China Releases Regulation on Protecting Security of Critical Information Infrastructure
On 17 August 2021, the State Council of the People's Republic of China published the Regulation on the Protection of the Security of Critical Information Infrastructure (关键信息基础设施安全保护条例, the "CII Regulation"). The CII Regulation came into force on 1 September 2021, providing more clarity on the CII protection regime which was first introduced in China under the 2017 Cybersecurity Law.
Critical Information Infrastructure ("CII") is defined under the CII Regulation as important network facilities and information systems in important industries and sectors, and those whose destruction, loss of function or data leakage could seriously harm national security, the national economy, people's livelihoods, and the public interest. The CII Regulation highlights a few "important industries and sectors" where CIIs will be identified, including public communications and information services, energy, transportation, water conservancy, finance, public services, e-government, and the national defence technology industry. For the purpose of identifying CII, the competent regulators of the important industries and sectors are required to develop rules for identifying CII in their industries and sectors ("CII Identification Rules"), determine the CII according to such rules, notify each CII operator of such decisions, and provide a copy of the CII list to the Ministry of Public Security.
Once an operator is identified as an operator of CII ("CIIO"), it must perform a number of specific obligations, including, amongst others, (i) planning, building and using security protection measures; (ii) establishing a cybersecurity protection system and responsibility system; (iii) setting up a dedicated security management organisation; (iv) conducting cybersecurity inspections and risk assessments of its CII at least once a year; (v) reporting major cyber incidents or threats to the relevant authorities (with particularly significant ones to be reported to the Cyberspace Administration of China and the Ministry of Public Security); and (vi) performing other obligations regarding the procurement of network products or services. CIIOs violating the CII Regulation may be punished by an order for rectification, a warning, and in serious cases a fine of up to RMB 1 million for entities. The responsible personnel of an errant CIIO will also face a monetary fine of up to RMB 100,000, in addition to other penalties including detention, criminal prosecution, and a prohibition from holding key positions in CIIOs in future.
It is especially noteworthy that the head of a CIIO (e.g. the CEO or General Manager of a CIIO) shall assume overall responsibility for the CII security protection. According to the press release on the CII Regulation, the purpose of such provision is to ensure that CIIOs will invest necessary personnel, capital, equipment and facilities, and other resources to protect the security of CII.
Companies, especially those in the important industries and sectors, should keep a close eye on the CII Identification Rules to be released by the competent industry regulators. It is also advisable for companies to assess the likelihood that their network facilities and information systems will be identified as CII.
China Publishes Regulations on Management of Automobile Data Security
On 16 August 2021, Several Regulations on the Management of Automobile Data Security (for Trial Implementation) (汽车数据安全管理若干规定(试行), "Automobile Data Regulations") were jointly promulgated by five departments and ministries of China (including the Cyberspace Administration of China and the PRC Ministry of Industry and Information Technology). The Automobile Data Regulations took effect on 1 October 2021. The key highlights of the Automobile Data Regulations are set out below.
Key Features of the Automobile Data Regulations
Definition of Important Data
Article 3 of the Automobile Data Regulations defines Personal Information, Sensitive Personal Information, and Important Data. Notably, the Automobile Data Regulations explicitly define the scope of important data for the automotive industry ("Important Data") as "data which, once tampered with, damaged, leaked or illegally obtained or utilised, may endanger national security, public interests or the legitimate rights and interests of individuals and organisations". Important Data includes:
- Geographic information and data on the flow of people and vehicles in important sensitive areas such as military management zones, national defence science and engineering units, and governmental authorities at or above the county level;
- Vehicle flow, logistics and other data reflecting economic operating status;
- Operating data of vehicle-charging networks;
- Audio and video data outside a vehicle, such as face information and licence plate information;
- Personal information involving more than 100,000 individuals;
- Other data that may endanger national security, public interests or the legitimate rights and interests of individuals or organisations as specified by the State Cyberspace Administration and relevant departments of the State Council, such as development and reform, industry and information technology, public security, and transportation.
Key Principles for Handling Information
Article 6 of the Automobile Data Regulations provides four key principles for handling personal information and Important Data, comprising the following:
- the Principle of processing data inside vehicles (车内处理原则);
- the Principle of non-collection by default (默认不收集原则);
- the Principle of applying the appropriate range of accuracy (精度范围适用原则); and
- the Principle of processing with de-sensitisation (脱敏处理原则).
