The draft measures apply to network operators, defined the same as that in the CSL, as “owners and administrators of networks and network service providers.” Despite the use of the word “security” in the title, the draft measures broadly impose data protection requirements, including privacy and security, on the collection, storage, transfer, processing, and use of personal information using Chinese networks.
The draft measures implement and expand the data protection requirements imposed by the CSL. For example, Article 41 of the CSL requires that network operators provide proper notice to individuals and obtain their consent before collecting or using their personal information. Articles 42 and 43 mandate that (i) network operators must not disclose personal information without an individual’s consent; (ii) individuals have the right to request network operators to modify or delete their personal information; (iii) network operators must adopt adequate measures to protect the security of personal information; and (iv) network operators must take remedial measures immediately upon a security breach and promptly notify the affected individuals and relevant authorities. Also, Article 37 requires that network operators conduct a security assessment prior to transferring personal information and important data collected or generated in China overseas.
Notice and consent
The draft measures impose specific and granular requirements for providing notice and obtaining consent pursuant to Article 41 of the CSL. However, the draft measures go beyond the original scope of the CSL in the following ways.
First, in providing notice to individuals of its personal data collection and processing practice, a network operator must provide the names and contacts of the individuals who are responsible for data security and in charge of the company, along with other details such as the purpose, method, scope of data collection typically required by the data protection statutes in the other jurisdictions.
Second, to use personal information for personalized and targeted advertisement, a network operator must inform an individual by expressly displaying the words “personalized/targeted advertisement” on the site and provide the opportunity to opt out. Once the individual opts out, the network operator must cease targeting the individual with other personalized or targeted advertisements and delete all data collected concerning the individual.
Third, network operators are prohibited from obtaining an individual’s consent by coercion or inducement through methods such as bundled consent. Further, network operators must not refuse to provide core functions of their services to those who have consented to the collection of personal information that is essential for such core functions but have not consented to the collection of other personal information.
Finally, when a network operator uses artificial intelligence (AI) to synthesize contents, blogs, tweets, or comments, they must inform individual users by marking the generated materials “AI generated.” China debuted its first ever AI news anchor in 2018, when the news anchor’s appearance and voice, together with the news content, were generated using AI. Relevantly, Article 16 of the draft measures limits the collection of personal information via automated means. A network operator must stop automated collection of personal information if the daily traffic from automated means exceeds one-third of the total daily site traffic.