The final countdown is on. The PRC Cybersecurity Law comes into force on 1 June 2017. This date marks a significant evolution in both the legal and enforcement environment for data protection in China, and organisations can no longer afford to ignore it.
Indeed, there have been important new developments in the last few weeks and days:
- If you breach or ignore data protection laws: new criminal sanctions have been introduced. In early May, the Chinese authorities made clear that unauthorised collection, disclosure and receipt of "citizen's personal information" now constitutes a criminal offence under the PRC Criminal Law, with a range of sanctions taking into account (amongst other things) the degree of harm, amount of illegal gains and repeat offences, including fines of up to five times the amount of any illegal gains. This is according to the Interpretations of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens' Personal Information. This should act as a further incentive to organisations to get their house in order prior to 1 June 2017.
- If your organisation provides "important network products and services" to KIIOs (key information infrastructure operators) or other networks and information systems that relate to national security in China: the new supervisory assessment regime will also come into force on 1 June 2017. It was confirmed earlier this month that the new security and controllability assessment scheme for network products and services purchased by KIIOs that may impact national security, or by other networks and information systems that relate to national security, will come into force on the same date as the PRC Cybersecurity Law. For further information, see our update: New Cybersecurity watchdog suggests greater compliance challenges ahead for overseas companies in China. It has also been suggested that products and services that fail these assessments will be blacklisted from future procurement by KIIOs. Therefore, it is important for suppliers of such products/services to be addressing compliance issues now, and factoring in potential delays in procurement processes in the coming months. If your organisation is a KIIO, you need to plan ahead and consider how to source replacements if any of your existing products/services fail the assessments.
- If your organisation is regulated by the securities regulator: you may have to keep certain data within China. The CSRC has recently published for public consultation the draft Measures for the Information Technology Management of Securities and Funds Operators (Draft Measures) which, if implemented, propose introducing data localisation rules for securities and funds operators (Operators) as regards:
- "Important Information Systems" (i.e. systems that support an Operator's key business functions which, if breached, would have a significant impact on the securities market and investors, such as trading systems, sales and account opening systems/sites and clearing and audit systems);
- "important data" (currently undefined); and
- "Customer Information" (which includes customer's name, ID number, bank account number, contact information, transaction password, transaction history, commission and inquiry records, transaction terminal information and transaction-related customer behaviour information),
in each case collected and generated from business activities of securities and funds, subject to certain exemptions (including transactions with foreign counterparties or on foreign trading platforms (where permitted) and currency exchange transactions). These are wider restrictions than the existing data localisation rules imposed on the banking industry in China by the CBRC. The Draft Measures also propose (amongst other measures): specific data protection and data security obligations on Customer Information, including apparent restrictions on data sharing "to other organisations and individuals"; and regular (at least annual, and in some cases quarterly) IT management internal audits.
- If your organisation uses or provides encrypted products and encryption-related services in China: a proposed new encryption law may impose additional obligations. A new Draft Encryption Law was published for public consultation by the Chinese authorities in April 2017, proposing a more standardised approach to encryption and IT security, with different national standards applying to "core encryption" and "common encryption" (for state secrets) and "commercial encryption". While use of encryption would now be mandatory for some networks and data, it appears encryption will remain a heavily regulated area in China and the requirement for licences for encryption technologies will remain. A likely source of concern to some international businesses operating in China is the requirement for decryption support: for national security reasons or for criminal investigations, certain Government bodies would be legally entitled to require telecommunication operators and internet service providers to provide "decryption technology support". In practice, if passed this will increase the compliance obligations on those providing and using encryption technologies in China.
What should I do?
For those organisations who have not yet done anything about updating their China data protection compliance programme, now is the time to do it. Our overview of the key requirements under the PRC Cybersecurity Law is here: see Significant changes to data and cybersecurity practices in China and China Data Protection Update (January 2017).
For those who have started work on complying with the PRC Cybersecurity Law, you are strongly advised to monitor and act on the latest developments mentioned above as well.
Don't forget that other draft regulations are still under consideration by the Chinese Government, so yet more changes may be on the way. These include: the Draft E-Commerce Law and proposed changes to consumer protection laws, both of which would impose additional data protection obligations; draft regulations regarding the handling of minors' data; and proposed changes to guidance in China on the definition of "sensitive personal information".
What about overseas data transfers?
Finally, we recently reported on the draft measures proposing conditions, restrictions and, in some cases, absolute prohibitions on transfers of certain data outside of China: see China's new cyber security law is only 6 weeks away. We see this as being one of the most potentially disruptive and involved aspects of the new China data protection/security environment, particularly for international organisations operating in China. The consultation period has now closed, and early indications are that the authorities propose to bring the measures into force on 1 June as well, but are now considering an 18-month grace period. We understand a revised draft of the measures is now under consideration, with some amendments proposed as a result of feedback during the consultation, including some more practical guidance on what organisations may have to do, particularly regarding the scope and form of security assessments and how to obtain consent, and as regards the thresholds for regulatory assessments. We will provide another update on progress of the draft measures as details further unfold.