The year 2021 proved to be a milestone for data protection and cybersecurity in China. Most notably, the Personal Information Protection Law (“PIPL”) and the Data Security Law (“DSL”) came into force in September and November respectively. The PIPL, the DSL and the Cyber Security Law (“CSL”) together represent the “troika” of the Chinese data protection and cybersecurity regulatory framework. Beyond the troika, implementing rules have sprung up, and the gloves are coming off in enforcement. As we are heading into 2022, what are the new challenges for businesses? Let’s take a closer look at these developments and what we can expect from them in the year 2022.
In this second article, we will set out highlights of the year and 2022 predictions in terms of data security, cybersecurity as well as sectoral development. Click here if you missed our first article where we gave an overview of the overarching data protection and cybersecurity regulatory framework in China and development in personal information protection.
Part III. Data Security
1. Regulatory developments
We saw further developments in identification and protection of important data, multi-level data classification system, and data security review regime and its impact on overseas listings, which all have been prompted by the DSL coming into force.
1) The PRC Data Security Law
The DSL was officially adopted by the National People’s Congress Standing Committee on 10 June 2021 and took effect on 1 September 2021. Key highlights of the DSL include
(i) enhancing protection of important data, e.g. risk assessment, data security officer appointment, multi-level classified data protection regime, important data export rules, and creating a new category of data that will be afforded protection of even higher level compared with important data, namely core data;
(ii) proposing to establish a data classification system;
(iii) strengthening data security protection obligations of data processors, e.g. risk monitoring and data security incident report system;
(iv) imposing measures affecting foreign-related persons, e.g. national security review, export control, countermeasures against unfair treatment, approval on data request by foreign judicial or law enforcement bodies; and
(v) encouraging publication and use of government data. Companies doing business in China should take active and prompt actions to assess whether and how the DSL applies to their data processing activities within and outside China, and what data security governing measures they should further put in place. (click here for our views on the DSL)
2) Enhanced protection of important data
The term “important data” along with restrictions on its processing was first introduced into law by the CSL effective in 2017, whereby operators of critical information infrastructures operators (“CII”) are required to localise important data and go through a governmental assessment before exporting any important data. The CSL is followed by draft regulations and guidelines attempting to define and regulate important data.
The DSL imposes a series of protection obligations on all data processors processing important data but fails to define important data. However, the DSL provides that the state will coordinate the regional and sectoral regulators to issue catalogues of important data, which are applicable to relevant sectors and industries.
Notably, a draft non-mandatory guidance for identifying important was officially released by the National Information Security Standardisation Technical Committee (“TC260”) on 13 Jan2022 for public consultation. The draft defines important data as electronically-recorded data that if destructed, altered without authorisation, leaked, illegally obtained or used may harm nationally security and public interest, and sets out the factors that should be considered in identifying important data.
The Ministry of Industry and Information Technology (“MIIT”) published the draft Administrative Measures of Data Security in Industry and Information Technology (“MIIT Data Measures”) on 30 September 2021, which is the first draft implementing rules of the DSL released by sectoral regulators. The draft MIIT Data Measures set out the criteria for identifying important data and core data and purport to establish a filing system for processors important data and core data. The MIIT and its local branches will publish catalogues of important data and core data in the sector at central and local levels respectively.
3) Multilevel data classification system
The DSL proposes to establish a multi-level classification data protection system but goes no further than indicating that the level of a particular type of data will be determined by the “harm that an unauthorized alteration, destruction, leak or illegal use or acquisition will inflict upon national security, public interest or the legal interest of individuals or organisations”.
It also appears under the DSL that important data will be one of the levels in the system. This is later confirmed by the draft MIIT Data Measures, which states that industrial and telecom data will be divided into three levels, namely ordinary data, important data and core data. The draft also provides that data should be classified by the needs of the industry, operation, and data source and uses. As such, the draft divides data into the following classes, including without limitation research data, production and operation data, management data, maintenance data, business service data and personal information. The draft MIIT Data Measures have provided us with a valuable insight into the data multi-level classification data protection system to be established under the DSL and may set a precedent for regulators that are obliged to establish the system in their respective sector.
