On November 14, 2021, the Cyberspace Administration of China (“CAC”) released the draft “Network Data Security Management Regulations” (the “Draft Regulations”) for public comment. The Draft Regulations have major implications for companies that process data within China as, once adopted, they will implement the country’s three-pillar data protection regime framework: the Cybersecurity Law (“CSL”); the Data Security Law (“DSL”); and the Personal Information Protection Law (“PIPL”).
The Draft Regulations are voluminous and cover a wide range of topics, including (1) identifying the companies that need to perform cybersecurity reviews, (2) establishing personal information and “important data” protections, (3) updating data breach notification & cross-border transfer requirements, and (4) restricting virtual private networks (“VPN”) used to bypass China’s “Great Firewall.” It is currently unclear when the final version of the regulations will be implemented, or how closely they will reflect these Draft Regulations. Find out more in this blog post.
Who is covered by the Draft Regulations?
The Draft Regulations apply to all persons or entities that process data inside mainland China (which excludes Hong Kong, Macau and Taiwan), irrespective of the location of the data processor or nationality of the data subject.
The Draft Regulations also have extra-territorial effect, and apply to all persons or entities that process the data of China-based individuals or organizations overseas if: (1) the purpose of the processing is to provide products or services into China, (2) the processing involves analysis or evaluation of activities of natural persons within China, or (3) the processing involves “important data”, as we discuss further below.
The Draft Regulations impose mandatory cybersecurity reviews on certain data processors, namely
(1) companies with a “large number” (currently undefined) of data resources, (2) certain listed companies that process over 1 million individuals’ personal information, and (3) companies whose data processing may affect Chinese “national security” (also undefined). The Draft Regulations lack details on cybersecurity review process.
Mandatory cybersecurity reviews are a relatively new concept in China, having first been proposed in the CAC’s draft Cybersecurity Review Measures in July to cover a more limited set of companies. That proposal would have applied only to companies with over 1 million individuals’ personal information seeking to list shares overseas.
Protection of Important Data
The Draft Regulations introduces strict additional protections for “important data”, defined as “data that may harm national security or public interests if it is tampered with, destroyed, leaked or illegally obtained or used”. Though the Draft Regulations set out non-exhaustive general categories of important data, sector-specific catalogues of important data will be released by the relevant authorities in due course.
Companies that process important data are required to follow the same, strict data protection requirements as companies that process personal information of over a million people, including mergers, restructurings and divestments of such companies requiring the buyer to report the transaction to the CAC. The Draft Regulations do not specify whether the reporting must take place pre closing (potentially requiring approval of the transaction) or post closing. These requirements are likely to also extend extraterritorially to companies located outside of China that process “important data”.
Data Incident Notification Rules
The Draft Regulations would also significantly modify the Chinese data incident notification rules by requiring companies to report any incident involving the leakage, destruction, or loss of important data or personal information of more than 100,000 people within 8 hours of after the occurrence of the incident, which may be impossible for companies to achieve for many incidents. This is a significantly shorter timeframe than the 72-hour notification period under the GDPR which itself poses challenges for companies. A written incident report is then required within five business days after resolution of the incident. The report should address the cause of the event, harmful consequences, assignment of responsibilities for remediation, and remedial measures to be undertaken, among other things.
If these requirements are retained in the final version of the regulations, Companies will likely need to invest significant time and resources in ensuring these tight reporting deadlines can be complied with.
Additional guidance on cross-border data transfers
The Draft Regulations provide further guidance on the CAC’s Draft Measures on cross-border security transfer assessments (the “Draft Measures”), which were released in October for public comment. The Draft Regulations clarify that data processors may only transfer personal information and important data outside of China with the consent of the relevant individual and if one of the following conditions are satisfied:
- the transfer has passed a relevant CAC security assessment;
- the transferor and transferee have obtained a personal data protection certification—details of the certification scheme are yet to be finalized; or
- the transferor and transferee have entered into a standard contract for the data transfer. There is currently no guidance on what the standard contract will contain.
There are very limited exceptions to these requirements. The Draft Regulations also require companies that undertake cross-border transfers of personal data or important data to submit an annual data outbound transfer security report to the CAC by 31 January.
The Draft Regulations impose strict penalties on companies and individuals that provide VPNs or other tools to bypass China’s online censorship system, also known as the “Great Firewall”. These include: (1) fines of up to 10 times the illegal profits of a company, or up to RMB 500,000 ($78,300) for individuals; (2) warnings, correction orders or confiscation of illegal profits; and (3) in serious cases, suspending or terminating business operations or licenses. These measures represent the Chinese government’s strictest effort so far to control domestic internet content.
It is not clear whether there will be exceptions or approvals for multinational corporations operating in China most of which rely on VPNs to access foreign services and carry out day-to-day operations.
Key takeaways for companies
The Draft Regulations are designed to be the first set of comprehensive implementing rules for the three pillars of Chinese data protection regime, and introduce a number of important changes to Chinese data protection law. It is currently unclear when we can expect to receive the final version of the regulations, or how closely the final version will reflect these Draft Regulations. As drafted, the proposed rules present many challenges for businesses – both domestic and international – and many questions remain outstanding. Stakeholders should consider the implications and, where appropriate, liaise with and submit comments to the Chinese legislators through the channels provided.
We will analyze further developments in this area on our Data Blog.
Debevoise & Plimpton LLP, like other international firms in China, is not admitted to practice PRC law. Our views are based on our general experience in dealing with similar matters and consultation of published compilations of Chinese law. We would be pleased to arrange for assistance from licensed Chinese counsel should you require a formal opinion as to any of the matters set forth in this update.
To subscribe to the Data Blog, please click here.