While the world was rushing to meet the EU’s General Data Protection Regulation (GDPR) 2018 deadline, China released the Cybersecurity Law (CSL) in June of 2017. This law laid out broad principles for China’s cyber governance but left key questions of implementation and scope rather vague. Over the past two years, China has issued follow-up measures and standards to address these gaps.
Most notably, in February 2019, China’s National Information Security Standardization Technical Committee (TC260) released a set of amendments to the Information Technology – Personal Information Security Specification (“Specification”) portion of the CSL. While the Specification is not legally binding, it is a respected national standard and used across the country to benchmark data protection efforts. In late May, the Cyberspace Administration of China also released draft Measures for Data Security Management, which are open for comment until the end of June 2019. If passed, these measures will share similar requirements with the Specification.
Companies with operations both inside and outside China face significant challenges as they seek to implement processes, policies, and technologies that align with regulations like the GDPR while also meeting the requirements of China’s data protection framework. In this post, we’ll take a closer look at China’s Specification, its recently proposed amendments, and how the Specification aligns with the new data protection gold standard: the GDPR.
A Look at China's Cybersecurity Law (CSL)
Before the Cybersecurity Law (CSL), China did not have a single data protection framework; rather, rules relating to personal information protection and data security were scattered across various laws and regulations. When the CSL went into effect, it became one of the most authoritative national laws protecting personal information.
The CSL was announced just 6 months after the GDPR in 2016 and shares a number of similarities with it: 1) it aims to consolidate and govern the country’s data-related regulations under one inclusive act; 2) it has strict controls around online activities; and 3) it institutes mandatory requirements on breach notifications, the appointment of a head of cybersecurity, and enforcement procedures.
However, while the GDPR applies to all companies that handle the data of EU residents, regardless of where they are located, the CSL only applies to companies providing services or operating business through a computer network in China.
The CSL comprises six systems, which work together to create a framework that governs information and communication technology. This framework regulates how organizations handle digital information and outlines methods for safeguarding Internet systems, products, and services against cyberattacks.
China's National Standard: The Specification
The Specification falls under the Cybersecurity Law’s fourth system and sets out China’s best practices for the collection, storage, processing, and sharing of sensitive information. This 35-page standard was issued by the National Information Security Standardization Technical Committee, under the leadership of the Cyberspace Administration of China, in May of 2018. The Specification provides clarity on what is expected of personal information protection and compliance programs in China.
While it is not mandatory, Chinese authorities have relied on it to assess whether a company has met the requirements found under the CSL. The Chinese government also refers to the Specification when conducting reviews and approvals, creating a strong incentive for companies to adopt its standards.
New Amendments to China's Specification
Just months after the Specification was implemented, amendments were issued to supplement and refine the existing guidelines for protecting personal information. These draft amendments reflect Chinese regulators’ thinking on important topics like consent, third-party access, and the personalized display of content (e.g., targeted advertisements and search results). The newly proposed amendments include the following:
- Companies are required to record the lifecycle of all data, including processing activities, categories, and sources, and each organization and individual involved.
- Companies must disclose their collection practices, security controls, and any information on cross-border data transfers.
- Companies are prohibited from repeatedly asking for consent, suspending functions, or lowering their service level in order to encourage consent from users who have previously refused or opted out.
- Companies must inform individuals about the differing levels of consent required for “basic” vs. “extended/additional” business functions via an interface (e.g., pop-up window, notification bar, written description, etc.).
- Where a third party collects personal information through the company’s service or product, the company must supervise and manage that third party’s access.
- Individuals must be able to opt out of a given function just as easily as they opted in.
Complications with China's Specification
Although the Specification is a part of the Cybersecurity Law, many contradictions and ambiguities can be found between the two. First, the concept of “consent” differs to some degree in the CSL and the Specification. While the Specification requires explicit consent to collect sensitive personal information, the CSL does not clearly define consent. Therefore, if a company collects sensitive personal information without explicit consent, it is unclear whether this would be grounds for enforcement.
In addition, the Specification instructs organizations to obtain consent and to delete user data upon request, but the CSL requires them to retain such data so that government agencies can avoid complicated investigations, if needed. This inconsistency leaves room for selective and arbitrary enforcement based on interpretation and potentially varying political circumstances. With penalties ranging from monetary fines to imprisonment, companies need a clear understanding of how to align with these conflicting guidelines.
