In the past ten days, the Cyberspace Administration of China (“CAC”) released two important draft rules, the Measures of Cybersecurity Review (网络安全审查办法(征求意见稿)) and the Measures of Data Security Management (数据安全管理办法(征求意见稿)), seeking public comments. (DigiChina of New America has translated both of them into English: here and here.) Within China’s law hierarchy, a title with “Measures” generally indicates a legally binding effect. These two draft rules continue to fill in the gaps left by China’s Cybersecurity Law regarding the security review for the Critical Information Infrastructure operators (“CII operators”) and personal information handling, though vagueness and uncertainties still remain in many critical areas.
In this post, I am highlighting some points I think interesting and also signaling certain trends.
Cybersecurity Review (for CII operators and beyond)
The draft Measures of Cybersecurity Review (“CR Measures”) were released on May 21, primarily targeting CII operators, which in China are subject to a set of more stringent legal obligations. For example, according to the Cybersecurity Law Article 35, CII operators are required to go through a security review before any purchase of cyber-related products and services which may impact national security. Without more details provided by the Cybersecurity Law, these new draft CR Measures elaborate on what this review process would look like.
While CII operators are subject to heightened legal requirements under the Chinese cyber governance regime, the definition and scope of CII is yet to be clarified by the regulatory authority. In July, 2017, the CAC published a draft of CII-focused regulation attempting to clarify the scope of CII operators, but at the time of writing, this regulation is still pending. The new draft CR Measures tactfully avoid to tackle this problem, describing in Article 18 that the CII operators would be those operators so identified by the government department in charge of the work related to CII protections.
It is worth noting that the CR Measures will not only apply to CII operators. Article 19 grants the government authority discretion to enforce security review for any cyber-related product/service purchases or information technology service activities which can or may impact national security, which can be interpreted very broadly, particularly in light of the extremely broad scope of China’s National Security Law.
A dozen government agencies in charge of various industries would participate in the review process, under the leadership of the Central Cyberspace Affairs Commission (中央网络安全和信息化委员会), which leads the CAC. Article 5 lists all the participating agencies, covering areas of national security, industrial development, internet governance, public security (police), commerce, finance, market administration, and telecommunications. A separate organ – the Cybersecurity Review Office (网络安全审查办公室) – set up within the CAC will be the primary lead to implement the review system and handle the initial review, followed by a secondary review conducted by other participating agencies. The whole review process normally is set to be completed within 45 workdays, but can be extended by another 45-60 workdays or even longer for “complicated situations.”
A highlight comes in Article 10, which stipulates that the review will be focused on national security risks. Digging deeper into the listed factors which would be considered, it reveals that the review will not be limited to technical check – political elements will also play a significant role. The listed factors are:
- the impact to CII operations;
- the possibility of leakage, loss, destruction, or outbound transfer of a large amount of personal information and important data;
- the controllability, transparency and supply chain security related to products and services (such as whether the supply may be interrupted due to political, diplomatic or trade factors);
- the impact to techniques and industries related to national defense and CII;
- the law compliance performance of service/product providers;
- whether foreign governments sponsor or control the service/product providers; and
- other elements which may endanger CII security and national security.
Data Security Management
The draft Measures of Data Security Management (“DS Measures”) were released one week later, on May 28. They provide intensive requirements across the whole life cycle of data, with a few addition on content regulations.
Subject to China’s Cybersecurity Law which hinges the legitimacy of data collection entirely on consent (more detailed analysis in my earlier post), the draft DS Measures allow network operators to collect personal information only after obtaining a well-informed, expressed consent. In a sea of detailed requirements, I want to highlight Article 11, which distinguishes “core business function” from others. The provision requires companies must provide the services of a “core business function” as long as the data subject has given consent to the collection of their data that is necessary for the operation of such services, and cannot deny such services if the user does not give or withdraws consent relating to the data collection for other functions.
Actually, this is not the debut of “core business function” in China’s privacy law regime. The concept appears in China’s Personal Information Security Specification (个人信息保护规范) (“Specification”), a soft law without legally-binding effect but exerting a strong impact on companies operating in China, as a contextual element for sensitive information collection. Then it gets strengthened – but under a different name “basic business function” – in the latest proposed amendment of the Specification (the Chinese version is here). Both the Specification amendment proposal and the draft DS Measures seek to apply different levels of consent requirements on data collection, asking “is the data collection for a core/basic business function service, or not?” In addition, both exclude service improvement, user experience enhancement, and R&D from the core/basic business category, which means that companies may find it more limited to collect and use personal information for these needs.
Another point to highlight is that a heightened set of legal obligations would be triggered if a company collects “important data or personal sensitive information.” Under the draft DS Measures, to collect these data, the company should register to a local cyberspace administration department with a disclosure of related data practices (Article 15). The company also needs to appoint a data security officer – a role similar to the DPO under the GDPR – to establish and implement a data protection system, conduct risk assessments, report to regulatory authorities, and handle user complaints (Articles 17, 18).
The draft DS Measures define “important data” as the data that, if leaked, may directly influence national security, economic security, social stability, or public health and security, such as non-published government information, [information related to] a large scale population, genetic and health data, geographic data, and [information related to] mineral resources; the definition generally excludes operational and internal administrative data of companies, and personal information.
But it does not define “personal sensitive information.” Considering the implicated significance of this concept, a relevant definition is expected to occur in the final version. Meanwhile, the currently implemented Specification defines this term, which may provide a useful reference:
“personal sensitive information” refers to “the personal information that once leaked, illegally provided, or abused, can threaten personal and property security, and/or extremely easily cause reputational damage, physical and mental health damage, or discrimination,” including “identity card numbers, biometric information, bank account numbers, communication records and contents, property information, credit information, location data, accommodation information, health and physiological information, transaction data, and the personal information of children (14 years of age or under).”
The DS Measures also seek to restrict the delivery of personalized news feeds and targeted advertising (Article 23) that are generated by algorithms and user data. Network operators are required to display an obvious label “定推” (targeted push) on the content to indicate the feature of personalization, allow users to opt out, and delete relevant data including device identifier code immediately after users opt out. Interestingly, the next provision (Article 24) addresses a novel issue – AI-generated content. Similarly, a label marked with “合成” (synthesis) is required to be displayed with the content disclosing that this information is synthetic. And the content synthesis cannot be made with the purpose of seeking profits or damaging others’ interests.
I will do more analysis when the final rules are settled. Stay tuned.
