On November 11, 2016, the Standing Committee of the National People’s Congress promulgated the “Internet Security Law of the People ‘s Republic of China” commonly referred to as the “Cybersecurity Law of China.” Unlike the EU’s General Data Protection Regulation (GDPR) which gave businesses two years to prepare, the new law becomes implemented June 1, 2017.
The law affects almost every business in China, and anyone else doing business in China. The law targets “critical infrastructure,” which is broadly defined and includes transportation, travel, network software and equipment suppliers, telecommunications, finance (banking, insurance, mutual funds), health care, online shopping platforms, information technology services (Internet Data Center, electronic information delivery and distribution, Internet Service Provider, Internet Content Provider), education, energy, marketing and advertising, social media, gaming, applications and public service. The new law applies to any entity that 1) maintains a computer network and 2) attaches that network to the internet.
While the law is cast as a far-reaching cyber security law, it also provides protection for personal data as well as severely limiting cross-border data transfers. Thus it is clearly also intended as a data privacy law targeting business. But unlike the data privacy laws of the U.S. and the EU, the Cybersecurity Law of China treats privacy as a data security problem, not the other way round.
Privacy experts will see a definition of personal data similar to that found elsewhere. The law defines personal data as data elements, stored in electronic or other form, which individually or in combination with other information allows the identification of a natural person’s individual identity. Elements include, but are not limited to name, date of birth, identity card number, personally distinctive biological information, address, telephone number, etc..
Highlights of the privacy protections afforded by the law include:
- Requiring informed consent from the data subject before data collection and use of personal information
- Privacy notices regarding purpose, extent and scope of collection & use.
- The entity must ensure data integrity of the personal information collected & stored
- Personal information must not be shared with third parties without consent
- The entity must provide technical safeguards for data security
- Individuals have rights to access and correction.
- Individuals may demand personal information be deleted in the event the data was collected or used unlawfully
- The entity must adopt data classification, back-up and encryption measures
The law also provides for data localization – if the personal information is collected in China, it must be stored on data infrastructure located in China. Coupled with those requirements, the Cybersecurity law contains provisions regarding cross-border data transfers from China. Key provisions include:
- The affected individual must consent to the transfer
- The transfer must be approved by the Cyberspace Administration of China (CAC) after a security review and evaluation
So far, an enabling regulatory infrastructure has not been put in place to enforce the Cybersecurity Law of China. As a result there are a number of uncertainties regarding scope, enforcement and the practical realities imposed on business under the new law. For example, there are no rules as yet regarding the forms of consent that will be acceptable. Further, there are no rules regarding the scope of the security review and evaluation before a cross-border data transfer is permitted.
Nevertheless, there are steps a company can take to set the stage for compliance until enforcement issues are resolved. The People’s Republic of China is a member of the Asia-Pacific Economic Cooperation (APEC), a regional economic forum of 21 member states bounding the Pacific Ocean. APEC developed the Cross Border Privacy Rules System (CBPR). The CBPR system requires participating entities develop and implement privacy policies consistent with the APEC Privacy Framework. It further requires compliance certification by an APEC CBPR system recognized Accountability Agent. Although China has not adopted the CBPR system, if an entity is CBPR certified by an Accountability Agent, it may reduce the likelihood of scrutiny of compliance with the Cybersecurity Law of China, or speed the approval of a cross-border data transfer, at least in the short term.
Time is short. Companies collecting personal information in China should ensure storage in local data center facilities immediately. Companies with global operations requiring cross-border data transfers should consider accelerating their privacy compliance programs, not to meet the GDPR’s March, 2018 timeline, but to avoid becoming the test case for CAC under the new Cybersecurity Law of China.