Legal Updates from some of our members

8 Dec 2021

New Regulation is Expected to Reinforce Data Security Administration

A draft Administration Regulation on Cyber-data Security (the “Draft Cyber-data Security Regulation”), recently released by the Cyberspace Administration of China (“CAC”) for public comment, is intended to implement China’s Cybersecurity Law (“CSL”), Data Security Law (“DSL”) and Personal Information Protection Law (“PIPL”) by interpreting the principles set out in those laws and detailing the responsibilities and obligations that companies and individuals will bear when processing cyber-data and personal information.

1. Draft Cyber-data Security Regulation applies to cyber-data and personal information processing activities by data processors within China, and in some cases, outside China

In the Draft Cyber-data Security Regulation:

 “Cyber-data” (hereinafter “data”) refers to any record of information in electronic form;
 Accordingly, “data processing activities” include the collection, storage, use, processing, transmission, provision, disclosure, deletion and other handling of data;
 A “data processor”, similar to a personal information processor under the PIPL, refers to an organization or individual that independently determines the purposes and means of processing in data processing activities. To further regulate the processing activities of internet platform operators, the Draft Cyber-data Security Regulation introduces two concepts: an “internet platform operator”, which refers to a data processor that provides users with information sharing, social communication, transaction, payment, audio-visual programme or other internet platform services; and a “large-scale internet platform operator”, which refers to an internet platform operator that has more than 50 million users, processes large quantities of personal information and important data, and possesses strong social mobilization capability and a dominant market position.

The Draft Cyber-data Security Regulation will not apply to any data processing by a natural person for his/her personal or family matters.

2. The Draft Cyber-data Security Regulation broadens cybersecurity review

A Draft Revision to the Cybersecurity Review Measures (the “Draft Revision”), released by CAC on July 10, 2021, provides that any purchase of network products and services by critical information infrastructure operators, and any data processing activities by data processors, that affect or may affect State security require cybersecurity review. The Draft Revision also expands the review to cover any operator that possesses the personal information of more than 1,000,000 users and seeks to go public abroad.

The Draft Cyber-data Security Regulation requires all the following activities to go through cybersecurity review:

(1) An internet platform operator that possesses a large volume of data resources concerning national security, economic development or the public interest undertakes a merger, restructuring or division that affects or may affect national security;
(2) A data processor that processes the personal information of more than 1,000,000 people goes public abroad;
(3) A data processor goes public in Hong Kong, which affects or may affect national security;
(4) Other data processing activities that affect or may affect national security.

3. Data processors should carry out compliance audit on a regular basis

The Draft Cyber-data Security Regulation requires data processors to engage professional security protection audit firms to audit their compliance with laws and regulations in respect of the processing of personal information (not data generally). However, it is not clear how frequently such audits must be conducted. In addition, cyberspace administration authorities and the competent authorities in charge will audit important data processing activities, focusing on whether data processors have complied with the laws and regulations on important data protection.

4. Important data enjoys special protections

The DSL provides for the establishment of a data classification and hierarchical protection system. It broadly classifies protected data into core data, important data and other data. It further provides that important data will be defined by general and specific catalogues, and that further obligations apply to the processing of important data. Core data carries the greatest importance and will be subject to a tighter system of management.

4.1 What is important data?

The Draft Cyber-data Security Regulation for the first time defines important data, which generally refers to any data that, once falsified, damaged, leaked, or unlawfully acquired or used, may endanger national security or the public interest. It gives important data a very broad scope through a catalogue of important data that is, to some extent, vague.

4.2 How to share, transact and subprocess important data?

The Draft Cyber-data Security Regulation underscores the requirements of informed consent, data security and record retention for the sharing, transaction and subprocessing of important data. Specifically, the obligations of each party are:

Data Processor

 Informed Consent:
 (a) To inform individuals of the purposes, types, means, scope, period and location of storage of the personal information processing;
 (b) To obtain separate consent from individuals, unless the applicable laws provide otherwise or the personal information has been anonymized.

 Data Protection Agreement:
 (a) To enter into a contract with the data recipient specifying the purposes, scope and means of data processing, the data security protection measures and other responsibilities and obligations in terms of data security;
 (b) To monitor the data processing activities of the data recipient.