China's Specification and the EU's GDPR
Predicated on the EU’s General Data Protection Regulation (GDPR), China’s Cybersecurity Law and its Specification attempt to set the standard for a more government-regulated, formal approach to data protection.
Data Protection Authority
Unlike the EU under the GDPR, China has no Data Protection Authority. The Chinese government has not indicated who will act as a formal authority for data protection.
Ownership and Control of Personal Information
Under the GDPR, individuals are able to hold companies accountable for how they gather, store, and manage their personal information. The CSL, however, gives ownership and control of an individual’s data to the government. So, while consumers must be informed about what organizations are collecting, processing, and sharing, their control over their personal information is more limited than under the GDPR. Businesses operating in China must also understand that the data they collect can be searched and seized by a government body, since the data falls under the government’s purview.
When it comes to consent, the Specification can be interpreted as less restrictive than the GDPR. The GDPR states that consent must be explicit, given by a clear statement or other affirmative action; implied consent is not acceptable. The Specification says the same. However, the Specification uses the term “explicit consent” only in certain circumstances, which leaves room for “implied or silent” consent to be read into other instances.
The Specification has more specific requirements than the GDPR for the information that must be included in privacy notices (e.g., the security risks that may exist after providing personal information and the obligations of each party). Information cannot be left out of a notice even if the individual has access to it from other sources, unlike the GDPR, which allows this exception when an individual already has such information. Privacy notices must be delivered to individuals directly, or by public announcement if the cost of doing so becomes too high.
Definition of Sensitive Information
Sensitive personal information under the Specification is defined more broadly than under the GDPR. Rather than being limited to specific categories of data, as under the GDPR, the Specification treats as sensitive any personal information that would cause harm to a person, their property, reputation, or mental and physical health if lost or abused.
Data Breach Notifications
Under the Specification, a company is not required to notify individuals of every data breach incident, whereas the GDPR encourages transparency and has detailed breach notification requirements. Under the Specification, a company needs to issue a notification only if a breach would substantially impact an individual (e.g., if sensitive personal information was disclosed).
Cross-Border Data Transfers
Both the GDPR and the Specification require consent to be obtained for cross-border data transfers, but China adds a further step before data can be transmitted outside of the country: the company transmitting the personal information outside China must complete a two-tiered security risk assessment. This security assessment is an internal self-certification process documented in a written report, and it is meant to ensure that the transfer of data is lawful, legitimate, necessary, and protected.
Vendors and Third Parties
Like the GDPR, the Specification requires companies to conduct risk assessments to ensure a third party has adequate security before providing it with personal information. Companies must also supervise these third parties by performing comprehensive audits. Although quite similar to the GDPR’s regulations, the Specification adds broader obligations for third parties, requiring them to notify companies when they are unable to offer an adequate level of security. Under both the GDPR and the Specification, third parties have to notify companies after a security incident or breach.
Under the GDPR, it is recommended that collected data be stored in GDPR-compliant locations, but this is not a strict requirement. The opposite is true in China: under the CSL, personal information or important data collected in China must be stored solely in China.
Companies that violate the CSL can face fines of between 50,000 and 500,000 RMB (7,500 – 75,000 USD), the required shutdown of the company’s website, and revocation of business licenses or permits. Personnel who were directly in charge can receive individual fines of between 10,000 and 100,000 RMB (1,500 – 15,000 USD). Network operators are subject to imprisonment of 5 to 15 days for violating certain provisions. These monetary fines are significantly smaller than those under the GDPR, though the GDPR does not impose imprisonment or penalties on individuals.
The Specification has been an important guide to understanding privacy and data protection in China. Although the Specification is not mandatory, it is valued by companies and enforcement authorities alike. As concern for data protection grows, this regulation will likely set a precedent that shapes internal legislation and motivates other countries to consider a national standard of their own in order to encourage better data protection for their residents. While it is unclear which of the new amendments will be passed, or how many more will be issued to address the ambiguities, China’s Specification has the potential to rank alongside the CCPA and the GDPR in the near future.