The Cyberspace Administration of China ("CAC") has released a series of draft measures and regulations pertaining to cybersecurity and data protection in China for public comments. The measures and regulations will impose higher standards of cybersecurity and data protection, and strengthen China's cybersecurity and data protection regime across various sectors and fields of application.
Cybersecurity Review Measures
The draft Cybersecurity Review Measures seek to "improve the degree of security and controllability of Critical Information Infrastructures (CII)" and "maintain national security". To achieve this, CAC will establish a national cybersecurity review unit in conjunction with other regulatory bodies and entities. A cybersecurity review office will also be established to, among other things, develop cybersecurity review-related regulations and procedures.
Data Security Management Measures
The draft Data Security Management Measures ("DSM Measures") set out obligations and actions aimed at "safeguarding national security, public interest, protecting the lawful rights and interests of citizens, legal entities and other organizations in cyberspace". The proposed measures cover the collection, storage, transfer, processing and use of data, as well as other activities relating to data carried out on the internet within China.
The DSM Measures would also introduce the concept of a person responsible for data protection, akin to the role of a Data Protection Officer ("DPO") under the Singapore Personal Data Protection Act (PDPA) and the EU General Data Protection Regulation (GDPR).
Regulations on the Protection of Children’s Personal Information Online
The draft Regulations on the Protection of Children's Personal Information Online ("Regulations") are developed for the purposes of "protecting children's personal information security and promoting the healthy development of children." "Children" refers to minors under the age of 14.
Given that children are vulnerable, the Regulations require Network Operators, which include network owners, network managers and internet service providers ("Network Operators"), to have in place dedicated policies and user agreements for the protection of children’s personal information. They must also appoint dedicated DPOs within their organisations to oversee the collection and use of personal data relating to children.
Measures on Security Assessment of the Cross-border Transfer of Personal Information
The draft Measures on Security Assessment of Cross-border Transfer of Personal Information ("PI Measures") require Network Operators to conduct a security assessment before transferring personal data collected within the territory of China to another country ("cross-border transfer of personal data"). The PI Measures further stipulate that Network Operators should not carry out cross-border transfer of personal data if the security assessment reveals that such a transfer may endanger national security and compromise public interest. Nor should they carry out cross-border transfer of personal data if the security assessment reveals that the transfer does not provide adequate protection for personal data.