China’s legal framework around data protection and security is governed broadly by three key pieces of legislation: the Cybersecurity Law, which came into effect in 2017, and the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), both of which came into effect in 2021.
Navigating the laws that operate in this space can be complex and there is significant overlap. For example, the Cybersecurity Law covers both hardware equipment and online tools, including internet technologies, and essentially anything that can impact cybersecurity. The DSL is concerned with data that is online, but also other data that is offline in paper or hard copy or any other form. It is also broadly defined to cover data processing activities like collection and storage. The PIPL is principally focused on personal data that could also be in any form, whether physical or not.
Furthermore, some industry regulators in China, such as those governing banking and the life sciences sector, provide specific rules on data use within those industries. With this myriad of considerations, we examine some key takeaways from recent legislation and actions to consider when navigating data protection in China.
Under the DSL and PIPL, an organization may be subject to the security assessment measures for cross-border data transfers out of China. Data localization requirements, whereby data that is collected should be processed, and stored within China, can also be triggered in a broad range of circumstances, including whether you are a critical information infrastructure operator (CIIO) or non-CIIO or if you are subject to sectorial requirements (e.g., in the automotive industry). It is possible in select cases that data localization is not required; for example, if you are a non-CIIO handling personal information that does not meet the threshold specified by the Cyberspace Administration of China (CAC).
Generally for cross border transfers, a mandatory CAC-led security assessment is triggered under a recent draft regulation if you are a CIIO or operator that possesses the personal information of over a million users; the data to be transferred includes “important data”; there is an accumulative cross-border transfer of the personal information of over 100,000 individuals or the sensitive personal information of over 10,000 individuals; and additional other scenarios that may be determined by the CAC. Whether the data transfer by a data handler (a concept similar to data controller under the General Data Protection Regulation) triggers a CAC-led security assessment, the data handler is still required to conduct a security self-assessment on its data export and determine against principles that they are justified and necessary before transferring any data outside of thePeople’s Republic of China.
China’s Multi-Level Protection Scheme (MLPS) has seen a series of regulatory updates and changes in recent years. It is in place to identify the nature of systems deployed and data handled in China, and whether and to what extent it could raise cybersecurity concerns. For data, this could depend on the sensitivity of what it relates to—for example, if it is personal health data or the volume of the data that is being handled. The MLPS itself is a tiered certification process, starting with an internal investigation to determine whether the scheme threshold applies and at what level it applies, followed by steps to file this with a local Public Security Bureau (PSB), leading to an official MLPS certificate.
From a compliance perspective, it is important to have a robust internal data mapping process in place to evaluate what systems you have in China and what kind of data that system is going to handle and process. This will lead to a greater understanding of the level of certification required so potential compliance obligations and any associated costs can be taken into account.
Under the PIPL, companies should conduct a personal information protection impact assessment (PIPIA) before performing the following range of data processing activities: processing sensitive personal information; using personal information to conduct automated decision-making; entrusting third parties to process personal information; providing personal information to third parties or publishing personal information; providing personal information abroad; and other personal information processing activities that will impose a major influence on individuals.
Again, a key theme is the internal review process to ensure that the potential risk and exposure to what might be triggered when conducting certain data processing activities is analyzed.
If you are interested in New Data Privacy and Data Security Laws in China, we invite you to subscribe to Morgan Lewis publications to receive updates on trends, legal developments, and other relevant areas.