Following an eventful year, Shi Taige of Jingtian & Gongcheng reviews the significant developments in China's data protection landscape for 2022, and ponders its further evolution in 2023:

  • 2022 was a year in which China's data protection legislation was further refined.
  • While focusing on ensuring data security, the Chinese government also began to recognize and emphasize the value and utility of data.
  • A cross-border data transfer mechanism has finally been created.
  • Sector-specific rules will provide essential guidance to operators.

In 2022, China's data protection legislation entered a phase of refinement. The regulatory authorities developed and issued implementing rules to enforce the data protection regimes established by the Data Security Law (DSL) (《数据安全法》) and the Personal Information Protection Law (PIPL) (《个人信息保护法》). A number of developments are worth noting in particular. 

China's cross-border data transfer mechanism takes shape

With the promulgation and implementation of a series of rules (some still in draft form), such as the Measures for the Security Assessment of Overseas Transfer of Data (《数据出境安全评估办法》) in 2022, China's cross-border data transfer mechanism has now come into being. This comes five years after the Cybersecurity Law (《网络安全法》) first introduced the concept of a security assessment for cross-border data transfers.

In the Measures for the Security Assessment of Overseas Transfer of Data, the Cyberspace Administration of China (CAC) clarified the applicable scope of the security assessment for transferring data outside of China. The CAC also, and for the first time, officially defined what kind of activities may constitute the “cross-border transfer of data” in the guidelines it published for security assessment. Since September 1, companies whose data processing activities fall into the scope of the security assessment have begun to prepare to apply for the security assessment for their cross-border transfers of data.

In addition, the rules supporting the two other mechanisms for transferring personal information overseas under Article 38 of the PIPL were also promulgated in 2022.

On June 30, the CAC published the Provisions on Standard Contracts for Overseas Transfer of Personal Information (Draft for Comments) (《个人信息出境标准合同规定(征求意见稿)》), together with a template of the Standard Contract for Overseas Transfer of Personal Information (《个人信息出境标准合同》) for public comment. Although such provisions and the template of standard contract have not been finalized, the requirements of what amounts to China's version of “Standard Contractual Clauses” have been referenced by companies which want to rely on the standard contracting mechanism as the legitimate basis for their transfer of personal information out of China.

In addition, the CAC and the State Administration for Market Regulation (SAMR) released the Implementing Rules for the Certification of Personal Information Protection (《个人信息保护认证实施规则》) on November 4, which establish the procedural rules for implementing the personal information protection certification mechanism. These were followed on December 16 by the second version of the Practical Guidelines for Cybersecurity Standards: Technical Specifications for the Certification of Cross-Border Personal Information Processing Activities (《网络安全标准实践指南—个人信息跨境处理活动认证技术规范》). With those two documents in place, once the qualified certification firms are announced, multinational companies will be able to apply for certification as the basis for transferring personal information out of China.

Data security management (“DSM”) certification is implemented

In June, the CAC and the SAMR jointly released the Implementing Rules for the Certification of Data Security Management (《数据安全管理认证实施规则》), setting out the procedural requirements for network operators applying for certification of their data security management and for the certification firms carrying out the certification. The certification will be carried out in accordance with the national standard Network Data Processing Security Requirements (GB/T 41479-2022) (《网络数据处理安全要求》), published by the SAMR on April 15. This standard provides detailed security requirements for network operators processing data collected and processed through the network. Network operators are encouraged to improve their data security management capabilities and protection levels through voluntary certification. In particular, obtaining DSM certification can, to a certain extent, serve as proof of the network operator's compliance with security requirements for data processing activities, and will help demonstrate compliance during regulatory procedures such as the security assessment of overseas transfers of data.

Data security requirements are strengthened

The revised Provisions on the Administration of Mobile Internet Application Information Services (《移动互联网应用程序信息服务管理规定》) published by the CAC on June 14, require mobile app operators to fulfill data security protection obligations, establish and improve the data security management system, and take technical measures to ensure data security.

In the Provisions for the Administration of Deep Synthesis in Connection with Internet Information Services (《互联网信息服务深度合成管理规定》) jointly released by the CAC, the Ministry of Industry and Information Technology (MIIT), and the Ministry of Public Security (MPS) on November 25, deep synthesis (deepfake) service providers and their technical supporters are required to establish and implement data management systems and to ensure the security of the training data used in the application of deepfake technologies.

Industry regulators promulgate sector-specific data security rules

Based on the statutory requirements set forth by the DSL and PIPL and the general rules enforced by the CAC, in 2022, industry regulators issued data security rules and standards to provide detailed guidance on the security of data processing for the operators in their respective sectors.

Financial Sector

The General Office of the China Banking and Insurance Regulatory Commission published the Guiding Opinions on the Digital Transformation of the Banking and Insurance Industries (《关于银行业保险业数字化转型的指导意见》) on January 10, under which banks and insurance institutions are required to build data governance systems and improve their data management capabilities. Relevant data security and privacy protection requirements are also emphasized, including the requirement for stringent data access controls and for security assessment and risk control of data-related third-party cooperation.

On November 14, the China Securities Regulatory Commission released the securities industrial standard Guidelines for Data Security Management and Protection of the Securities and Futures Industry (JR/T 0250-2022) (《证券期货业数据安全管理与保护指引》). This industry standard not only sets forth data security requirements in terms of basic principles, organizational structure, and management systems, but also specifies methods for the protection of different levels of data in the securities and futures industry with respect to the collection, display, transfer, processing and storage of such data.

