We have been asked for years how to deal with personal information ("PI") legitimately, but only in the past year has the concern become so obvious, extended to a broader perspective and involving more stakeholders. As the campaign for PI protection swept the world, the anxiety of multinational enterprises operating in China came not only from the allegedly most stringent data protection law, the General Data Protection Regulation ("GDPR"), but also from frequent legislative activity and increased scrutiny from multiple Chinese authorities. Inconsistent standards and practices between jurisdictions gave rise to confusion as well as compliance costs. This article aims to give readers an overview of PI protection in the PRC, grasping the key issues among the complex and complicated provisions from the perspective of cost-efficient compliance. I will first introduce the legal framework of PI protection to clarify the hierarchy of the rules; then review the latest supervisory and legislative activities before analyzing the tendencies revealed by the growing PRC PI protection regime through two recently released instruments. Take-away points for companies on PI security compliance vis-à-vis three types of stakeholders are given at the end of the article.
No harmonized, overarching code has yet been enacted to govern PI in the PRC jurisdiction. Instead, the PI protection regime is hidden in a hierarchy of rules established by laws, national standards and normative documents, in the context of cybersecurity.
At the top of the hierarchy, Article 253A of the Criminal Law prescribes the Crime of Infringing on Citizens' Personal Information, for which the sentence can be up to 7 years in addition to a fine. In particular, it singles out the circumstance in which a person illegally sells or provides citizens' personal information obtained in the course of performing duties or providing services, for which the sentence should be heavier. Nevertheless, to convict the person, a "serious circumstance" is a prerequisite. Nine "serious circumstances" are enumerated under Article 5 of the Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases of Infringing on Citizens' Personal Information. Among them, 500 pieces of information related to personal and property safety meet the minimum threshold for conviction; and if such information is acquired through performing duties or providing services, as mentioned above, the number is halved.
Although the Criminal Law lays down the severest punishments, the current legal framework governing PI is centered on the Cybersecurity Law ("CL"). It not only defines the term "personal information", but also identifies the subjects of obligation (e.g. network operators) and the types of liability. Articles 41 to 44 of the CL specify individuals' rights to request that network operators erase or correct their information, and the obligations network operators bear to protect PI in respect of collection, processing, storage, etc.
However, since the definitions of key terms remain ambiguous and the obligations are stated only in general terms, considerable uncertainty remains in the CL's enforcement; supporting measures have therefore been issued in succession in various forms of documents.
Article 7 of the CL lays down the state's mission to formulate national standards. So far, the most important national standard concerning PI is the Personal Information Security Specification ("PISS"). The version currently in effect (GB/T 35273-2017), issued by the National Information Security Standardization Technical Committee, came into application on 1 May 2018. PISS is a recommendatory national standard (as opposed to a compulsory one) in nature, i.e. it is non-binding on target companies. Yet once invoked by binding legal documents, it acquires compulsory effect.
PISS is considered essential for addressing compliance with the CL for companies operating in China. It lays down rules regarding PI at the operational level, specifying inter alia key terminology and definitions, the collection, storage, use and processing of PI, contingency plans against PI security incidents, and PI management requirements. Comparisons have been made between PISS and the GDPR, since they show similarities in both fundamental principles and concrete measures: for instance, the principle of accountability, the principle of data minimization and the principle of lawfulness, fairness and transparency; and both PISS and the GDPR provide exemptions from purpose limitation/specification, such as for the sake of the public interest.
Given its primary role in refining the obligations prescribed by the CL, two revised drafts of PISS were published for public comment this year, in February and June respectively. I will track the latest amendments and analyze how they improve the PI protection regime below.
The public security organ ("PSO") plays a dual role as both supervisory authority and enforcement authority in the PI protection regime. Article 22 of the Provisions on Internet Security Supervision and Inspection by Public Security Organs (Order No. 151 of the Ministry of Public Security, effective 1 November 2018) entitles the PSO to impose penalties on online service providers and entity users of the Internet that violate Paragraph 2 of Article 64 of the CL where the violation does not yet constitute a crime. Firstly, the supervisory targets are clarified to include any entity with access to the Internet; secondly, the PSO has the power to impose administrative penalties on non-compliant entities; last but not least, as long as the violation has not reached the level of a crime, the degree of punishment is at the PSO's discretion.
