This post relates to Cooley’s Privacy Talks series – a webinar program featuring Cooley practitioners discussing practical guidance and best practices around managing data protection-related issues. Sessions range from the European General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA) – and all the other new data protection frameworks arising in the US, Asia and Latin America. Sessions will occur on a monthly basis in 2022.
China’s Cybersecurity Law (CSL), Data Security Law (DSL) and Personal Information Protection Law (PIPL) jointly form the overarching regime governing cybersecurity and data protection in China. These three fundamental laws have different focuses but overlap on certain key regulatory requirements. To assist multinational companies having operations in China in navigating through this complex landscape, this blog considers the key things to know about data protection laws in China.
#1: What is the overarching cyber and data security framework in China?
China’s CSL, DSL and PIPL are the three fundamental laws that form China’s overarching cybersecurity and data protection governing framework.
- The CSL was enacted on November 7, 2016, and took effect on June 1, 2017. It is China’s first law in the cybersecurity space. The CSL regulates the construction, operation, maintenance and use of networks in China. In particular, it establishes the regulatory frameworks for the Multi-Level Protection Scheme (MLPS) and the protection of critical information infrastructure (CII).
- The DSL was enacted on June 10, 2021, and took effect on September 1, 2021. It focuses on the protection of broadly defined “data security” from a national security perspective.
- The PIPL was enacted on August 20, 2021, and took effect on November 1, 2021. It is China’s comprehensive privacy law and bears resemblance to the European Union’s General Data Protection Regulation (GDPR).
In addition to these three fundamental laws, cyber and data protection rules also can be found in some other laws and sectoral regulations and rules.
#2: Who must comply with the PIPL?
Like the GDPR, the PIPL is intended to impose extraterritorial jurisdiction on personal information handlers (a concept similar to the “data controller” under the EU’s GDPR) whose processing is carried out to provide products or services to individuals in China, to analyze or evaluate the behavior of individuals in China, or for other purposes specified by laws and regulations. This broad scope arguably covers any company or individual that processes the personal information of individuals in China (regardless of the individual’s nationality or residency).
#3: Does the PIPL require notice and consent prior to the processing of personal information?
Before processing personal information, a personal information handler must truthfully, accurately and completely notify individuals in an “eye-catching manner with clear and understandable language” that includes:
- The name and contact information of the personal information handler.
- The purpose and method of processing, and the type and retention period of processed personal information.
- Methods and procedures for individuals to exercise the rights provided under the PIPL.
- Other items required to be notified under laws or administrative regulations.
The PIPL also requires additional notice for certain specific processing activities. In the scenario of mergers and acquisitions or other business transactions where personal information will be transferred to the counterparty of the personal information handler, the personal information handler must notify individuals of the recipient’s name and contact information. In addition, before sharing personal information with another personal information handler, the handler must inform individuals of the recipient’s name and contact information, the purpose and method of processing, and the type of personal information to be processed by the recipient. If personal information will be transferred outside of China, the personal information handler also must notify individuals of certain additional information (as discussed further below).
Similar to the GDPR, the PIPL also mandates personal information handlers to rely on a legal basis for their processing of personal information. Available legal bases under the PIPL include:
- Consent, which is the primary legal basis under the PIPL. If consent is relied on as the legal basis, a “separate consent” will also be needed where:
  - Sensitive personal information is processed.
  - Personal information is shared with another personal information handler.
  - The personal information is publicly disclosed.
  - Facial recognition information collected in public areas is or will be processed for purposes other than public security.
  - Personal information is transferred overseas.
- It is necessary for the conclusion or performance of a contract to which the individual is a party, or to implement human resources management in accordance with internal labor rules and regulations formulated and collective contracts concluded according to law.
- It is necessary for the fulfillment of statutory duties or obligations.
- It is necessary for coping with public health emergencies or for the protection of an individual’s life, health or property.
- Such acts as news reporting and supervision by public opinions are carried out for the public interest, and the processing of personal information is within a reasonable scope.
- The personal information has already been disclosed by the individual, or other legally disclosed personal information is processed within a reasonable scope in accordance with the provisions of this law.
- Other circumstances exist as provided by Chinese laws and regulations.
#4: What are the obligations on companies that process “important data”?
As a general requirement under the DSL, all data processing entities (regardless of whether “important data” is processed) must fulfill the following obligations:
- Establish an internal data security management program.
- Carry out data security training.
- Adopt technical and other necessary security measures.
- Comply with the MLPS requirements if the internet or other information networks are used for the data processing.
