China’s data protection regulatory framework is far from unified in a single comprehensive law; on the contrary, the legal requirements are scattered across several laws, regulations, non-binding standards, and consultation papers.
China’s primary cybersecurity regulator is the Cyberspace Administration of China (CAC), which also supervises and administers related matters. Nevertheless, several other institutions are also relevant in the Chinese data protection environment, such as the National Information Security Standardization Technical Committee (NISSTC), the Ministry of Public Security (MPS), and the Ministry of Industry and Information Technology (MIIT).
The central pieces of legislation dealing with cybersecurity and data protection are the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL).
The Cybersecurity Law, which regulates the construction, operation, maintenance, and use of networks within the territory of China, became effective in June 2017, and a draft amendment is on its way to being approved.
In terms of applicability, the CSL applies to all network operators established in China, with stricter rules for those who operate “critical information infrastructures” (CII). CII refers to network facilities and information systems in important industries and fields, such as public communication, energy, transportation, and science and technology, whose damage, loss of function, or data leakage may seriously endanger national security or the national economy.
The Regulation on Protecting the Security of Critical Information Infrastructure (关键信息基础设施安全保护条例), published in 2021 by the State Council, implements general rules applicable to critical information infrastructure operators (CIIO) and, under certain circumstances, to network operators dealing with CIIO.
The CSL’s draft amendment, released for comments by the CAC in September 2022, will, if approved as drafted, increase fines for cybersecurity violations and revise the legal responsibility system for the security protection of CII and for personal information protection, the latter based on the provisions of the PIPL.
Years after the release of the CSL, the Data Security Law became effective in September 2021. Developed to regulate data processing activities and data security management in general, the DSL introduced the concept of different categories of data: ordinary data, important data, and core data.
The DSL provides that relevant industries and fields must prepare and release complementary measures concerning how data in such industry-specific areas should be processed. Therefore, entities handling a high amount of data or operating in industries that may be considered sensitive should follow industry updates closely.
Finally, the last of the three laws that compose China’s data protection legal framework, the Personal Information Protection Law, became effective in November 2021.
The PIPL regulates the processing of personal information of individuals in China (not only Chinese citizens) and has broad extraterritorial application to overseas individuals or organizations that process personal data collected in China in order to provide products or services and/or to analyze or assess the conduct of natural persons.
At first, the high fines for organizations and the persons in charge (up to RMB 50 million and RMB 1 million, respectively), in addition to the possibility of facing other administrative penalties and civil and even criminal liability, seemed a distant reality to entities processing personal data under the PIPL, as there were many gaps to be filled by supplementary regulations.
With the increase in additional regulations, guidelines, and technical specifications, there was also an upsurge in enforcement by the authorities, notably last year.
As expected, 2023 has already started strong, and the authorities have finalized regulating the mechanisms for cross-border transfers of personal information, which will affect most organizations with business in China.
In late February 2023, the CAC released the long-awaited final version of the Measures on Standard Contract for Cross-Border Transfers of Personal Information (个人信息出境标准合同办法), which will become effective on June 1, 2023. According to the document, processors intending to use the standard contract as a compliance method for conducting overseas transfers will have a six-month grace period for implementation.
Under the PIPL, there are three valid mechanisms for cross-border transfers of personal information: i) undergo a security assessment with the authorities, ii) obtain a certification from a qualified agency, or iii) enter into the standard contract and file it with the authorities.
While the security assessment is mandatory in specific situations, mostly involving transfers of large volumes of personal information, transfers of important data, and transfers by CIIOs, the certification and the standard contract can be used by any processor in China as long as it does not fall under the situations where a security assessment is required. In addition, the certification may also be obtained by entities without a physical presence in the territory.
With that in mind, for organizations processing personal information and transferring such data overseas, this seems to be the last call to implement a compliance plan and avoid facing the feared PIPL penalties.
In terms of compliance, conducting a personal information protection impact assessment (PIA) is a fairly good starting point for those with a basic compliance structure, since this is a mandatory requirement for any overseas transfer and part of the procedures for all the mechanisms mentioned above.
For those waiting until the last minute, mapping out and classifying the organization’s data and processes is the first step to identifying compliance gaps and preparing a strategy to be implemented as soon as possible.
Achieving a solid level of compliance through realistic and sensible policies and tactics demands resources and commitment, but it is not an impossible task. Furthermore, having a reliable and stable data governance structure also improves overall business processes and company management.
BNLS Law Firm offers its clients a full range of legal services in China focusing on international clients (in particular Israeli and European) and supporting their activities from pre-incorporation legal feasibility studies, through company formation, agreements with local and international partners, corporate commercial and labor agreements, IP registration and licensing, general legal advice to dispute resolution and litigation.
With its international perspective, BNLS combines the expertise of Chinese lawyers and foreign legal consultants. BNLS has rich experience in supporting clients in different sectors throughout all stages of their China and Hong Kong operations, including clients who are active in information technology, medical devices, cybersecurity, water management, agro-tech, smart mobility, human resources, investment, banking, aviation, furniture, construction, trading (wholesale and retail), education, advertising and various consulting services.
*This article is written by Vanessa Albuquerque from BNLS Law Firm（上海搏纳朗盛律师事务所）.
Feel free to contact BNLS Law Firm professionals (firstname.lastname@example.org) for advice on any of these matters.