Introduction
On May 28, 2019, Measures on Administration of Data Security (Measures) were issued by the Cyberspace Administration of China, along with an invitation for submissions in a public consultation. The Measures will constitute a binding regulation when finally issued and implemented, and will apply to both personal data and industrial data (the main focus being important data as described below), and to both websites and apps.
The Measures provide for a number of implementing provisions concerning aspects of data collection, data usage and processing, and data security administration. Given the specific requirements provided in the draft Measures, the Measures are likely to have a major impact on the data compliance performance of network operators once in force.
Data collection
Based on the principles provided for in the Cybersecurity Law of China (CSL), the Measures prescribe further requirements in relation to, among other things
- The content of privacy policies
- Filing requirements for the collection of important data and sensitive personal data
- Exceptions to the mandatory consent requirement
The Measures require that network operators’ privacy policies include certain key items, among other things the purpose, type, volume, frequency, means and scope of the personal data collection, the server location, and the procedures by which personal data subjects may withdraw their consent and by which they can examine, rectify and delete their personal data.
Such requirements have already been provided under a non-binding industry guideline, entitled Information Security Technology – Personal Information Security Specification (Personal Specification). However, such requirements will become a binding rule after the Measures are in force.
With respect to the filing procedure for the collection of important data and sensitive personal data, the Measures require that
- If the network operators collect important data or sensitive personal data, they shall specify the person responsible for data security and undertake a filing procedure with the local cybersecurity authority
- Under such filing procedure, network operators should report, among other things, the collection purpose, scale, means, scope, type and period to the competent authorities
The Measures also provide for a definition of “important data,” which refers to data that, once divulged, may lead to direct consequences in relation to national security, economic security, social stability or public health and security. It is similar to the definition provided for under other PRC rules. For example, although the CSL itself does not provide for a specific definition of “important data,” the term “important data” is defined under a non-binding draft industrial guideline, entitled Information Security Technology – Guidelines for Cross-Border Data Transfer Security Assessment (Guidelines). Under the Guidelines, “important data” means data that does not involve state secrets, but is nonetheless closely related to national security, economic development or the public interest. The Guidelines also contain an Appendix which gives further detailed guidance on an industry-specific basis.
The Measures do not provide for a definition of sensitive personal data, but taking into account other PRC rules (such as the Personal Specification), a data subject’s name, cell-phone number, email address, and financial information are highly likely to be deemed sensitive personal data. If that is the case, nearly every network operator who collects personal data in China may be subject to the filing procedure under the Measures.
The CSL provides for a principle that network operators should obtain data subjects’ consent before data collection. The Measures, on the other hand, provide for certain exceptions to that principle by providing that data subjects’ consent is not required if the personal data
- Is collected from public channels and the collection does not violate the will of data subjects
- Is published by the data subjects voluntarily
- Has been anonymised
- Is necessary to be collected for the performance of certain duties by the competent PRC authorities
- Is necessary to be collected for the maintenance of national security, social security or data subjects’ life safety
Data usage and processing
The most important rule in the provisions of the Measures dealing with data usage and processing is the rule for cross-border data transfers.
The CSL introduced the concept of critical information infrastructure in key industrial sectors of China (CII). It requires that CII operators must go through a security assessment procedure and report it to the relevant competent PRC authorities if they intend to transfer personal data and/or important data abroad.
The Measures seem to extend such a requirement to certain non-CII operators by requiring that every network operator should go through a self-assessment procedure and obtain the consent of the relevant industrial supervision department before it publishes, shares, trades or undertakes a cross-border transfer of important data. Because this provision, if implemented as it stands, will apparently extend this reporting obligation to non-CII operators, the requirement may potentially conflict with the data localisation requirements set out in the CSL.
Data security administration
With respect to data security administration, the Measures reiterate the principles under the CSL by requiring that, if there is any data breach, or the risk of a data breach is clearly increasing, the network operators should notify affected data subjects and the competent PRC authorities.
The Measures also provide punishment measures for non-compliance or rule violation, which include, among other things, confiscation of illegal gains, suspension of business operations, website shut-downs, and revocation of business licences. Where the relevant offence constitutes a crime, both the company and the person in charge of that company may face criminal punishment.
In addition, the Measures introduce the concept of a “person responsible for data security” and require network operators to appoint such a person if they plan to collect important data or sensitive personal data.
The person responsible for data security is a role very similar to the position of Data Protection Officer (DPO) under the European General Data Protection Regulation (GDPR). Under the GDPR, contrary to popular belief, what is decisive in terms of the legal obligation to appoint a DPO is not the size of the company, but rather, the core processing activities which are defined as those essential to achieving the company’s goal. Under the GDPR, if such core activities consist of processing sensitive personal data on a large scale, or are a form of data processing that is particularly far-reaching in relation to the rights of the data subjects, the company has to appoint a DPO.
The rationale for appointing a person responsible for data security under the Measures is, we believe, similar to that under the GDPR. Under the Measures, the legal duties of a person responsible for data security include
- Formulating and enforcing the data protection plan
- Initiating data security risk assessments and supervising and advocating rectification of vulnerabilities (if any)
- Reporting the progress in relation to data security protection and incident management to the competent PRC authorities, if required
- Accepting and handling complaints and/or reports by users
Our observations
Once implemented, the Measures will no doubt become a major influence on the data compliance activities of network operators. For example, network operators may need to revisit their current privacy policies in order to address all the items required under the Measures. In addition, network operators who collect important data and/or sensitive personal data may need to implement process changes internally in order to comply with the new filing procedure.
Although the Measures constitute important legislative progress in relation to the data privacy regime in China, they still leave some significant areas to be clarified. For example, key issues such as how the filing procedure will be performed and how to resolve the potential conflict between the Measures and the CSL in relation to the requirements for important data localisation still need to be clarified.
Given that the Measures are still in draft form, they may be subject to further modification before they are finalised. As a legal team specialising in PRC data compliance, we will keep monitoring changes in relation to the draft Measures and issue updates as necessary.