Increasingly Complex Legal Regime

Two years after the enactment of the Cybersecurity Law of China ("CSL"), implementing regulations and standards continued to roll out throughout 2019. In the area of personal data protection, a draft regulation on data localization requirements was released in mid-2019: the Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comments). While the CSL imposes a general requirement to conduct a security assessment before personal data collected by critical information infrastructure operators ("CIIOs") is transferred abroad, the draft regulation sets out in detail how that assessment is to be carried out. It supersedes an earlier draft published in 2017, which addressed the cross-border transfer of both personal data and important data. The new draft implies that the export of personal data will be handled separately from the export of important data.

In the area of cybersecurity, 2019 marked the beginning of the so-called "Classified Protection 2.0" era. Classified Protection 2.0 is the cybersecurity protection baseline for network operators and a universal compliance framework under the CSL. It upgrades the previous information security classified protection system (commonly known as "Classified Protection 1.0") with a broader scope of application and further requirements on security levels and compliance steps. A set of standards supporting Classified Protection 2.0 came into force in 2019.

Other important updates include a regulation specifically on the protection of children's personal data, often referred to as the Chinese counterpart of "COPPA", which came into force on 1 October 2019; and the promulgation of the Encryption Law of China, which became effective on 1 January 2020 and will have a bearing on CIIOs' use of commercial encryption.

More Active Public Enforcement

With no single data protection authority in China, public enforcement of data security in 2019 remained polycentric and was substantial in volume. A large share of the enforcement activity concerned personal data protection and was directed at mobile Apps. The four central agencies, the Cyberspace Administration of China ("CAC"), the Ministry of Industry and Information Technology ("MIIT"), the Ministry of Public Security ("MPS") and the State Administration for Market Regulation ("SAMR"), jointly launched a nationwide crackdown on the illicit collection and use of personal data by Apps, which lasted throughout 2019. Beyond the joint campaign, each of the four agencies carried out its own enforcement activities against personal data infringement. In most cases, Apps found to have infringed personal data were ordered by the authorities to rectify the infringement without a penalty. In extreme cases, Apps were removed from app stores for a fixed period of time.

Non-negligible Criminal Enforcement

In 2019, the MPS cracked down on the illegal sale of personal data, which led to a large number of criminal prosecutions. Personal data infringement can attract criminal liability of up to seven years' imprisonment in China. Liability may be imposed on individuals or, where an entity commits the infringement, on the person in charge. Illegal intrusion into computer systems was another significant area of criminal enforcement, typically prosecuted where it caused serious damage to information systems or their databases.

Private Litigation concerning Data

As in previous years, private litigation remained a powerful weapon for large companies contesting access to customers' data, the most prominent example being the dispute between ByteDance and Tencent in 2019. The issue was whether Tencent's permission to link its users' accounts to one app developed by ByteDance could be extended to another ByteDance app. The court held that, under the Anti-Unfair Competition Law of China, ByteDance was not allowed to do so without Tencent's authorization.

Personal data infringement remains a very common type of civil dispute, and 2019 saw some interesting developments. For example, a private action was brought by a professor who claimed that a system upgrade involving the collection of facial data violated the Consumer Rights Protection Law; it is the first civil dispute over face recognition in China. ByteDance was also involved in another civil dispute over whether phone contacts are personal data whose upload requires informed consent.

Sectoral Regime of Data Protection & Cybersecurity

This report compiles the 2019 updates in different sectors, notably life science, finance, retail, transportation and IoT. As noted above, with no single data protection authority in China, sector-specific authorities and their rules are very important for players in each industry, and each sector has its own focus for data security. For example, following the high-profile 2018 case of illegal export of genetic data, the life science industry is distinguished by the categorization of the data involved, such as genetic data, healthcare big data and population data, all of which are likely to be identified as important data and to entail stricter CIIO duties. In the finance and retail industries, by contrast, the emphasis in 2019 remained on personal data protection, though in different ways: with the evolution of the "new retail model", for instance, retailers pay more attention to obtaining informed consent from consumers for their marketing needs. In transportation and IoT, cybersecurity was the central concern in 2019, as reflected in various government policies.

Handling Regulatory Hurdles and Ensuring Compliance

This report also introduces typical business scenarios related to data security and the corresponding compliance issues. Some scenarios are common across sectors and jurisdictions, such as privacy policies, employee privacy, data localization requirements and data breach incidents, but must be tailored to China's CSL framework. Some scenarios are unique to China, for example Classified Protection 2.0 and the use of VPNs, and require an in-depth understanding of the relevant rules and enforcement practices. Others are often strategic business considerations but relatively new from a legal standpoint, e.g. privacy by design, data crawling, data aggregation, and the intersection between big data and competition law. As elsewhere in the world, Chinese law lags behind digital transformation, but we try to provide a big picture of how these issues have been treated in China so far.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.