 Retention of Records: To retain records of individuals’ consent, logs of personal information collection, and records of approvals for sharing, transacting and subprocessing important data for a period of no less than 5 years.

 Security Assessment: To conduct a prior data security assessment.

 Governmental Approval: To obtain approval from the municipal government authority in charge or, if there is no such authority, from the municipal cyberspace administration authority.

Data Recipient

 Contractual Obligations:
 (a) To perform the obligations agreed with the data processor;
 (b) Not to process personal information or important data beyond the mutually agreed purposes, scope or means of processing.

5. Cross-border data transmission

5.1 Legal bases of cross-border data transmission and exceptions

The Draft Cyber-data Security Regulation requires data processors to complete any one of the following prior to cross-border data transmission, except where the cross-border transmission of personal information is necessary to conclude or perform a contract with the personal information subject, or necessary to protect an individual’s health or property:

 prior security assessment organized by CAC; or
 certification of the data processor and data recipient by a qualified professional data protection institution; or
 execution of a contract with the overseas recipient, based on a standard contract enacted by CAC, specifying their respective rights and obligations; or
 other conditions as required by the applicable laws and regulations or CAC.

5.2 Security assessment of cross-border data transmission

The Measures for the Security Assessment of Cross-border Data Transmission (a draft released by CAC for public comment on October 29, 2021) list five circumstances that require a CAC-led security assessment. The Draft Cyber-data Security Regulation, however, lists only three circumstances that are subject to such a security assessment:

(1) A data processor transmits important data;
(2) A critical information infrastructure operator (as defined in the Cybersecurity Law) or a personal information processor that processes the personal information of over one million individuals transmits personal information abroad;
(3) Other circumstances to be specified by CAC.

It is widely believed that the five circumstances set out in the Measures for the Security Assessment of Cross-border Data Transmission, a lower-level piece of legislation, are supplementary to the circumstances that require a security assessment under the Draft Cyber-data Security Regulation.

5.3 Annual reporting for cross-border transmission of important data and personal information

In addition to the general measures for cross-border data transmission, data processors that transmit important data or personal information abroad will need to report annually.

Specifically, a data processor must prepare and submit a cross-border data transmission security report to the municipal cyberspace administration authority before January 31 of each year, covering the cross-border data transmissions of the preceding year.

5.4 Other general obligations of a data processor in terms of cross-border data transmission

A data processor shall perform the following obligations when transmitting data abroad:

(1) Not to transmit personal information abroad beyond the purposes, scope, means, types and scale of the cross-border transmission stated in the personal information protection impact assessment report submitted to the cyberspace administration authority;
(2) Not to transmit personal information or important data abroad beyond the purposes, scope, means, types and scale of the cross-border transmission approved in the CAC-led security assessment;
(3) To adopt contractual and other effective measures to monitor whether the data recipient uses the data for the agreed purposes, at the agreed scale and by the agreed means, performs its data security protection obligations and ensures the security of the data;
(4) To accept and handle complaints from users in connection with the cross-border data transmission;
(5) To bear liability in accordance with applicable laws for damage to the legitimate interests of individuals or organizations, or to the public interest, arising from the cross-border data transmission;
(6) To retain the relevant logs and governmental approvals of cross-border data transmission for a period of no less than 3 years;
(7) To present, in an explicit, written and readable form, the types and scope of personal information and data transmitted abroad in the event of an inspection by CAC together with other governmental authorities;
(8) To cease the data transmission immediately and adopt effective remedial measures to protect the security of data already transmitted abroad once CAC determines that the data must not be transmitted abroad;
(9) In the event of re-transmission of personal information after it has been transmitted abroad, to reach agreement on the re-transmission with the individuals concerned and to specify the security protection obligations that the data recipients must perform;
(10) Not to provide any data stored within China to any foreign judicial or law enforcement agency without the prior approval of the Chinese government; and
(11) To establish technical and organizational measures in accordance with the regulatory requirements on cross-border data security.

