Overview and Compliance Highlights on «Data Security Law» and «Personal Information Protection Law»
By russonxiao
In recent years there has been a proliferation of legal provisions on cyber and data security, and this year in particular has seen a surge of new provisions on the protection of data and personal information. The Data Security Law of the People’s Republic of China (the “Data Security Law”) was published on 10 June 2021 and will come into force on 1st September 2021. The Personal Information Protection Law of the People’s Republic of China (the “Personal Information Protection Law”) was promulgated several days ago, on 21 August 2021, and will come into force on 1st November 2021.
The introduction of these two laws marks the start of a new era of cyber security in China, governed by the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law. Together, the three laws form the cornerstone of China’s network security, data security and personal information protection regime, and will have a significant and far-reaching impact on the development of China’s digital economy, on personal information protection and on corporate data compliance practices. The compliance highlights of the Data Security Law and the Personal Information Protection Law that enterprises should focus on are set out below.
- Five Key Highlights of the Data Security Law
- Data classification and grading protection
Enterprises should implement a classification and grading protection policy for their data in accordance with the data classification and grading management regulations of the industry and region to which they belong and the requirements of national standards. Based on the important data catalogue formulated by the competent industry department and the region in which the enterprise operates, the enterprise shall identify its own important data and apply key protection to it; for national core data, it shall implement the strict protection obligations and measures required by the national core data management regulations.
- Data security protection obligations
For general data, enterprises should fulfill the corresponding security protection obligations, including but not limited to: establishing a strict whole-process data security management system; organizing data security education and training; taking corresponding technical security precautions; and, in the event of data security defects, vulnerabilities or other risks, taking immediate emergency and remedial measures and fulfilling the obligation to notify.
In addition to the above security protection obligations, for important data enterprises should designate the person in charge of data security and the management organization, conduct regular risk assessments, and submit risk assessment reports to the relevant competent authorities.
- Cross-border data transfer (data export)
Regarding the security management of cross-border transfers of important data collected and generated during operations in the People’s Republic of China, enterprises should determine whether they are operators of critical information infrastructure, as the two categories are subject to different security assessment obligations.
- Increased penalties
A fine of not less than 2 million yuan and not more than 10 million yuan shall be imposed for violation of the national core data management system, and the relevant business may be ordered to suspend operations for rectification or have its business license revoked.
Penalties for violations of the cross-border data transfer rules are fines of up to 10 million yuan; the relevant business may also be ordered to suspend operations until rectification or have its relevant business license revoked, and the person directly responsible may be fined up to one million yuan.
- Data processing activities must not exclude or restrict competition
The law makes clear that data processing activities must not exclude or restrict competition. Enterprises that steal or otherwise illegally obtain data, carry out data processing activities that exclude or restrict competition, or harm the legitimate rights and interests of individuals or organizations shall be punished in accordance with the Civil Code, the Anti-Unfair Competition Law, the Anti-Monopoly Law and other laws and regulations.
- Five Key Highlights of the Personal Information Protection Law
- High penalties
In the case of serious violations of the obligation to protect personal information, the company may be fined up to RMB 50 million or up to 5% of the previous year’s turnover, and may be ordered to suspend the relevant business or to cease operation until rectification.
Directly responsible supervisors and other persons directly responsible may be fined up to RMB 1 million, and may also be banned for a certain period from serving as directors, supervisors, senior managers or persons in charge of personal information protection of the enterprise.
- Confirming the “notification + consent” principle
The principle of “notification + consent” remains the core legal basis for the processing of personal information by enterprises. Personal information may be processed only with the individual’s consent, given after adequate prior notification, and that consent must not be obtained by misleading, fraudulent or coercive means. The general matters that enterprises should notify include, but are not limited to: the name and contact information of the personal information processor, the purpose and manner of processing, the types of personal information to be processed, the retention period, and the manner and procedure for exercising the individual’s legal rights.
A company may not refuse to provide a product or service on the grounds that an individual does not consent to the processing of his or her personal information or withdraws consent, except where the processing of personal information is necessary for the provision of the product or service.
Where personal information is processed on the basis of the individual’s consent, the individual has the right to withdraw that consent. Enterprises should focus on protecting individuals’ rights and interests and are obliged to provide a convenient way to withdraw consent. An individual’s withdrawal of consent does not affect the validity of personal information processing activities already carried out on the basis of that consent before the withdrawal.
- Identifying the “3 BEST” principles
When handling personal information, enterprises must comply with the “3 BEST” principles: first, personal information should be handled in the manner that has the least impact on the rights and interests of individuals; second, the scope of collection should be limited to the minimum necessary to achieve the purpose of processing; and third, the retention period should be the shortest time necessary to achieve the purpose of processing.
- Stricter restrictions on handling sensitive personal information
When handling sensitive personal information, companies must pay particular attention to and implement the following obligations. First, a stricter purpose limitation: the handling of sensitive personal information must be limited to a specific purpose and be sufficiently necessary. Second, fuller notification: in addition to the general matters, the individual must be informed of the necessity of the processing and its impact on his or her rights and interests. Third, specific consent mechanisms: separate consent must be obtained from the individual, or written consent where required by law or administrative regulation.
- Regulating excessive collection of personal information and prohibiting “big data killing” (price discrimination based on user profiling)
When enterprises use personal information for automated decision-making, they shall ensure transparency in the decision-making process and fair and equitable results, and shall not apply unreasonable differential treatment to individuals in terms of transaction prices or other transaction conditions.
Businesses that push information or commercial marketing to individuals through automated decision-making should also provide options that are not targeted at the individual’s personal characteristics, or provide individuals with a convenient way to decline.
Companies must conduct a personal information protection impact assessment beforehand and keep records of the processing.
For any further inquiry, please do not hesitate to contact us.