Special obligations for processors of important data

In addition to the above protection scheme, the draft Regulations require processors of important data (including those processing personal data of more than 1 million individuals) to comply with the following special obligations:

• Designating a DPO with an appropriate background and level of experience, and establishing a data security management team led by the DPO.
• Filing with the local CAC at the city level within 15 business days after they determine that data is important data (in other words, they are processor of important data), which will include the DPO’s basic information such as the DPO’s contact information, the purpose of processing as well as the scale, the type of data processed, the retention period, and where the data is stored (and if there is a major change in the information on file, the processor must update the record on file).
• Arranging trainings on data security for all personnel annually and any technical or management personnel working on data security must receive training for at least 20 hours a year.
• Conducting an annual security assessment, either through a self-assessment, or by a qualified third party, and submitting the annual assessment report to the local CAC by 31 January of the following year.
• Obtaining consent from the local supervising authority (if any) for the industry concerned or the local CAC before engaging in the sharing, trading, or processing through third parties of important data.

It remains to be seen whether the final version of the draft Regulations will keep all of the above obligations, but if it does, it would impose a higher standard of compliance on processors of important data.

Special obligations for online platform operators

Under the draft Regulations, an online platform operator is defined as a platform that provides information publishing, social network, online transaction, online payment and online audio/video services.  Online platform operators are subject to stricter data protection responsibilities. In particular:

• They must disclose their terms and privacy policies and the algorithms they use.  Where there are any changes that would cause significant impact to the users’ rights and interests, they must seek public comments for at least 30 business days and publish how the public comments have been considered and incorporated into the final versions and why other comments were rejected.  For online platforms with more than 100 million daily active users, the provisions of, and any such material amendments to, their terms and privacy policies must also be reviewed and assessed by a third-party institution designated by the CAC and approved by the local counterparts of the CAC and Ministry of Information and Technology (MIIT) at the provincial level.
• They are responsible for any third-party products and services appearing on their platforms (such as application programming interfaces (APIs) and software development kits (SDKs)) and users may directly request compensation from the online platform operator for any damage caused by such third-party products or services.
• Large-scale online platform² operators must engage third parties to conduct annual security audits and publish the audit results.
• They must not take advantage of data to discriminate among different classes of users (e.g., providing products under different prices or transaction terms without valid reasons), or to mislead, defraud or coerce users and process their data against their true intention and will, or to prevent mid or small scale companies from legitimately obtaining their data.

Prohibited activities

The draft Regulations set out certain compliance “red lines” by listing the following as prohibited data processing activities and further clarify that any support for such prohibited activities by providing technologies, tools, programs, advertisement or marketing, and/or payment/settlement services for these is also prohibited:

(i) data processing activities that cause detriment to the state’s national security, honour and interest or would divulge state secrets and/or work secrets;

(ii) data processing activities that infringe others’ reputation, privacy, copyright and other legitimate rights and interests;

(iii) obtaining data by theft or other illegal means;

(iv) selling or providing data to others in an illegal manner;

(v) producing, publishing, replicating and/or broadcasting illegal information; and

(vi) other acts that are prohibited by national laws and administrative regulations.

Data incident reports

Although the CSL and DSL already require the data processor to report data breach incidents, it is unclear when and how to perform such reporting obligations.  The draft Regulations provide more detailed procedures and timelines for notifying and reporting data breach incidents under the following scenarios:

Network security assessments

The draft Regulations create a new type of regulatory approval required by the CAC (‘network security assessment’) in case of the following:

• any merger, restructuring or divestiture of an online platform operator that holds significant data resources concerning national security, or the nation’s economic development or public interests where this affects or could affect national security;
• offshore listing by personal data processors that process the data of more than 1 million individuals;
• listing in HK by the data processor, where this affects or could affect national security; and
• other data processing activities that affect or could affect national security.

The CAC has the discretion to determine whether any of the relevant activities could affect national security.

Companies that conduct business through networks should pay special attention to the new network security assessment requirement and we strongly recommend that they prepare for this early on, so as not to delay or hinder any plans for corporate restructuring, financing or listing.

As regards the merger, acquisition or restructuring of a data processor that processes important data, or the personal data of more than 1 million individuals, a report to the local supervising authority or the local CAC must be made.

Takeaways

The draft Regulations demonstrate the resolve and commitment of the CAC in maintaining data and network security of important systems in China, by further strengthening the supervision and control over important data processors and online platform operators, in addition to personal data processors.  As part of gearing up for this law, it is recommended that:

• Companies conduct internal reviews and analyses of the data that they process to identify whether any data might be considered important, or whether they process personal data of more than 1 million individuals.
• Companies operating online platforms conduct security audits on third party services and products on their platforms, and review all applicable terms, privacy policies and algorithms to ensure that their services and products do not raise concerns relating to discrimination or unfair competition.
• Companies consider setting up a local data protection team to deal with the upcoming legal requirements (and in particular the annual reports and security assessments as outlined above).

1. Both definitions refer to data concerning state security, lifelines of state economy, critical livelihood of the public and significant public interest.
2. On 29 October 2021, the State Administration for Market Regulation issued the draft classification guidelines for online platforms, which provide for super, large and mid/small scale online platforms. A “large-scale online platform” is defined as (i) having a large volume of users (i.e., no less than 50 million active users in China in the preceding year); (ii) having a major business sector with outstanding performance; (iii) having a market value of no less than RMB 100 billion as of the end of the preceding year; and (iv) being in a relatively strong position to prevent merchants on the platform from gaining direct access to end consumers.

Client Alert: 2021-3030