Guidance on who is a "key information infrastructure operator" under the PRC Cybersecurity Law, and draft regulations on handling minors' data
In the rapidly evolving environment of data protection compliance in the People's Republic of China, this month has seen some helpful clarification around two areas of uncertainty - namely:
- Some further indications as to who will be deemed a "key information infrastructure operator" ("KIIO"), and so subject to the data localisation rules under the PRC Cybersecurity Law
- Additional safeguards required when handling the personal data of minors
but unfortunately, in both regards, significant uncertainties remain.
New Cybersecurity Strategy gives first guidance on application of PRC Cybersecurity Law
Following the recent enactment of the PRC Cybersecurity Law, China's internet regulator published the country's first National Cyberspace Security Strategy (the "Strategy") on 27 December 2016. The Strategy offers few fresh initiatives, but summarises goals within the PRC Cybersecurity Law and other regulations passed over the past year. A guiding concept is "Internet sovereignty", which the Strategy defines as China's right to police the internet within its borders and to participate in managing international cyberspace. In particular, the Strategy emphasises the need to safeguard key information infrastructure operators (KIIOs).
Most importantly, the Strategy seeks to clarify the definition of a KIIO by providing guidance on the industries that the Chinese Government will prioritise with respect to cybersecurity.
A KIIO is defined in the Strategy as an operator of "information facilities that have an immediate bearing on national security, the national economy or people's livelihoods such that, in the event of a data leakage, damage, or loss of functionality, national security and public interest would be jeopardized". This aligns with the definition in the PRC Cybersecurity Law, and indicates that the potential impact of a security breach is a key factor in determining who will be considered a KIIO.
In addition, the expanded definition put forward in the Strategy clarifies which industries the Chinese authorities consider to be operating key information infrastructure. The PRC Cybersecurity Law listed "public communications and information services, energy, transportation, hydropower, finance, public services, e-government and other critical information infrastructure", and the Strategy expands on this by:
- Listing "basic telecommunications networks that provide public communications, radio and television transmissions and other such services" to expand on the definition of "public communications" operators
- Noting that important information systems in sectors and state bodies in the additional fields of "education", "scientific research", "industry and manufacturing", "medicine and health" and "social security" will also be caught
- Identifying that "important internet application systems" will also be deemed to be KIIOs. Unofficial reports suggest that this is intended to catch popular apps such as Taobao and WeChat, which have millions of daily users in China who would be affected by a security breach
Organisations within these newly highlighted sectors are now also advised to pay attention to the additional cybersecurity and data protection obligations imposed on KIIOs by the PRC Cybersecurity Law and to consider updating their compliance programmes accordingly.
Unfortunately, this additional guidance is far from definitive: it remains unclear whether every organisation in the specified industries will automatically be a KIIO simply because it operates a network (potentially even just a website) in the People's Republic of China. Furthermore, other key uncertainties under the PRC Cybersecurity Law, including the definitions of "network operator" and "important business data", remain unresolved. The ongoing uncertainty is extremely unhelpful for local and international organisations trying to identify whether they need to update their China compliance programmes before 1 June 2017, when the PRC Cybersecurity Law becomes effective, and we hope that further guidance will be published shortly.
Draft Regulations on the protection of the use of internet by minors published for comments
The State Council published for public consultation the draft Regulations on the Protection of the Use of Internet by Minors (the "Draft Regulations") on 7 January 2017 to provide additional protection to minors (ie Chinese citizens under the age of eighteen) when they are online. In particular, the Draft Regulations propose additional data protection obligations with which "network information service providers" (ie organisations and individuals using networks to provide users with information technology, information services and information products, including online platform service providers and providers of online content and products) would need to comply. The definition of a "network information service provider" appears to catch any individual or business that operates websites or processes online data in China.
Some of the key provisions of the Draft Regulations include:
- Network information service providers must conduct reviews of the information published on their platforms. If any content is deemed unsuitable for minors, a warning must be placed prominently before the content is displayed. The Draft Regulations recognise the need for the relevant authorities to publish policies guiding organisations on how to manage information unsuitable for minors.
- "Minors' personal information" is given a wide definition, and would capture all kinds of information, whether recorded electronically or through other means, that when alone or taken together with other information is sufficient to identify a minor's identity, including but not limited to a minor's full name, location, residential address, date of birth, contact information, account name, identification number, personal biometric information, and photographs.
- Network information service providers that offer search functions on their platforms would not be allowed to display search results that comprise minors' personal information. If a minor or his/her parent/guardian requests a network information service provider to delete or block the minor's personal information that is available online, the network information service provider would also be required to do so.
Consultation on the Draft Regulations closes on 6 February 2017. It is hoped that some of the uncertainties in the Draft Regulations will be clarified before they are finalised and come into force. In the meantime, organisations, particularly those whose websites are aimed at young people, should note that, if passed, the Draft Regulations would require a proactive review and update of their Chinese websites and privacy policies, and of their data collection and retention policies and procedures, to address these new safeguards.