Given the broad power of the PSO and the uncertainties left by the current laws, under the concept of "display inspection rules to promote compliance" ("依检查，促保护"), the Ministry of Public Security ("MPS") issued a guideline in April this year invoking the CL and three national standards (including PISS), in order to establish a benchmark for supervision on the authority's side and for compliance on the supervised entity's side. Although the guideline is merely a normative document and not legally binding, it serves as a model answer for enterprises seeking to avoid compliance risks to the largest extent.
One of the guideline's drafters from MPS specifically pointed out a prevalent stereotype that technical measures outweigh management in PI protection. Nevertheless, constant PI leakage scandals (e.g. the large-scale leak of membership information at Huazhu Hotels Group in 2018) have proven the opposite. In most cases, it is not insufficient investment in technology but negligence in personnel management that led to the disaster. This concern gave rise to Article 4.3.2 of the guideline, under which first-line operators such as database operators shall not also act as audit administrators or security administrators.
To conclude, in understanding the legal framework protecting PI in the Chinese jurisdiction, one should neither turn a blind eye to the recommendatory rules that supervisory authorities take as benchmarks when examining enterprises' PI protection compliance, nor overstress technical measures while overlooking personnel management, the real Pandora's box.
Three recent events concerning PI protection are noteworthy. The special action against the illegal collection and use of PI, initiated in March by four authorities including MPS and the Office of the Central Cyberspace Affairs Commission, revealed, with the help of whistleblowers, substantial violations of citizens' right to privacy and right to know by apps in multiple industries including finance, e-commerce, social networking and instant messaging. Outstanding problems include, for instance, compulsory licensing, excessive acquisition of permissions, and collection of PI beyond the stated purposes. By the beginning of April, 30 apps with high market share that were found to have serious PI security problems had been ordered to rectify them within a time limit.
In June, MPS published the report of "Clean Cyberspace Action 2019", which targets crimes committed through the Internet. Among the typical cases, the "4th payment platform" case was addressed, in which several illegal payment platforms were set up for the purpose of cross-border money laundering by collecting citizens' bank card, SIM card, ID card and password information to register Internet payment accounts on Alipay, Tenpay, etc.
At the same time, 8 authorities including MPS and the Cyberspace Administration of China issued the Action Plan on 2019 Internet Market Supervision. Although the action was taken to enhance enforcement of the E-commerce Law, which entered into effect on 1 January 2019, it especially emphasized promoting PI protection from all aspects, properly designing the standard terms concerning PI in contracts, severely punishing unauthorized collection and use of information, etc.
- OCCAC: Office of the Central Cyberspace Affairs Commission
- MIIT: Ministry of Industry and Information Technology
- MPS: Ministry of Public Security
- GAMS: General Administration of Market Supervision
- NDRC: National Development and Reform Commission
- MC: Ministry of Commerce
- GAC: General Administration of Customs
- CAC: Cyberspace Administration of China
- SPB: State Post Bureau
The year 2019 is meant to be China's "PI protection year". In the first half of the year, more than 4 opinion-soliciting drafts governing different aspects of PI protection were released to the public, in addition to official documents that entered into application. Remarkably, the draft PISS was updated twice, in February and June respectively.
The rapid pace of legislative activity indicates, on the one hand, that the legislature and supervisory authorities have attached unprecedented importance to PI protection, and more subdivided regulations can be expected; on the other hand, the authorities are deliberating over every mechanism and measure that has been introduced, since this double-edged sword may also hinder data-dependent economic development.
In both the EU regime and the PRC regime, PI security and the commercial value of data stand at the two ends of the PI-protection balance. As mentioned above, the active legislative activity delivers the message that the authorities are striving for that balance. To further reveal this tendency, I will compare the two revised drafts published in June: i) the Measures for Assessment of Personal Information Exit Security, the latest draft ("2019 MAPIES") v. the 2017 draft ("2017 MAPIES"); ii) PISS, the June draft ("2019 PISS") v. the currently applicable version ("2017 PISS").
3.1. 2019 MAPIES v. 2017 MAPIES
a) Data mobility is more valued.
First of all, the 2019 version, unlike the 2017 version, specifies that the purpose of the legislation is to protect PI security in the course of cross-border data mobility. Correspondingly, the attitude expressed by the regulation has shifted from prioritizing domestic storage to facilitating cross-border mobility.
b) Safety assessment is more detailed.
Compared with the 2017 version, 2019 MAPIES adds more detail on how to conduct the PI exit safety assessment, in order to improve operability. The provincial-level CAC is designated to receive entities' safety assessment reports. The frequency of the assessment, once every 2 years, is also specified. The new version even lists the documents that entities are required to prepare for the safety assessment report.
c) Contracts between data exporter and receiver are under stronger supervision.
