On November 14, 2021, the Cyberspace Administration of China (“CAC”) released the draft “Network Data Security Management Regulations” (the “Draft Regulations”) for public comment. The Draft Regulations have major implications for companies that process data within China as, once adopted, they will serve as implementing rules for the country’s three-pillar data protection regime: the Cybersecurity Law (“CSL”); the Data Security Law (“DSL”); and the Personal Information Protection Law (“PIPL”).

The Draft Regulations are voluminous and cover a wide range of topics, including (1) identifying the companies that need to undergo cybersecurity reviews, (2) establishing protections for personal information and “important data”, (3) updating data breach notification and cross-border transfer requirements, and (4) restricting virtual private networks (“VPNs”) used to bypass China’s “Great Firewall.” It is currently unclear when the final version of the regulations will be implemented, or how closely it will reflect these Draft Regulations.

Who is covered by the Draft Regulations?

The Draft Regulations apply to all persons or entities that process data inside mainland China (which excludes Hong Kong, Macau and Taiwan), irrespective of the location of the data processor or nationality of the data subject.

The Draft Regulations also have extra-territorial effect: they apply to persons or entities that process, from outside mainland China, the data of individuals or organizations located in China if (1) the purpose of the processing is to provide products or services into China, (2) the processing involves analysis or evaluation of the activities of natural persons within China, or (3) the processing involves “important data”, as discussed further below.

Cybersecurity Reviews

The Draft Regulations impose mandatory cybersecurity reviews on certain data processors, namely (1) companies with a “large number” (currently undefined) of data resources, (2) certain listed companies that process the personal information of over 1 million individuals, and (3) companies whose data processing may affect Chinese “national security” (also undefined). The Draft Regulations give few details on the cybersecurity review process itself.

Mandatory cybersecurity reviews are a relatively new concept in China, having first been proposed in the CAC’s draft Cybersecurity Review Measures in July 2021. That proposal would have covered a far narrower set of companies: only those holding the personal information of over 1 million individuals and seeking to list shares overseas.

Protection of Important Data

The Draft Regulations introduce strict additional protections for “important data”, defined as “data that may harm national security or public interests if it is tampered with, destroyed, leaked or illegally obtained or used”. Though the Draft Regulations set out non-exhaustive general categories of important data, sector-specific catalogues of important data are to be released by the relevant authorities in due course.

Companies that process important data are required to follow the same strict data protection requirements as companies that process the personal information of over a million people. Among other things, a merger, restructuring or divestment of such a company requires the buyer to report the transaction to the CAC. The Draft Regulations do not specify whether the report must be made pre-closing (which could in practice amount to a requirement for approval of the transaction) or post-closing. These requirements are also likely to apply extraterritorially to companies located outside China that process “important data”.

Data Incident Notification Rules

The Draft Regulations would also significantly tighten the Chinese data incident notification rules by requiring companies to report any incident involving the leakage, destruction or loss of important data, or of the personal information of more than 100,000 people, within eight hours of the occurrence of the incident. For many incidents this will be impossible to achieve, and it is a far shorter timeframe than the 72-hour notification period under the GDPR, which itself poses challenges for companies. A written incident report is then required within five business days after resolution of the incident. The report should address, among other things, the cause of the event, its harmful consequences, the assignment of responsibility for remediation, and the remedial measures to be undertaken.

If these requirements are retained in the final version of the regulations, companies will likely need to invest significant time and resources to ensure that these tight reporting deadlines can be met.

Additional guidance on cross-border data transfers

The Draft Regulations provide further guidance on the CAC’s draft Measures on security assessments for cross-border data transfers (the “Draft Measures”), which were released in October 2021 for public comment. The Draft Regulations clarify that data processors may transfer personal information and important data outside of China only with the consent of the relevant individual (where personal information is involved) and if one of the following conditions is satisfied:

  1. the transfer has passed a relevant CAC security assessment;
  2. the transferor and transferee have obtained a personal data protection certification—details of the certification scheme are yet to be finalized; or
  3. the transferor and transferee have entered into a standard contract for the data transfer. There is currently no guidance on what the standard contract will contain.

