
EBU6007 Cybersecurity Law
Chinese Data Privacy Law: An Introduction
LL.B., LL.M.
Technology, Media & Telecommunications Law Institute


Centre for Commercial Law Studies Queen Mary, University of London
Personal Information Protection Law 2021
Introduction
 China: traditionally a sectoral approach to information privacy
 2009 Tort Law developments
 Significant developments in data privacy, especially from 2012
– Ecommerce as a driver
 2021: Introduction of new Personal Information Protection Law (PIPL)

Context & Other Laws
Root of information privacy in China:
 Article 40 of the PRC Constitution
– “The freedom and privacy of correspondence of citizens of the People’s Republic of China are protected by law. No organization or individual may, on any ground, infringe upon the freedom and privacy of citizens‘ correspondence except in cases where, to meet the needs of state security or of investigation into criminal offences, public security or prosecutorial organs are permitted to censor correspondence in accordance with procedures prescribed by law.”
Context & Other Laws
 Prior to PIPL coming into force…
– General (National) Data Protection Law in China:
 Decision on strengthening online information protection (2012)
 National Standard of Information Security Technology Guideline for Personal Information Protection within Information Systems for Public and Commercial Services (2013)
Context & Other Laws
 Prior to PIPL coming into force…
 Various other laws which affect Data protection in China, including:
– Criminal Law
– Measures for Security Protection Administration of the International Networking of Computer Information Networks
– Provisions of the Supreme People’s Court on Several Issues Concerning the Application of the Rules regarding Cases of the Infringement of Personal Rights over Information Networks (2014)
– Provisions on Telecommunication and Internet User Personal Information Protection (2013)
– Guidelines for the supervision of IT Outsourcing risks of Banking Financial Institutions (2014)
– PRC Consumer Rights Protection Law
 Measures for the Administration of Online Transactions 2013
 Updated by Consumer Protection Measures 2015
– Personal Information Security Specification 2020 (replaces 2018 version)
 Connected to CyberSecurity Law which came into force on 1 June 2017

The Personal Information Protection Law 2021
 Data protection under Chinese law
– Protection of Chinese Citizens
– Stimulation of (e)commerce
– Balance of important public interests
 Privacy, cybersecurity, national security
Personal Information Protection Law 2021
 PIPL 2021
– China’s first omnibus information privacy law
 Core rules
 Does not replace all prior laws!
Personal Information Protection Law 2021
 So what’s new?
– Over-arching approach
– Expansion of newer concepts such as sensitive personal information
– Extra-territorial reach
– Clarification of role of information handlers / processors & enhanced data security obligations
– Enhanced rules on consent and data subject’s rights
– Cross-border rules data transfer rules enhanced & clarified

Personal Information Protection Law 2021
 Why does this matter to business?
– Operating within the law!
– Avoiding reputational damage
– Penalties:
 A66: Correction, confiscation of “unlawful income”
– Failure to correct: fine for company of up to RMB 1 million
– Individuals directly responsible can be fined RMB10k-100k
– In “grave” circumstances – RMB 50 million / 5% annual turnover, suspension or termination of business licence
– In “grave” circumstances – individuals can be fined RMB100k-RMB1 million
Personal Information Protection Law 2021
 Why does this matter to business?
– Penalties:
 A67 – a ‘name and shame’ approach
 A69 – where cannot prove lack of liability for infringements:
• requirements to compensate loss
• Based on loss to individual and/or unjust enrichment
 A70 – potential prosecution for breach
Personal Information Protection Law 2021
 Oversight Bodies (A60-65)
– At National & Regional Level
– State Cybersecurity & Information Department at top level
– Responsible for:
 Guidance on law & compliance
 Enforcement
 Dealing with complaints from individuals
 Creation of clear rules & standards for applying the PIPL
 Support for R&D and adoption of privacy protection tech
 Support for industry certification schemes

Personal Information Protection Law 2021
 PIPL: into force 1 November 2021
 Scope of the PIPL:
– Within PRC borders (A3)
– Outside PRC (A3) borders where:
 Purpose is to provide products or service into China
 Analysis / Assessment of Chinese citizens’ activities within PRC (e.g. market research, targeted advertising)
Personal Information Protection Law 2021
 Scope of the PIPL:
– “natural persons” (A3)
 Living people
– (But special arrangements for sensitive handling of the deceased’s information – A49)
– Personal Information (A4)
 “all kinds of information recorded by electronic or other means”
 “related to identified or identifiable natural persons…”
Personal Information Protection Law 2021
 Scope of the PIPL:
– “identified or identifiable natural persons…”
 Identifying from the information
 Identifying from that information plus other information
– Exceptions?
 “…not including information after anonymization handling.”
– De-identification (the information alone) (A73)
– Anonymisation (impossible to id and restore) (A73)
 The profiling problem…
– If in doubt, treat as personal information

