general, reported APPs were required to rectify the issues within 5-15 working days, and in some cases, APP failing to rectify the issues were removed from the APP stores and penalized with suspension of services, monetary fines or other severer punishments. |
| FRT |
|
| Regulators | CAC, MIIT, local Public Security Bureau (“PSB”), State Administration of Market Regulation (“SAMR”) (and its local branches) |
| Enforcement overview and key focus |
|
| Penalties | Warnings, monetary fines, deletion of the collected facial recognition data, order to rectify, etc. |
| Public interest litigations | |
| Enforcement regulators | The People's Procuratorate, China Consumers Association |
| Enforcement overview and key focus |
The Supreme People's Procuratorate published 11 typical civil public interest cases regarding personal information protection in April 2021. During the year, the local procuratorate and the consumers associations launched quite a few public interest litigations focusing on the protection of sensitive personal information and vulnerable groups (including the minors, the disabled and the elderly), industries of education and health, and processors of a large volume of personal information. |
| Penalties | Damages, deletion of illegally collected personal information, public apology, etc. |
3. Outlook for 2022
Although the PIPL is finally here, there still are a number of question in relation to how some newly introduced obligations will be implemented and enforced in practice. Hence, in 2022 we expect to see the following legislative and enforcement trends: to actively
- finalising key implementation regulations, e.g. the draft Network Data Security Management Regulations, which implements the CSL, DSL and PIPL;
- implementing the cross-border data transfer regime, including finalising the Data Export Measures, the formation of the standard contract(s) between data exporters and overseas recipients, and further clarifying the procedures for governmental data assessment;
- clarifying certain key concepts and data protection obligations under the PIPL such as “separate consent” (e.g. whether a separate consent should still be obtained if the legal basis for processing is not consent), the appointment of a data protection officer (“DPO”) and local representative (e.g. what is the threshold that will trigger the mandatory DPO appointment obligation, whether the DPO must be internal or can be outsourced, and whether the DPO must be based in China), and how the hefty financial penalties will be calculated and imposed;
- more active administrative enforcement actions and campaign against incompliance: current crackdown on non-compliant APPs and mini-programs will continue and we expect to see the first a few enforcement cases under the PIPL; and
- increasing civil lawsuits and public interest litigations against data protection infringement, brought by the people’s procuratorates, consumer associations and individuals.