There are very limited exceptions to these requirements. The Draft Regulations also require companies that undertake cross-border transfers of personal data or important data to submit an annual outbound data transfer security report to the CAC by 31 January each year.

VPN Restrictions

The Draft Regulations impose strict penalties on companies and individuals that provide VPNs or other tools to bypass China’s online censorship system, also known as the “Great Firewall”. These include: (1) fines of up to 10 times the illegal profits of a company, or up to RMB 500,000 ($78,300) for individuals; (2) warnings, correction orders or confiscation of illegal profits; and (3) in serious cases, suspending or terminating business operations or licenses. These measures represent the Chinese government’s strictest effort so far to control domestic internet content.

It is not clear whether there will be exceptions or approvals for multinational corporations operating in China, most of which rely on VPNs to access foreign services and carry out day-to-day operations.

Key takeaways for companies

The Draft Regulations are designed to be the first set of comprehensive implementing rules for the three pillars of the Chinese data protection regime, and introduce a number of important changes to Chinese data protection law. It is currently unclear when the final version of the regulations can be expected, or how closely it will reflect these Draft Regulations. As drafted, the proposed rules present many challenges for businesses, both domestic and international, and many questions remain outstanding. Stakeholders should consider the implications and, where appropriate, liaise with and submit comments to the Chinese authorities through the channels provided.

We will analyze further developments in this area on our Data Blog.


Debevoise & Plimpton LLP, like other international firms in China, is not admitted to practice PRC law. Our views are based on our general experience in dealing with similar matters and consultation of published compilations of Chinese law. We would be pleased to arrange for assistance from licensed Chinese counsel should you require a formal opinion as to any of the matters set forth in this update.


Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Mark Johnson is a partner in the firm’s Hong Kong office and a member of the International Dispute Resolution Group. His practice focuses on commercial litigation, international arbitration and white collar/regulatory defense matters, particularly in the financial services sector. He can be reached at mdjohnson@debevoise.com.

Author

Philip Rohlik is a member of Debevoise’s Litigation Group whose practice focuses on international investigations, securities law and dispute resolution. Mr. Rohlik’s varied practice has included representation of U.S. and multinational companies in complex litigation and investigations, as well as in cybersecurity and data privacy issues, with a particular focus on Asia. He is recommended by The Legal 500 Asia Pacific (2021), with the guide describing him as “very thorough and hands on.” Based in Asia since 2011, Mr. Rohlik leads Debevoise's dispute resolution team in Shanghai. He can be reached at prohlik@debevoise.com.

Author

Ralph Sellar is an international counsel and English and Hong Kong qualified member of the firm’s International Dispute Resolution Group based in the Hong Kong office. Mr. Sellar is a commercial litigator with extensive experience in a range of banking litigation, including disputes relating to investment and wholesale banking, listed securities, OTC derivatives and structured products. He can be reached at rsellar@debevoise.com.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising on AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.

Author

Martha Hirst is an associate in Debevoise's Litigation Department based in the London office. She is a member of the firm’s White Collar & Regulatory Defense Group, and the Data Strategy & Security practice. She can be reached at mhirst@debevoise.com.

Author

Mengyi Xu is an associate in Debevoise's Litigation Department and a Certified Information Privacy Professional (CIPP/US). As a member of the firm’s interdisciplinary Data Strategy & Security practice, she helps clients navigate complex data-driven challenges, including issues related to cybersecurity, data privacy, and data and AI governance. Mengyi’s cybersecurity and data privacy practice focuses on incident preparation and response, regulatory compliance, and risk management. She can be reached at mxu@debevoise.com.

Author

Eva is a PRC legal consultant resident in Debevoise's Shanghai office. She is a member of the Shanghai office disputes team focusing on compliance and litigation matters. She can be reached at eniu@debevoise.com.