China’s cybersecurity and data privacy frameworks are facing yet more significant changes, as the Chinese Government recently announced two further initiatives. These are in addition to the significant legal developments that were announced in July 2016, including (i) the Draft PRC Cybersecurity Law, (ii) the “Provisions on Administration of Information Services of Mobile Internet Application Programs” released by the Cyberspace Administration of China, (iii) new rules for online searches and advertising, and (iv) proposals in draft rules to accompany a draft Civil Code, which include data as a type of intellectual property.
Strengthening the Standardisation of National Cyber Security
On 22 August 2016, the Cyberspace Administration of China (“CAC”), the General Administration of Quality Supervision, Inspection and Quarantine of China and the Standardization Administration of China jointly issued an official comment, the Several Opinions on Strengthening the Standardization of National Cyber Security, which demonstrates an intention to standardise cybersecurity regulations and practices in China.
This is an interesting move away from the current patchwork of different cybersecurity (and data privacy) rules in China, with standards varying between industries and regulators, towards a more comprehensive national framework. There appears to be an intention to move towards mandatory national and industry standards in relation to network security, equipment and communications, but details have not yet been published.
The statement also indicates that there will be more of an alignment with international cybersecurity standards, perhaps demonstrating that China is keen to build influence over the development of international rules and standards for the Internet, and also that it is responsive to foreign concerns that have been expressed in recent months and years regarding China’s national focus on cybersecurity. Indeed, earlier this year, the CAC for the first time opened up its Technical Committee 260, which was originally mainly composed of Chinese officials and domestic technology companies, to selected foreign companies including Microsoft and Cisco. International businesses will no doubt be hoping that harmonisation between national and international cybersecurity standards might afford them greater opportunities in the Chinese market.
Enhancements to Data Privacy Laws Applicable to Personal Data of Consumers
The State Administration of Industry and Commerce published for public consultation the Draft Regulations on the Implementation of the Law on the Protection of the Rights and Interests of Consumers (the “Draft Regulations”). The Draft Regulations propose strengthening the existing regime protecting personal data of consumers under the PRC Consumer Protection Law and associated measures. Proposed amendments in the Draft Regulations include:
- expanding the definition of personal data to include “identifying biological characteristics”;
- imposing a requirement for business operators to follow the principle of necessity when collecting and using consumers’ personal information, such that the information collected needs to be related to their business operations;
- requiring business operators to retain for at least five years supporting documents that can prove that they have fulfilled their obligations to inform and obtain consent from consumers regarding the collection and use of consumers’ personal information; and
- requiring business operators to notify consumers in a timely manner of, and take remedial measures in case of, any actual or anticipated loss or disclosure of consumers’ personal information.
In light of these and other recent developments, international organisations doing business in China are strongly advised to keep the rapidly evolving Chinese compliance environment under review.