In 2021 China enacted two additional laws on data: the Data Security Law and the Personal Information Protection Law. The latter, being focused on protecting individuals, is expected to deeply shape the management of China-related businesses.
The Data Security Law, applicable on 1st September 2021, relates to previous rules on security standards, such as the Multi-Level Protection Scheme.
This Multi-Level Protection Scheme (also known as Classified Protection of Information System) goes back as far as 2007 and was last updated in 2019. Network operators are required to conduct a self-assessment of each of their information systems on a scale from 1 to 5. Depending on the protection level so assessed, they have to meet the corresponding protection requirements. Level 3 and above trigger much-increased scrutiny. The applicable rules on the subject can go into great detail in terms of IT infrastructure, a level of detail that is specific to Chinese laws and regulations as compared with the EU General Data Protection Regulation.
The Personal Information Protection Law, applicable on 1st November 2021, is a more comprehensive text, mainly on protecting individuals. It partly relates to previous rules, such as the 2015 Advertising Law (on withdrawal of consent) and the 2017 Cybersecurity Law (principles on processing personal information), not to mention the Civil Code, applicable on 1st January 2021, which includes one chapter on the subject, addressing the lawful basis for processing, the right to be informed, the right of access, the right to rectification and the right to erasure.
In addition to that topic-based approach, industry-based rules also apply, and might prevail: mobile apps were, and still are, subject to stricter specific rules (the 2016 Rules on the Management of Mobile App Information Services). Another example: banks have been subject to multiple rules on personal financial information for years.
That said, the Personal Information Protection Law provides for new approaches on the subject in China, such as extra-territorial reach whenever individuals located in Mainland China are targeted. It is worth noting that this very extra-territorial reach can be found in the EU as well (see the General Data Protection Regulation), and in other jurisdictions such as Japan.
The same goes for:
– designating one representative (or Data Protection Officer), in case the personal information processor exceeds a given threshold as to the quantity of personal information handled, or in case the processor is located outside Mainland China;
– obtaining separate consent from individuals, in case personal information is handed over to other processors, personal information is disclosed, sensitive personal information is processed, or personal information is provided outside China; and
– providing the means for portability, in case some individuals request to transfer personal information from one processor to another.
The main control authority is formally named for the first time, even though the Cybersecurity Law had left little doubt as to the Cyberspace Administration of China supervising operations.
Cross-border data transfers are subject to approvals from the relevant authorities and will represent the main challenge for international groups using integrated IT systems and cloud-based systems. Details remain to be determined, though.
The sanctions set forth in the Personal Information Protection Law, ranging from mere warnings to fines of up to 5% of turnover, might provide extra incentives for data compliance. In that respect, from time to time the Cyberspace Administration of China and other government bodies publish on their websites decisions showing company names and the corresponding violations, in a similar fashion to the US Federal Trade Commission.
Those rules will most likely impact the business models of foreign tech companies establishing themselves in China, from a regulatory standpoint and on the IT structure side as well. For example, for activities requiring information storage within China, the business model may be significantly impacted in terms of financial flows, so as to include local partners holding all relevant licenses and authorizations. As to business plans, compliance costs could be adjusted, for example to take qualified staff and/or service providers into consideration for data protection governance in China.
The Data Security Law and the Personal Information Protection Law both contribute to raising the level of data protection and legal certainty in China. The impacts of the Chinese regulatory and technical ecosystems on your PRC business model and on your business plan to operate on the Chinese market will have to be checked.
Written with the cooperation of Séverin Mélès (IP/IT Counsel).