On 28 May 2019, the Cyberspace Administration of China (CAC) released the “Data Security Management Measures”. The measures set out rules and regulations that expand on the Cybersecurity Law 2016, which came into effect on 1 June 2017. The Draft focuses on data protection and personal information, which can affect national security, economic security, social stability, public health and safety.
The new measures also adopt a broad EU-style definition of personal information. Alongside that definition, they address user consent for data collection and further use, registration of sensitive data collection, government approval for cross-border data transfers, and notification of contraventions to the Chinese regulatory authority and affected individuals.
The measures in the Draft have raised broad public concern about data protection because, under them, strict regulations will apply to every company within China. However, the draft measures are currently at the public consultation stage and must still pass through a few revisions. Meanwhile, companies are expected to assess their existing data protection practices and privacy policies, both legally and technically.
Companies with operations within China must take the following precautions:
Conduct a data inventory for an in-depth understanding of the personal information and important data which Chinese entities use and hold.
Identify the new technologies used for the collection and processing of personal information, mainly in relation to artificial intelligence (AI).
Pay special attention to cross-border transfers of personal information and prepare for updated global data strategies.
What is the scope of the Draft measures?
The Draft covers data collection, storage, transmission, processing, use and many other aspects. Data security protection, supervision, and companies with operations within China are also covered in the Draft Measures.
According to the Draft, “personal information” is “information which is recorded in electronic or any other form and used alone or in combination with other information to recognize the identity of a natural person.” The Draft Measures provide thorough details on how to compliantly collect, store, transfer or delete the personal data of persons residing in China.
Significantly, the measures also define “important data” as “data the leakage of which could directly impact national security, economic security, social stability, public health, and safety.”
Strict Statutory Requirements
For further clarification, the Draft Measures combine the existing regulations, recommendations and a few draft proposals in a rational manner. They also cover the entire data lifecycle with higher standards of protection.
1) Protection of Personal Information
Article 7 of the Draft Measures sets out stricter and more detailed requirements for the collection and use of personal data. If a company collects and uses data from both websites and apps, separate rules must be made and published for each.
2) Protection of Important Data
If a company collects and uses important data for any business purpose, it has to submit a record filing application to the local cyberspace authorities. The application should explicitly state the purpose, scale, types and terms of the collection and use.
3) Designation of Data Security Responsible Person
In Article 16, the Draft sets out a requirement to hire a “data security responsible person.”
If a company collects essential and sensitive information for its operations, having a data security responsible person is a legal obligation.
4) Protection of Children’s Personal Information
The Draft Measures show a keen interest in the protection of children’s personal information. Article 14 makes it mandatory that the collection of personal data from children under the age of 14 be based on their guardian’s consent.
The publication of the Draft Measures indicates China’s progress towards establishing a comprehensive legislative structure. This not only controls and regulates cyberspace but also has immense future benefits.