Healthcare Sector

On August 8, the National Health Commission released the Measures for the Administration of Cybersecurity of Healthcare Institutions (《医疗卫生机构网络安全管理办法》), which include a chapter dedicated to detailed requirements relating to the data security obligations of healthcare institutions. Those health sector-specific rules include that: (i) healthcare institutions are required to conduct their data processing activities within the territory of mainland China, and the overseas transfer of relevant data is subject to applicable reviews and assessments; (ii) special risks should be assessed when healthcare institutions use cloud services to store their business data; and (iii) face recognition data may only be used to identify specific individuals, and special protection measures must be taken to store and transfer such data.

Automotive Sector

On August 30, the Ministry of Natural Resources published the Circular on Promoting the Development of Intelligent Connected Vehicles and Safeguarding the Security of Mapping and Geographic Information (《关于促进智能网联汽车发展维护测绘地理信息安全的通知》). It clarifies that the collection, storage, transfer and processing by intelligent connected vehicles, during their operation, service provision and road testing, of the spatial coordinates, images, point clouds and characteristic information of the vehicle and the surrounding road facilities, and of other mapping and geographic information data, constitute surveying and mapping activities regulated by the Surveying and Mapping Law (《测绘法》), and thus may only be conducted by companies which have obtained the applicable surveying and mapping license. The circular also emphasizes that the provision of such mapping and geographic information to overseas recipients is subject to prior approval by the authorities.

In addition, the national standard Security Requirements for the Processing of Motor Vehicle Data (GB/T 41871-2022) (《汽车数据处理安全要求》) published on October 12 (to become effective on May 1, 2023), provides detailed and practical guidance on the implementation of the requirements set forth by the Several Provisions for the Administration of the Security of Automotive Data (Trial Implementation) (《汽车数据安全管理若干规定 (试行)》).

Power and Energy Sector

In relation to the power industry, the National Energy Administration released the updated Measures for the Administration of Cybersecurity of the Power Industry (《电力行业网络安全管理办法》) on November 16, under which power companies are required to (i) establish and improve whole-process data security management and personal information protection, determine their own specific important data catalogues, and provide special protection for important data; and (ii) include their data security status in the annual cybersecurity report submitted to the sector regulators.

Industrial and Information Technology Sector

On December 8, the MIIT also released the long-awaited Measures for the Administration of Data Security in the Industry and Information Technology Sector (Trial Implementation) (《工业和信息化领域数据安全管理办法(试行)》), which regulate security matters in the processing of industrial data, telecommunications data and wireless data. Following the data classification rules set forth by the DSL, the MIIT classifies the data in its sector into three levels, core data, important data and general data, and defines the scope of each. Data handlers in this sector are required to file the catalogues of core data and important data they possess with the regional industrial regulators and to update the filing if there are major changes. In addition, the Measures require data handlers to establish and implement "full lifecycle" data security management systems, and set forth detailed requirements, for example, special organizational and technical measures for handlers of core data and important data, data destruction requirements, and special approval procedures for the provision, transfer, or entrusted processing of core data.

Top decision-makers issue a national data strategy highlighting the value and utility of data 

On December 19, the Communist Party of China Central Committee and the State Council jointly published a national data strategy policy named Opinions on the Establishment of Basic Systems for Data to Better Play Its Role as Elements (《关于构建数据基础制度更好发挥数据要素作用的意见》). This policy calls for establishing basic systems for data, and also emphasizes the value of data as an important national resource, aiming to unlock the potential of data and strengthen the digital economy.

The key points of the policy include: (i) a system of categorization, classification and authorization for public data, enterprise data and personal data will be established; (ii) the exploration of an appropriate mechanism for distributing data rights (the right to possess data, the right to use data, the right to market data, etc.) among the different participants in the generation, circulation and use of data is encouraged; (iii) data handlers will be allowed to exploit and utilize raw data in accordance with applicable laws, and the government will promote the reuse and full utilization of data value, as well as the exchange of data use rights; (iv) the government will promote the establishment and improvement of data trading rules, and the development of a series of unified national standards for data trading and data security to reduce data transaction costs; (v) the establishment of mutually beneficial international rules for cross-border data flows is encouraged, along with the exploration of safe and standardized methods of cross-border data transfer for typical and routine transfer scenarios; and (vi) there are calls to build a fair, efficient, incentive-based and standardized data value distribution mechanism, and the exploration of different ways to share the value and benefits of personal data, enterprise data and public data is encouraged.

However, it should be noted that the realization of the vision embodied in this policy still depends on the formulation and implementation of data-related rules and measures by the relevant ministries. In 2023, legislation on certain important data-related regulations is expected to be completed, including the long-awaited Measures for the Administration of Network Data Security (《网络数据安全管理办法》) and the rules on the identification of important data. In addition, more sector-specific data regulations and rules (including the important data catalogues for the corresponding sectors) will be promulgated, and companies will be guided by clearer instructions when processing data in their businesses.

Notes

1 First published at China Law & Practice, https://www.chinalawandpractice.com/2023/01/30/data-protection-in-2022-from-regulatory-refinement-to-exploitation-of-data-value/.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.