China Data Protection Update

In the rapidly evolving data protection environment in China, there has been some helpful (but unfortunately still limited) clarification around two areas of uncertainty.

New Cybersecurity Strategy Gives First Guidance on Application of PRC Cybersecurity Law

Following the recent enactment of the PRC Cybersecurity Law (“Cybersecurity Law”), China’s Internet regulator published the country’s first National Cyberspace Security Strategy (“Strategy”) on 27 December 2016. The Strategy offers few fresh initiatives but summarises goals within the Cybersecurity Law and other recent regulations. In particular, the Strategy emphasises the strategic need to safeguard key information infrastructure operators (“KIIOs”).

A KIIO is defined in the Strategy as an operator of “information facilities that have an immediate bearing on national security, the national economy or people’s livelihoods such that, in the event of a data leakage, damage, or loss of functionality, national security and public interest would be jeopardized”. This aligns with the definition in the Cybersecurity Law, and indicates the potential impact of a security breach is a key factor in determining who will be considered a KIIO.

Further, while the Cybersecurity Law listed “public communications and information service, energy, transportation, hydropower, finance, public service, e-government and other critical information infrastructure”, the Strategy clarifies this by:

  • listing “basic telecommunications networks that provide public communications, radio and television transmission and other such services” to expand on the definition of “public communications” operators;
  • noting that important information systems in sectors and State bodies in the additional fields of “education”, “scientific research”, “industry and manufacturing”, “medicine and health” and “social security” will also be caught; and
  • identifying that “important Internet application systems” will also be deemed to be KIIOs. Unofficial reports suggest that this is intended to catch popular apps such as Taobao and WeChat, which have millions of daily users potentially affected by a security breach.

Unfortunately, it remains unclear whether all organisations within these specified industries will automatically be KIIOs if they operate networks (and potentially even just a website) in China. Further, other key uncertainties under the Cybersecurity Law (including the definitions of “network operator” and “important business data”) remain.

Draft Regulations Protecting Minors Online

The State Council has published for public consultation draft Regulations on the Protection of the Use of Internet by Minors (the “Draft Regulations”). “Minors” means Chinese citizens under the age of eighteen. In particular, the Draft Regulations propose additional data protection obligations, with which “network information service providers” (which appears to catch anyone operating websites or processing online data in China) would need to comply.

Some of the key provisions include:

  • Proactively reviewing sites/platforms and, if any content is deemed unsuitable for minors, placing prominent warnings before displaying the content. The authorities are encouraged to offer further guidance on how to manage such content.
  • When collecting and using minors’ personal information (ie, information, whether recorded electronically or through other means, that when alone or taken together with other information is sufficient to identify a minor’s identity online), clear data protection notices should be given and the minor’s or their parent/guardian’s consent obtained. This would require “specific privacy policies”, although it is unclear whether this would need to be separate to the general website privacy policy.
  • Online search functions must not display search results that comprise minors’ personal information, and there would be rights to request deletion or blocking of minors’ personal information available online.

So what does this mean in practice?

While some significant uncertainties remain, the Chinese authorities are helpfully seeking to provide more practical guidance and to highlight more concrete steps that organisations need to take when updating their China data protection compliance programmes in anticipation of the Cybersecurity Law coming into force on 1 June 2017. Organisations operating networks and/or doing business online in China should take note, update their policies and practices accordingly, and continue to monitor developments as further guidance is published over the coming weeks and months.

Partner, DLA Piper