TC260 published a non-mandatory technical guidance on how to identify the level and class of data on in December 2021. This guidance confirms that data will be divided into three levels, i.e. ordinary data, important data and core data. Notably, it further divides ordinary data into 4 different levels and provides more details on the process of identifying the level of particular types of data. On classifications, the guidance also provides for the considerations and process for classification and sets out the classes of particular types of data. The technical guidance will serve as a useful reference for data processors implementing the system.
4) Update of data security and cybersecurity review regime
On 28 December 2021, the Cyberspace Administration of China (“CAC”), jointly with 12 other ministries, issued the revised Measures of Cybersecurity Review (“Cybersecurity Review Measures”), which was made public on 4 January 2022 and will take effect on 15 February 2022. The Cybersecurity Review Measures extend the scope of cybersecurity review from procurement of network products and service by CII operators to also include data processing activities by network platform operators that impact or may impact national security. In particular, network platform operators that intend to list outside of China will now need to apply for cybersecurity review over their listings if they process personal information of over one million users. (click here for our views)
The cybersecurity review on data processing should be regarded as part of the data security review regime under the DSL which authorises authorities to conduct national security review over data processing activities that impact or may impact national security. DSL proposes to establish a data security review regime. However, the authorities may publish further regulations on the data security review regime.
2. Enforcement developments
Enforcement on data security had remained relatively inactive in the past until early July 2021 when the Cybersecurity Review Office of the CAC issued announcements to initiate cybersecurity reviews on three internet companies that just launched their IPO in the United States in the previous month, namely Didi, Manbang and Boss Zhipin. Outcomes of these cybersecurity reviews were yet to be published. During the review period, Didi’s mobile apps were removed from app stores and suspended from new user registration.
The main issue with the decision is that at the time when the CAC initiated cybersecurity review foreign listings of network platform operators were not in the scope of cybersecurity review yet. This has given rise to the speculation that the revised Cybersecurity Review Measures are a retrospective attempt to provide a legal ground for the decision issued earlier to initiate cybersecurity review.
3. Outlook for 2022
More sectoral regulators to publish regulations to implement the DSL, in particular, the multi-level data classification systems in their respective sectors together with catalogues of important data to be released in certain sectors. Despite that the scopes of CII, core data and important data are yet to be specified under the current laws and regulations, the CAC may still elect to enforce some the DSL and the Cybersecurity Review Measures where they consider that national security or interest is harmed. Once the implementing regulations come into force, we expect to see increased enforcement actions.
Part IV. Cybersecurity
1. Regulatory developments
1) Strengthened CII protection
The Regulation on Critical Information Infrastructure (CII) Security Protection (“CII Regulation”) took effect on 1 September 2021. The regulation authorises sectoral regulators to formulate the rules for identifying CII and identify CII within their respective sectors. The CII Regulation highlights a few “important industries and sectors” where CII will be identified, including public communications and information services, energy, transport, hydraulic engineering, finance, public services, e-government, and defence technology industry.
In making the rules, the Protection Departments will take into account the following factors, including:
(i) the importance of the network infrastructure and information systems to the key or core operation of the relevant industry or sector;
(ii) the level of harm on the network infrastructure and information systems in the event of destruction, loss of function or data leakage; and
(iii) any consequential impact on other industries or sectors.
Once the CII is identified, the sectoral regulators must notify the operators and the Ministry of Public Security. However, as of the date of this report, there is very little public information regarding whether any CII operators have been identified and, if so, who they are. (click here for our views)
2) Network product security vulnerability management
The Regulation on Network Product Security Vulnerability Management was released by the MIIT, CAC and MPS joint on 12 July and took effect on 1 September 2021. The regulation requires network product and network operators, network operators and platforms collecting security vulnerability information to establish channels to receive information about security vulnerability, verify vulnerabilities and take necessary remediation measures in a timely manner. The operators are also required to report vulnerabilities to the MIIT within 2 days and provide technical support to users.
The regulation also sets out requirements for platforms engaged in the business of collecting and publishing network vulnerability information. In particular, the platforms are prohibited from disclosing technical details of vulnerabilities in specified circumstances and are required to make a filing with the MIIT.
2. Enforcement developments
Enforcement actions against violations of cybersecurity regulatory requirements in 2021 were active. Compared with the actions taken in the previous years, the focus had gradually been shifted from fighting against cybercrimes and illegal trading of personal information to the failure of implementing cybersecurity compliance obligations.
