Quick View-Administrative Measures for Data Security (Draft for Comment)
Background
On 28 May 2019, the China Administration of Cyber (“CAC”) issued the Administrative Measures for Data Security (Draft for Comment) (“Measures”). Previously, the Cybersecurity Law of the People's Republic of China (“Cybersecurity Law”) took effect on 1 June 2017. However, the Cybersecurity Law consists mainly of general principles and offers little practical guidance. As one of the complementary measures to the Cybersecurity Law, the Information Security Technology-Personal Information Security Specification (“Specification”), issued by TC260, took effect on 1 May 2018. From a technical perspective, the Specification, which is perceived as the Chinese counterpart of the General Data Protection Regulation (“GDPR”), is highly practical. However, the Specification is merely a recommended national standard without legal force, and therefore carries far less deterrence than the GDPR. Against this background, the Measures, as one of the important implementing legal norms of the Cybersecurity Law, gives technical specifications and best practices in the field of data security the force of law.
1. The Measures puts forward the concept of “data security” in contrast to “cyber security”, and certain industry practices are adopted as legal norms.
The Cybersecurity Law puts forward two concepts: “cyber operation security” and “cyber information security”. The Measures specifically puts forward the concept of “data security” to emphasize its independence from “cyber security”. One of the stated goals is to “protect the security of personal information and important data”. [1] The definition of “data security” includes “protecting data from being divulged, stolen, falsified, damaged, or illegally used”. [2] Given the breadth of the concept of “data security”, one would expect the Measures to sit at a higher level of the legislative hierarchy; currently, however, it appears more likely to be a departmental rule.
The Measures adopts certain industry practices as legal norms. It provides that network operators must not collect personal information by using implied authorization, function bundling or similar methods to force or mislead the subject of personal information. [3] Network operators should clearly mark “targeted push” when using it, [4] and should specify data security requirements and responsibilities with third-party applications that connect to their platforms. [5] Once the Measures comes into effect, those recommended standards and industry practices will have legal force. That said, the Measures does not adopt all industry practices. For example, it adopts the rights of access, correction and deletion of the subject of personal information mentioned in the Specification, [6] but, like the E-Commerce Law of the People's Republic of China (“E-Commerce Law”), the Measures does not adopt the right to data portability. [7]
2. Network operators who collect important data or sensitive personal information for the purpose of business operation shall file with the cyberspace administrative departments. The content of the filing is the rules of data collection and use, rather than the data itself.
The Measures requires that network operators who collect important data or sensitive personal information for business operation purposes shall file with the local cyberspace administrative departments. [8] We understand that only collection activities carried out for the purpose of business operation are subject to this filing obligation. However, how to define “for the purpose of business operation” remains unclarified. In practice, for example, it is unclear whether collecting employees’ sensitive personal information should be regarded as an enterprise’s activity “for the purpose of business operation”. We understand that if the scope of sensitive personal information stipulated in the Measures is consistent with that in the Specification, such sensitive personal information would include personal telephone numbers, sexual orientation, marriage history, religious beliefs, unpublicized criminal records, communication records and contents, location tracks, web browsing records, accommodation information, precise positioning information, etc. [9] With this scope, the range of network operators who need to fulfil the filing obligation will be quite broad.
3. The Measures puts forward clear requirements for corporate governance structure: network operators who collect important data or sensitive personal information for the purpose of business operation should set up a “responsible person for data security”.
For network operators who collect important data or sensitive personal information for the purpose of business operation, the Measures requires them to set up a “responsible person for data security” to “participate in important decision-making regarding data activities and report directly to the main person in charge of the network operator.” [10] The “responsible person for data security” is a position distinct from the “person in charge of cybersecurity” under the Cybersecurity Law, [11] and corresponds to the “person in charge of personal information protection” under the Specification. [12] The Measures further sets out qualification requirements for the “responsible person for data security”. Specifically, such a person shall have “relevant management experience and professional knowledge of data security.” [13]
4. Without exception, network operators should obtain users’ consent when collecting users’ information, which strengthens the protection of the subject of personal information.
The Measures stipulates that network operators should first formulate and publicize rules of collection and use before collecting and using personal information. [14] Such rules shall be clear, specific, simple and easy to access. [15] Moreover, the Measures provides that network operators are not allowed to collect users’ personal information unless users are aware of these rules and explicitly consent to them. [16] The Measures does not allow network operators to collect personal information without the explicit consent of users. By contrast, the Specification allows controllers of personal information to collect personal information without authorized consent in certain circumstances. [17] This shows that, compared with the Specification, the Measures provides stronger protection for the subject of personal information.
5. The Measures narrows down the scope of situations in which network operators do not need to obtain the consent of the subject of personal information when providing his/her information to others, which further strengthens the protection of the subject of personal information.