- Respond to identified vulnerabilities and security incidents.
If “important data” is processed, relevant entities must also designate a data security responsible person and office, carry out a security assessment on a regular basis and file the relevant assessment reports with competent authorities. As further discussed below, the cross-border transfer of “important data” also is subject to a security review organized by the Cyberspace Administration of China (CAC).
The DSL is silent on the definition of “important data.” Under the Measures for Security Assessment for Cross-Border Data Transfers, “important data” refers to “any data that, once tampered with, sabotaged, leaked or illegally obtained or used, may endanger national security, economic operation, social stability, and public health and safety.” The Chinese government also is in the process of formulating national standards and regulatory rules to provide further details about the scope of “important data.”
#5: Can companies transfer personal information and “important data” collected or generated in China overseas?
Chinese laws impose data localization requirements based on the status of the entities processing data and the type and volume of data processed or transferred.
- CII operators must store personal information and “important data” collected in China locally and are only allowed to carry out a cross-border data transfer after passing a security assessment, which will be further discussed later.
- Non-CII operators are required to localize storage of personal information only when processing personal information in a volume that reaches the threshold specified by the CAC. They may transfer personal information overseas after passing a security assessment.
Note that sectoral regulatory rules also may impose specific localization requirements applicable to data collected and generated in relevant sectors.
In addition to the localization framework outlined above, China also sets out separate requirements for the cross-border transfer of personal information and “important data.”
For cross-border transfers of personal information, the PIPL has imposed the following requirements:
- Providing notice and obtaining consent.
  - Notice – The personal information handler must inform individuals of the name and contact information of overseas recipients, processing purposes and means, the types of personal information to be transferred overseas, and the means and procedures for individuals to exercise their rights.
  - Consent – If the personal information handler relies on consent as the legal basis for the processing activity, then it must obtain a separate consent from the individuals for the cross-border transfer of their personal information. Note that if other legal bases are relied on (e.g., performance of a contract), a separate consent may arguably not be needed.
- Carrying out a Personal Information Protection Impact Assessment (PIPIA) – which is similar to the DPIA under the GDPR – prior to the cross-border transfer.
- Choosing one of the following lawful transfer mechanisms:
  - Passing a security assessment conducted by the CAC when meeting any of the following thresholds:
    - The entity transfers personal information outside of China as either a CII operator or a personal information handler that processes personal information of more than one million individuals.
    - Since January 1 of the previous year, the personal information handler has cumulatively transferred the personal information of more than 100,000 individuals or the sensitive personal information of more than 10,000 individuals.
    - Under other circumstances specified by the CAC.
  - Obtaining a certification from an organization in accordance with rules issued by the CAC.
  - Entering into standard contractual clauses issued by the CAC (a draft version has been released for public comments). A company relying on this mechanism must also file the standard contract it signed and its PIPIA reports with the CAC.
  - Complying with mechanisms further specified under Chinese laws, regulations or rules released by the CAC.
For the cross-border transfer of “important data,” companies must pass the security assessment conducted by the CAC (the first transfer mechanism noted above).
#6: When should a company apply for a cybersecurity review?
Under the Measures for Cybersecurity Review that took effect on February 15, 2022, a cybersecurity review will be triggered under the following circumstances:
- A CII operator procuring network products or services that may impact China’s national security.
- A “network platform operator” in possession of personal information of more than one million users applying for an initial public offering on foreign stock exchanges.
- A “network platform operator” carrying out data processing activities that may impact China’s national security.
Companies meeting one of the above criteria must apply to the Cybersecurity Review Office for a cybersecurity review. Note that the Cybersecurity Review Office also is authorized to proactively initiate a cybersecurity review after receiving approval from the Central Cyberspace Affairs Commission.
* Cooley LLP is not licensed to practice the law of the People’s Republic of China (PRC) and nothing herein constitutes an opinion or legal advice by Cooley with respect to PRC laws or otherwise. This blog may not be relied upon, construed as, or used as an opinion, interpretation of, or legal advice in any respect relating to or arising out of PRC laws or otherwise. This blog, and our review of the information referenced in this blog, is based solely upon our general familiarity with matters of the type referenced in this blog and the consultation with PRC counsel with respect to certain matters of PRC law or practice, as referenced in the blog, provided that notwithstanding such consultation, no opinions or legal advice with respect to PRC law are made herein. Any analysis, conclusion, advice or opinion with regard to the PRC laws, or otherwise with regard to any of the matters referenced in this blog, must be obtained from PRC local counsel.