China releases draft data security management measures

17 June 2019 Reed Smith Client Alerts

Home Publikationen China releases draft data security management measures

On May 28, 2019, the Cyberspace Administration of China (CAC) released the draft Data Security Management Measures (draft measures) for public comments. The comment period ends on June 28, 2019. The draft measures implement and expand the data protection provisions of China’s Cybersecurity Law (CSL, effective June 1, 2017). While the draft measures enhance some choice-and-consent provisions, suggesting a continued trend toward conforming to a global standard, the new registration and platform provider’s third-party liability requirements will pose significant burdens to businesses. Once finalized, the measures will become mandatory law in contrast to two voluntary personal information standards and guidelines currently in effect. See our previous alerts on China’s National Personal Information Standards and its amendment (the Standards, effective May 1, 2018) issued by the Standardization Administration of China and the Guideline for the Protection of Internet Personal Information (effective April 10, 2019) issued by the Chinese Ministry of Public Security.

Autoren: Amy Yin Fred Ji

The scope

The draft measures apply to network operators, defined the same as that in the CSL, as “owners and administrators of networks and network service providers.” Despite the use of the word “security” in the title, the draft measures broadly impose data protection requirements, including privacy and security, on the collection, storage, transfer, processing, and use of personal information using Chinese networks.

The draft measures implement and expand the data protection requirements imposed by the CSL. For example, Article 41 of the CSL requires that network operators provide proper notice to individuals and obtain their consent before collecting or using their personal information. Articles 42 and 43 mandate that (i) network operators must not disclose personal information without an individual’s consent; (ii) individuals have the right to request network operators to modify or delete their personal information; (iii) network operators must adopt adequate measures to protect the security of personal information; and (iv) network operators must take remedial measures immediately upon a security breach and promptly notify the affected individuals and relevant authorities. Also, Article 37 requires that network operators conduct a security assessment prior to transferring personal information and important data collected or generated in China overseas.

Notice and consent

The draft measures impose specific and granular requirements for providing notice and obtaining consent pursuant to Article 41 of the CSL. However, the draft measures go beyond the original scope of the CSL in the following ways.

First, in providing notice to individuals of its personal data collection and processing practice, a network operator must provide the names and contacts of the individuals who are responsible for data security and in charge of the company, along with other details such as the purpose, method, scope of data collection typically required by the data protection statutes in the other jurisdictions.

Second, to use personal information for personalized and targeted advertisement, a network operator must inform an individual by expressly displaying the words “personalized/targeted advertisement” on the site and provide the opportunity to opt out. Once the individual opts out, the network operator must cease targeting the individual with other personalized or targeted advertisements and delete all data collected concerning the individual.

Third, network operators are prohibited from obtaining an individual’s consent by coercion or inducement through methods such as bundled consent. Further, network operators must not refuse to provide core functions of their services to those who have consented to the collection of personal information that is essential for such core functions but have not consented to the collection of other personal information.

Finally, when a network operator uses artificial intelligence (AI) to synthesize contents, blogs, tweets, or comments, they must inform individual users by marking the generated materials “AI generated.” China debuted its first ever AI news anchor in 2018, when the news anchor’s appearance and voice, together with the news content, were generated using AI. Relevantly, Article 16 of the draft measures limits the collection of personal information via automated means. A network operator must stop automated collection of personal information if the daily traffic from automated means exceeds one-third of the total daily site traffic.

New registration requirement

Prior to the draft measures, China did not require registration with the authority for the collection of personal information. Article 15 of the draft measures requires that network operators register with the local CAC if they collect sensitive personal information or important data “for business purposes.” Filing submissions must include the purpose, scope, and method of data collection, the types of data being collected, and how long the data will be retained. However, neither “sensitive personal information” nor “for business purposes” is defined in the draft measures. Although the voluntary standards define sensitive personal information, the CSL does not entertain such concept.

Network operators are further required to report to its sector regulator if they distribute, share, trade, or transfer overseas important data (Article 28). Notably, The CSL merely requires a security assessment for transferring overseas important data. The draft measures adopt the CSL’s definition of important data, i.e., data closely related to national security, economic development, and public interest, and clarify that important data excludes data concerning an organization’s production and operation, internal business administrative information, and personal information.

Platform provider’s third-party liability

One of the most controversial requirements of the draft measures is the platform provider’s liability caused by its third-party apps imposed by Article 30. If a network operator operates a platform to host various third-party applications, it must delineate each party’s obligations and responsibilities for data security. In the event that a security incident occurs within the third-party application causing damages to the users, the platform provider must be partially or completely liable for the damages unless it can prove that it has not contributed to the incident. This presumption of fault casts significant burdens on platform providers considering the technical complexity of monitoring the security practice of third-party apps and in proving no fault in the event of a security breach.

Implications

The new registration and the platform provider’s third-party liability requirements are likely two most teething provisions of the draft measures. To comply with the registration requirement, companies need to have a clear grasp of the definitions and scopes of various terms such as important data, sensitive personal information, and business purposes as well as the detailed procedure for filing, which are currently missing. It is also unclear whether a platform provider can contract out of its statutory third-party liability by requesting a third-party app provider for indemnification of damages caused by a data breach. Finally, with respect to the enhanced choice-and-consent approach, some commentators would question its efficacy as consumers may not fully understand the privacy implications of targeted advertisement and AI-generated content.

Client Alert 2019-158

Cheng, Cue named among top lawyers for DeSPAC transactions

Branchen

Beratungsschwerpunkte

Business Teams

PitchBook: Reed Smith leads on PE transactions in healthcare

Daran könnten Sie interessiert sein

Cheng, Cue named among top lawyers for DeSPAC transactions

PitchBook: Reed Smith leads on PE transactions in healthcare

Tools teilen