China legal update: Safeguarding Data Security by Newly-Drafted Measures

China legal update: Safeguarding Data Security by Newly-Drafted Measures

I. Legal News

With the implementation of Cyber Security Law on June 1, 2017, cyber security and data protection have become the focuses of concerns for lawyers and investors in China. Relevant clarifications on Cyber Security Law are released gradually, and we hereby highlight the following newest drafts to provide an outlook for the future of legislation trend.

1. Safeguarding Data Security by Newly-Drafted Measures

The Cyberspace Administration of China (“CAC”) has recently enacted the Draft for Comment of Administrative Measures for Data Security (the “Measures”) and is consulting for the public opinion by June 28, 2019.

It is common nowadays that the operators of websites and applications collect personal information by forcing or misleading users to agree to the collection of personal information. Unfair competition cases caused by the commercialized using of data also occur from time to time. Some regulations in the Measures further strengthen the protection of users:

(1) If the network operators are to gather the personal information of a juvenile under 14, they shall obtain consent from his guardians.

(2) Rules of personal information collection and usage should be enacted and publicized by network operators through websites and applications. Furthermore, those rules should be specific, simple, easy for the users to access.  In addition, personal information can only be collected by the operators when the users are aware of the collection and explicitly agree on the collection.

(3) The network operators cannot, on the grounds such as improving the service quality and/or enhancing the user experience etc., force or mislead the users to accept the collection of information (e.g. through default authorization without indicating clear authorization instructions).

(4) For “directional push”, which refers to network operators using data and algorithms to push news and advertisements to the users, the users shall be provided with clear indication of the wording as well as the choice to stop receiving such information.

(5) While publishing market forecasts, statistical information, personal or enterprise’ credit information through analyzing and utilizing the data resources, network operators shall not affect national security, economic operation or social stability, and shall not harm the legitimate rights and interests of others.

In this big data era, the Measures aim to better protect data from disclosure, theft, tampering, damage, illegal use etc. and to punish illegal activities endangering data security in accordance with the law.1


2. New Draft on Measures about Cybersecurity Censorship for Public Comment

The CAC also plans to launch measures about cybersecurity censorship. It has recently drawn up the Measures for Cybersecurity Review (Draft for Comment) (the “Draft for Comment”) to solicit public opinions by June 24, 2019. The Draft for Comment stipulates that upon promulgation, it will replace the previous trial version of the Measures for the Security Review of Network Products and Services2 which came into force in June 1, 2017.

Pursuant to article 35 and 65 of PRC Cyber Security Law, when purchasing network products and services, business operators of Key Information Infrastructure (“KII”)3 shall go through a security review if such network products or service may influence national security, otherwise, a fine equivalent to up to 10 times of the purchase price will be imposed, and the person in charge will be fined amounting up to RMB 100,000.00. The Draft for Comment only regulates the activities of KII operators in purchasing network products and services. Specifically, when purchasing products and services, the Draft for Comment stipulates that the KII operators shall:

(1) foresee the potential safety risks that may arise after the launching of certain network products or services;

(2) notify the cybersecurity review office when the launch is likely to result in the complete shutdown of KII of major functions.

In addition, the Draft for Comment expressly states the documentary and procedural steps of security review to be filed by the KII operators, which were not mentioned in the previous regulations.

It is stipulated that the KII operators shall submit a notification statement, a safety risk report and other relevant materials. And then the cybersecurity review office shall complete the preliminary review within 30 working days from accepting the cybersecurity review, and the time limit could be extended by 15 working days if the situation is complicated. Furthermore, the Draft for Comment states that the review may end up with three results, including “pass”, “pass with condition”, and “failed”.

Regulations on KII have raised great concerns among foreign investors since they may need to disclose sensitive information within the frame of the relevant review procedures. Details are yet to be further issued.


3. Chinese Lawmakers Deliberate to Further Secure Personal Information in the Civil Code Draft

Not only the cyber law area is facing improvement, the Civil Code is also undergoing a significant change of further protection on personal information. In April 20, 2019, the Standing Committee of the National People’s Congress released the Second Draft for Review of the Part on Real Right and on Personality Right of Civil Code (“Draft for Review”) for public consultation. A highlight has been on setting up a separate part of personality right in the Civil Code in order to protect citizens’ rights in the basic law.

(1) “Changing faces through AI technology”

It concerns a technology based on artificial intelligence that uses a combination of existing and videos/photos to create a false video/photo. Such video/photo will normally mislead public as the individual in such false video/photo performs activities that never occurred in reality. More severely, the false video/photo can be used to commit online frauds. The Draft for Review adds strict prohibitions on “changing faces through AI” in which article 799 clarifies that no individual or entity can infringe upon others’ portrait rights by defaming, fouling, or faking through means of information technology.4 In addition, the Draft for Review also stipulates that portraits shall not be produced, used, or made public without the portrait owner’s consent, unless otherwise provided for by law (e.g. ordered to be published by police).

(2) Strengthening protection of personal information of juveniles

In addition, protection of personal information of juveniles is strengthened in the Draft for Review. For example, when collecting and using personal information of persons without or with limited civil capacity, the individual or entity shall seek the consent of their guardians first, unless otherwise stipulated by law. This new regulation especially protects the juveniles who are mentally immature and whose privacy and personal information are very vulnerable to be used and infringed.

(3) Strengthening confidentiality obligations of government department and its officials

Additionally, the Draft for Review emphasizes the obligation of confidentiality for the state organs and their officials.

If personal privacy and information have to be used while performing duties, the government department or its officials shall not reveal such personal information, nor illegally disclose it to others.

These amendments are in line with the relevant provisions of the General Principles of Civil Law, while also providing the legal basis for the next step of enacting the law on personal information protection. Along with the two drafts on cyber security, it can be seen that China has been putting efforts to safeguard citizens’ personal information and also to secure data security.




3. KII is introduced in article 31 of Cyber Security Law which stipulates that “the State shall carry out important protection of the important industries and fields, such as public communication and information service, energy, transportation, irrigation, finance, public services and e-government affairs, and the key information infrastructures that may endanger national security and public interest in case of damage, data leakage, etc. The specific scope and measures for security protection for KII shall be formulated by the State Council.




Feel free to contact for more information.