We have seen network operators being penalized for failure to formulate internal cybersecurity management rules and protocols, implement data backup and encryption measures, monitor information distributed on platforms, appoint personnel responsible for cybersecurity matters, implement applicable technical standards, make corrections in time after receiving warnings from the authorities, or monitor the online traffic or taking effective measures to remediate network vulnerabilities may all attract the enforcement attention of the authorities.
We set out below several examples of enforcement actions in 2021.
3. Outlook for 2022
Sectoral regulators are expected to formulate rules for identifying CII in their respective sectors and notify the operators whose information infrastructure is identified as CII. and Moreover, the CAC and sectoral regulators lay down more detailed requirements and obligations for CII operators, which will pave the way for enforcement.
The core regulation governing the MLPS regime under the CSL, i.e., the Regulation on the Cybersecurity Multi-level Protection Scheme, is still in a draft form since its public consultation in June 2018. At present, the implementation and enforcement of the MLPS scheme is still based on the obsolete regulations published in 2007 supported by recommended technical standards published since 2017. We hope that the new regulation will be published in 2022 set out the procedures and requirements for MLPS under the CSL.
Part V. Sectoral Developments
China took a series of moves to regulate intelligent and connected vehicles (“ICV”) in 2021. As the first sectoral regulation targeted at data security after the DSL, six ministries, amongst which CAC, MIIT and MPS, published the Interim Provisions on Automotive Data Security Management (“Auto Data Regulation”), effective on 1 October 2021, covers a wide range of players processing vehicle-related data and has begun to show its far-reaching impact on the industry. (See our view here). For example, to implement the annual report requirement under the Auto Data Regulation, local CACs in Shanghai, Guangdong, Tianjin, and Hebei CACs released notices in December 2021 requiring auto data processors to submit their annual reports concerning auto data security management.
Cybersecurity and data protection have become top of MIIT’s agenda in regulating ICV. In June 2021, the MIIT published a guidance for establishing a framework of cybersecurity standards for ICVs. In an official opinion published on 30 July 2021, the MIIT made data and cybersecurity one of the market entry requirements for ICV manufacturers and products and issued a notice requiring ICV manufacturer to conduct self-evaluation for data and cybersecurity. One month after the publication of the Auto Data Regulation, the MIIT issued a notice to urge local telecom regulators, telecom carriers, ICV manufacturers and service providers and standardisation organisations to strengthen data and cyber security.
TC260 also issued a number of national standards in 2021, such as the Security Guidelines for Processing Vehicle Collected Data , addressing auto data transmission, storage, export and other requirements.
We expect to see more enforcement and inspection of MIIT over ICV manufacturers and those that process automotive-related data in China in 2022.
2. Financial industry
As a highly regulated industry, the finance industry also saw some interesting developments in respect of data protection and data security in 2021. For instance, further to the personal information protection impact assessment under the PIPL and data security assessment regime under the DSL, TC260 issued the Financial Data Security – Data Security Assessment Specification in December 2021 for public consultation, aiming to provide guidance on assessment on financial data from the perspectives of security management, security protection and security operation and maintenance. The Credit Reporting Business Administrative Measures was released in September 2021 and came into force on 1 January 2022. The measures focus on the protection of personal information and set out guidance on the collection, storage, processing, provision and use of credit information.
In terms of enforcement, we have seen a number of banks and their personnel being penalized by the CBIRC and People’s Bank of China for various violations relevant to personal information and expect to see more enforcement actions in 2022.
With the enhanced promotion of “healthcare big data” and “internet+ medical health” initiatives in China, data protection and security has attracted increasing attention in the healthcare sector. In the context of massive health data being used for commercial purposes, the Guide for Health Data Security issued by TC260 took effect on 1 July 2021, which details the recommended guidance on data classification, data governance and data security measures through the whole healthcare data lifecycle.
During the COVID-19 pandemic, increasing penalties were imposed on physicians or other hospital staff who intentionally disclosed personal information of infected persons and their close contacts without authorisation. These penalties include not only warning orders and monetary fines but also administrative detention of the relevant persons who violated the law.
While the health and drug authorities have not been very active in the past, they may step up their legislative and enforcement efforts in 2022 to implement the PIPL and DSL in their sector.