Articles 7 through 10 of the Automobile Data Regulations further elaborate on different detailed requirements for handling Personal Information, Sensitive Personal Information, and Important Data.
Restrictions and Requirements on Cross-Border Transfer and Reporting Obligations on the Operators
According to Article 11, Important Data must be stored within the territory of China in accordance with the law, and if it is necessary to transfer Important Data to a country or place outside the PRC for business needs, such transfer is subject to a security assessment by the relevant governmental authorities. The storage and cross-border transfer of Personal Information which is not Important Data must be handled in accordance with the relevant provisions of laws and administrative regulations. For more information, see our Legal Update on the PRC Personal Information Protection Law.
Article 12 further provides that automobile data processors shall not transfer the Important Data to a country or place outside the territory of the PRC beyond the purpose, scope, method, data type, and scale specified during the cross-border transfer security assessment.
According to Article 13, automobile data processors who process Important Data are required to report their annual data security management status to the relevant authorities before 15 December of each year. Article 14 further stipulates that automobile data processors who carry out cross-border transfers of Important Data must also report further information regarding such transfers.
What Businesses Need to Do
China has continuously strengthened its legislation and regulation of cybersecurity, data security and personal information protection in recent years. The Automobile Data Regulations are the regulatory response to growing concerns about data security as smart cars continue to evolve and proliferate in China. It is advisable for companies in the automotive industry to conduct a systematic review and assessment of the current status of their internal procedures and policies for the collection, processing, localised storage, and cross-border transfer of Personal Information and Important Data.
China's Personal Information Protection Law Comes Into Effect on 1 November 2021
On 20 August 2021, the 13th National People's Congress of the People's Republic of China ("PRC") passed the Personal Information Protection Law (中华人民共和国个人信息保护法) ("PIPL"), which will take effect on 1 November 2021. The PIPL is the first dedicated national law on the regulation and protection of personal data in China, introducing several important new rules that will have a significant impact on how personal information processors ("PIPs") may handle and process "Personal Information", defined in the PIPL as all kinds of information related to identified or identifiable natural persons that is electronically or otherwise recorded, excluding information which has been anonymised. For a detailed analysis of the PIPL, please see our client update.
Extension of Bases for Data Processing
In the past, the data subject's consent was the sole basis for the collection and processing of personal data. For the first time, the PIPL extends this to include other lawful bases, such as when processing is necessary to:
- conclude and perform a contract;
- perform lawful duties or obligations;
- respond to public health incidents; or
- protect the lives, health, and property of natural persons in an emergency.
Expansion of Extraterritoriality
The extraterritorial reach of the PIPL is broader than that of the PRC Data Security Law, which targets data processing activities outside China that harm China's national security or public interest or the lawful rights of its citizens and organisations. The PIPL applies to Personal Information processing activities outside the territory of the PRC if such activities relate to (i) the provision of goods or services to natural persons within the territory of the PRC; or (ii) the analysis and evaluation of the behaviour of natural persons within the territory of the PRC. It also contains a catch-all provision that permits the Chinese government to include other situations provided for by other PRC laws or administrative regulations.
Requirements for Cross-border Transfer of Personal Information
The PIPL imposes conditions on the cross-border transfer of Personal Information. PIPs will need to fulfil at least one of the following conditions before transferring Personal Information out of China:
- Passing a security assessment by the national cyberspace authority;
- Obtaining personal information protection accreditation from a professional agency appointed by the national cyberspace authority; or
- Entering into a contract with the overseas recipient in a standard form formulated by the national cyberspace authority.
The PIPL contains a catch-all provision to permit the Chinese government to impose other conditions provided for under laws and regulations, or those set by the national cyberspace administration authority.
Appointment of a Person in Charge of Personal Information Protection ("DPOs") by Overseas PIPs
Overseas PIPs who are subject to the PIPL must establish a dedicated institution or appoint a representative within the PRC to handle matters relating to the protection of personal information, and must report the name and contact details of such institution or representative to the relevant authorities. As the PIPL has not yet come into effect and this requirement is new, stakeholders await further clarification from the authorities as to the detailed requirements and procedures in this respect.
Please note that whilst the information in this Update is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as a substitute for specific professional advice.