6. Internet platforms will face closer scrutiny

The PIPL imposes special obligations on internet platforms that provide important platform services, have a large number of users and operate complex business types. However, it does not define what such internet platforms are. The Draft Cyber-data Security Regulation introduces the concepts of internet platforms and large-scale internet platforms and underscores the heavy obligations to be performed by their operators.

7. Processing personal information

7.1 Processing based on individuals’ consents should comply with more requirements

The Draft Cyber-data Security Regulation imposes additional requirements on consent-based personal information processing, including:

(1) The personal information to be processed must be necessary for providing the service or performing a statutory obligation;
(2) Personal information must be processed for the shortest period and at the lowest frequency necessary for the processing purposes, and in the way that has the least impact on individuals’ interests;
(3) A data processor shall not refuse to provide a service to an individual, or interrupt an individual’s normal use of a service, merely because he/she refuses to provide personal information beyond that necessary for providing the service.

7.2 Detailed requirements on personal Information processing rules

The PIPL provides high-level requirements on personal information processing rules: (1) personal information processing rules must be made public so that they are easy to consult and retain; (2) the processing of personal information of minors under the age of 14 must be governed by special processing rules; (3) individuals have the right to request that a personal information processor explain its personal information processing rules.

The Draft Cyber-data Security Regulation clarifies the above-mentioned high-level requirements as follows:

 Firstly, every data processor must formulate personal information processing rules for its processing;
 Secondly, personal information processing rules must be publicly displayed, easy to access and placed in a noticeable location;
 Thirdly, personal information processing rules must be explicit, specific, simple and plain, explaining the personal information processing to individuals in a systematic and comprehensive way.

Moreover, the Draft Cyber-data Security Regulation specifies the mandatory contents of personal information processing rules.

7.3 Consent and separate consent

Under the Draft Cyber-data Security Regulation, a data processor must comply with additional requirements when obtaining informed consent from individuals. These include, without limitation:

(1) It shall obtain an individual’s consent separately for each type of service rather than through a general clause;
(2) It shall not coerce an individual into consenting to the processing of his/her personal information in the name of improving service quality or user experience, or developing new products;
(3) It shall not induce or coerce an individual into giving a one-off consent to the processing of personal information by bundling different types of services, requesting consent in bulk, or by other means;
(4) It shall not repeatedly demand consent from an individual, or disturb his/her normal use of a service, after he/she has explicitly refused to give consent.

The data processor bears the burden of proof in the event of a dispute with an individual over informed consent.

The Draft Cyber-data Security Regulation for the first time clarifies that “separate consent” means that the data processor must obtain the individual’s informed consent for each item of personal information, rather than a one-off informed consent covering multiple items of personal information or multiple processing activities.

7.4 Obligations in response to exercising individuals’ rights

Data processors are obliged to facilitate the exercise by individuals of their rights to access, copy, correct, supplement, restrict the processing of, or delete personal information. More specifically, a data processor must:

(1) provide convenient means and channels for access, and not restrict individuals’ reasonable requests by reference to time, location or other factors;
(2) provide convenient support functions enabling individuals to copy, correct, supplement, restrict the processing of, or delete personal information, or to withdraw their consent or deregister their accounts, without imposing unreasonable conditions;
(3) accept and handle individuals’ reasonable requests within 15 working days.

7.5 Detailed conditions of data portability

If all of the following conditions are satisfied, a data processor must provide a transmission service enabling other data processors designated by an individual to access and obtain his/her personal information free of charge (the data processor may charge a reasonable fee if the request for data portability is clearly excessive):

(1) The personal information to be transmitted was collected on the basis of the individual’s consent, or is necessary for concluding and performing a contract with the individual;
(2) The personal information to be transmitted is the requestor’s own personal information, or another individual’s personal information that the requestor has lawfully acquired without violating that individual’s will; and
(3) The requestor’s identity can be verified.

MHP Law Firm | T +8621 61132988 | F +8621 61132913
© MHP Law Firm
This Newsletter is only offered for the purpose of sharing information. It discusses legal developments and should not be regarded as legal advice for specific situations. If you wish to obtain more information, please contact us at .

The Law Firm Network is a network of independent law firms that originated in 1989. Our members are not affiliated in the joint practice of law; each member firm is an independent law firm and renders professional services on an individual and separate basis.