Reed Smith Client Alerts

On April 10, 2019, the Chinese Ministry of Public Security (MPS) published, on the official website of the MPS Cyber Security Protection Bureau, the finalized Guideline for Internet Personal Information Security Protection (Guideline), following a public comment period that began last November. The Guideline is voluntary and marks the latest in a series of implementations of China’s Cybersecurity Law (CSL) since its June 1, 2017, effective date. It follows the national standards governing the protection of personal information (Standards) (effective May 1, 2018) issued by the Standardization Administration of China (SAC) in January 2018. See our previous client alerts on the Standards and amendments.

While largely similar to the Standards, the Guideline focuses on the technical and organizational cybersecurity controls for businesses providing services over the Internet. As China’s primary cybersecurity regulator under the CSL, MPS previously issued regulations specific to network operators’ multi-level protection scheme, as well as procedures for China’s Public Security Bureaus (PSB) to inspect Internet service providers. The Guideline sets forth MPS-recommended best practices to “protect cybersecurity and individuals’ legitimate interests” that will likely inform PSB cybersecurity inspections.

Authors: Xiaoyan Zhang Amy Yin Vincent James (Jim) Barbuto Catherine Jing

Applicability

The Guideline applies to Personal Information Holders, defined as entities or individuals that “control and process personal information” through their provision of services using the Internet, private networks, or offline. This definition appears to combine the concepts of both data controllers and processors under the General Data Protection Regulation (GDPR); however, the mandatory CSL does not endorse either concept. 

Administrative controls

Personal Information Holders are required, inter alia, to establish a personal information administrative control system; implement, audit, and improve that system; appoint competent administrative staff; and conduct background checks, training, and periodic qualification certification of such staff.