The contract signed between the network operator and the receiver is on the document list of the aforementioned assessment report for the CAC's review. Furthermore, performance of the contract must be reported regularly, on 31 December every year, to the provincial CAC where the reporter is located. Article 10 of the 2019 MAPIES specifically requires the authority to focus on inspecting contract performance.
The major change in the 2019 version relative to the 2017 version is the 4 articles governing the contract between network operators and receivers. Clearly, the contract is becoming an essential basis for supervisory authorities to inspect entities' PI security compliance in cross-border data mobility, and thus needs to be carefully designed.
3.2. 2019 PISS v. 2017 PISS
a) The protection of PI subjects' free will is further enhanced.
2019 PISS replaces Appendix C of 2017 PISS, "Methods to Protect PI Subjects' Right of Choice and Agreement", with "Methods to Realize PI Subjects' Free Will", defining two aspects of PI subjects' free will: i) PI subjects must not be compelled to accept multiple service functions; ii) users' right to know and right of authorization in terms of PI collection and use must be protected.
Similarly, to minimize the PI retention period, the new version defines the shortest period as that "necessary to realize the purpose of use as authorized by the PI subjects", whereas the 2017 version simply mentioned the period "necessary to realize the purpose".
Meanwhile, it also refines the exceptions to the authorization requirement, adding "performing the relevant obligations prescribed by laws and regulations" as an exemption from the need to acquire authorization and consent to use PI.
b) Obligation sharing between PI security stakeholders is further refined.
An obvious trend in the latest version of PISS is to ensure that third parties (whether a trustee processing PI or a co-controller of PI) are qualified in PI security and that the distribution of obligations between the parties is clarified by contract.
More precisely, Article 8.1(b) requires that a trustee processing PI meet standards equivalent to those for the PI controller laid down in Article 10.4 of 2019 PISS, replacing the vague phrasing of "enough" data security capacity in the 2017 version. Another example is a new article governing embedded third-party products/services that collect PI. It proposes 8 requirements for the PI controller to satisfy with respect to this stakeholder, including inter alia setting out both parties' security liabilities and PI protective measures.
c) The limitation on the use of PI is restructured.
Another remarkable change is that the original Article 7.3, "Limitation on the use of PI", is split into two parts (purpose limitation and user profiling limitation) and further elaborated. User profiling has long been a controversial technique worldwide, multiplying the commercial value of PI while putting it at risk at the same time. 2019 PISS deliberately establishes the baselines by defining the prohibited ranges: put simply, citizens' legitimate rights, public interests and national security.
d) Personnel management calls for the establishment of an internal system.
In the section "Personnel management and training", the new draft adds "establish internal systems and policies to provide guidelines and requirements for employees on PI protection" to the original 5 requirements. As mentioned above, personnel management is generally companies' Achilles' heel. Integrating the PI protection national standards into companies' own rules and regulations is most likely a shortcut to avoiding non-compliance risks.
In general, the PI protection regime in the Chinese jurisdiction is an indispensable part of the cybersecurity regime. The laws, regulations and standards governing PI constitute a clear hierarchy containing both binding and non-binding instruments. Although the majority of the rules are optional, they actually play a pivotal role in supervisory authorities' inspection and law enforcement activities, and thus should not be overlooked.
It is worth mentioning that the Personal Information Protection Law has been listed in the 13th National People's Congress Standing Committee Legislative Plan for deliberation during the term from 2018 to 2023. The frequency of PI-related legislative activity may overwhelm enterprises operating in China, given the uncertainties left by the dispersed regulations and the gaps between requirements and enforcement. However, the above review of recent supervisory actions and analysis of the latest changes in the instruments show that the trend does deliver positive messages: an open attitude has been shown towards cross-border data mobility, and the authorities impose limitations on techniques of high commercial value with a prudential attitude.
More importantly, the trend also shows companies the essential directions for improving PI protection compliance. Here are some take-away points for companies regarding three types of stakeholders:
Employees - carefully designate PI security management personnel and avoid dual roles of manager and operator; update rules and regulations to match the PI protection laws and deliver corresponding training on them.
Clients - update authorizations in a timely manner and classify the business sectors that require authorization; erase PI promptly once the purpose of its use has been realized.
Third-party stakeholders - exercise due diligence on the qualifications of co-controllers, processors and embedded service providers in tackling PI risks; contract management is of vital importance.