The Measures sets out certain situations in which network operators do not need to obtain consent when providing information to others. [18] Compared with the Specification, the Measures narrows down the scope of situations in which consent is not required. For example, under the Measures, when personal information is “collected from legal and public channels”, the consent of the subject of personal information is not required, provided that such collection is “not obviously contradictive to the will of the subject of personal information”. [19] In addition, the Measures provides that there is no need to obtain the consent of the subject of personal information when “it is necessary to maintain the life safety of the subject of personal information.” It should be noted, however, that the corresponding exception in the Specification, “protecting the life, property and other important and legitimate rights and interests of the subject of personal information or other individuals where consent is difficult to obtain”, is much broader than the scope stipulated in the Measures. [20]
6. When the relevant competent departments under the State Council, for the purpose of performing their duties, require a network operator to provide relevant data it holds pursuant to laws and regulations, the network operator shall provide the data. [21]
7. The collection of personal information from minors under the age of 14 shall be subject to the consent of their custodians.
If a network operator collects personal information of minors under the age of 14, it shall obtain the consent of the minor’s custodian pursuant to the Measures. [22] This is basically in line with the relevant requirement in the Specification. However, the word “express” used in the Specification is omitted, [23] which somewhat alleviates the burden on network operators.
8. Cross-border transfer of important data conducted by network operators shall be subject to a data security risk assessment and shall be reported to the relevant departments for consent before such transfer.
According to the Measures, before releasing, sharing, trading or exporting important data, network operators shall conduct a security risk assessment and report to the competent regulatory department of the industry for consent. If the competent regulatory department of the industry is unclear, such data transfer shall be approved by the cyberspace administrative department at the provincial level. [24] This means that, regardless of the amount of data to be transferred or the industry involved, all cross-border transfers of important data shall be reported to the relevant departments for consent. This strengthens the supervision and regulation of cross-border data transfer.
9. The enforcement and punishment measures stipulated in the Measures do not act as much of a deterrent.
The enforcement measures stipulated in the Measures include interviews, public exposure, confiscation of illegal gains, suspension of relevant businesses, suspension of business for rectification, shutdown of websites, and revocation of relevant business permits or licenses. [25] Unlike the Cybersecurity Law, the Measures does not mention fines. Compared with “warning” and “being included in the list of dishonesty”, “interview” and “public exposure” are flexible and lenient enforcement measures. Unlike the GDPR, which stipulates enormous fines, the Measures does not act as much of a deterrent to enterprises.
10. The Measures does not refer to “critical information infrastructure operators”.
The Measures regulates the activities of “network operators” regarding data collection, processing and use, as well as data security protection. However, it does not mention the obligations of “critical information infrastructure operators” (“CIIO”) in terms of data security. Although the concept of “network operators” may cover CIIO, the data security requirements for CIIO should differ from those for ordinary “network operators”.
[Notes]
[1] See Art. 1 of Administrative Measures for Data Security (Draft for Comments).
[2] See Art. 4 of Administrative Measures for Data Security (Draft for Comments).
[3] See Art. 11(1) of Administrative Measures for Data Security (Draft for Comments).
[4] See Art. 23 of Administrative Measures for Data Security (Draft for Comments).
[5] See Art. 30 of Administrative Measures for Data Security (Draft for Comments).
[6] See Art. 21 of Administrative Measures for Data Security (Draft for Comments).
[7] See Art. 24 of E-Commerce Law.
[8] See Art. 15 of Administrative Measures for Data Security (Draft for Comments).
[9] See Appendix B of Information Security Technology-Personal Information Security Specification.
[10] See Art. 17 of Administrative Measures for Data Security (Draft for Comments).
[11] See Art. 21(1) of Cybersecurity Law.
[12] See Art. 10.1 of Information Security Technology-Personal Information Security Specification.
[13] See Art. 17 of Administrative Measures for Data Security (Draft for Comments).
[14] See Art. 7 of Administrative Measures for Data Security (Draft for Comments).
[15] See Art. 8 of Administrative Measures for Data Security (Draft for Comments).
[16] See Art. 9 of Administrative Measures for Data Security (Draft for Comments).
[17] See Art. 5.4 of Information Security Technology-Personal Information Security Specification.
[18] See Art. 27 of Administrative Measures for Data Security (Draft for Comments).
[19] See Art. 27(1) of Administrative Measures for Data Security (Draft for Comments).
[20] See Art. 27(5) of Administrative Measures for Data Security (Draft for Comments), Art. 8.5 of Information Security Technology-Personal Information Security Specification.
[21] See Art. 36(1) of Administrative Measures for Data Security (Draft for Comments).
[22] See Art. 12 of Administrative Measures for Data Security (Draft for Comments).
[23] See Art. 5.5 of Information Security Technology-Personal Information Security Specification.
[24] See Art. 28 of Administrative Measures for Data Security (Draft for Comments).
[25] See Arts. 33, 37 of Administrative Measures for Data Security (Draft for Comments).
Special Statement:
The articles published above represent only the views of their authors and do not constitute any form of legal opinion or advice from Zhong Lun Law Firm (Beijing) or its lawyers.
If you wish to reprint or quote any content of these articles, please contact us by private message to arrange authorization, and indicate at the beginning of the reprinted article that the source is the official account “Zhong Lun Vision” together with the author's name. Without the written authorization of this firm, no content of these articles, including pictures, video and other audiovisual materials, may be reprinted or used. If you would like to further exchange views or discuss the relevant topics, you are welcome to contact this firm.