Personal Information Protection Law 2021
 Scope of the PIPL:
– Sensitive Personal Information (A28)
 “…once leaked or illegally used, may easily cause harm to..”
– personal dignity / privacy
– Serious harm to personal or property security (e.g. use for fraud)
– Includes:
• Biometrics, religious belief, health records, finances, location tracking…
• Personal information of minors under 14 years of age
• Non-exhaustive list
– Additional safeguards; Necessity.
Personal Information Protection Law 2021
 Who has responsibilities?
– Public & Private Sector application
– Personal Information Handlers
 Organisations/ Individuals who “autonomously decide handling processes”
– Data Controllers
– Also responsible for activities of processors
 Any business collecting & using personal information is affected by this law
Personal Information Protection Law 2021
 Key principles affecting businesses:
– Collection of personal information must be:
 Legal, necessary & honest
 Only collect information necessary for intended use
 Clarity (for data subject)
– Obligations to ensure:
 Data integrity & security
 Treatment and use in line with the law

Personal Information Protection Law 2021
 Key issues:
– Consent (A13-18):
 Required for collection and use of individual data
 must be informed
 Must be voluntary and explicit
 Only applies to the specified purposes for which the information was collected (including entrusting information to sub-contractors)
 May be withdrawn
 If declined, service may only be refused if information is
 Exceptions where provided by law, e.g. police investigation
Personal Information Protection Law 2021
 Compliance
– By management and design
 E.g. website design:
– Clear privacy policy with ‘tick box’ (opt-in) type requirement to progress
 E.g. recorded message (telephone sign-up)
 “using clear and easily understood language.”
 Key information must be provided, including:
– Name and details of information collector
– Purpose and duration of collection and use
– Information about exercise of data subject rights
 Children’s consent (A31)
– For U14, Parent or Guardian must consent (Age verification, service limitations)
Personal Information Protection Law 2021
 Compliance
– Consent (A13-18):
 Requires careful management:
– Not to exceed clear purpose for which collected
– Time limitation – not to be kept longer than needed for that purpose
 Consent can be withdrawn:
– Need to provide clear information on process
• E.g. account settings on website, dedicated email address, telephone
– Best practice: regular checks
• E.g. requirement to re-confirm consent every few months or after period of non-use of service / not logging in
 The business model and ‘necessity’ (incl, onward data sale)

Personal Information Protection Law 2021
 Key issues:
– Alternative to Consent: Necessity
 Legal compliance
– E.g. tax laws, criminal investigations
 Fulfilment of contracts
• Payment details, addresses (for distance selling)
 Emergencies
– E.g. health emergency, employee collapse at work
 Public interest
– Including “news reporting”
– Information already put in the public domain
Personal Information Protection Law 2021
 Further Obligations for Personal Information Handlers:
– A22 Mergers, sale, company dissolution, bankruptcy et cetera:
 Notification requirements re pi to be transferred
 New holder bound by original conditions absent further
– A23 transfer of personal information to another
 Only with full, informed & voluntary consent
Personal Information Protection Law 2021
 Automated decision-making (A24)
– E.g. considering credit card applications
– Must be transparent and fair
– “unreasonable differential treatment of individuals in trading conditions” forbidden
 E.g. offering different prices on ecommerce site based on profiling of individual
– Must be “convenient method to refuse” targeted advertising / offers
– Individuals have a right to challenge & refuse automated decision making

Personal Information Protection Law 2021
 Additional rights for individuals (A44-46):
– Right of control over their information
 Includes right to limit/refuse (ref: consent)
– Right of access and to be given a copy
 Exceptions where provided by law
 Must be provided “in a timely manner”
– Information portability
 PI handler must facilitate transfer, e.g. to new service provider
– Right to ensure information held about them is accurate
 Includes right to have inaccuracy corrected
Personal Information Protection Law 2021
 Additional rights for individuals (A47):
– “Right to be forgotten”: information deletion
 Where purpose collected for achieved, is impossible, or information no longer necessary
 Service or product no longer available
 Consent withdrawn
 Legally required retention period ended
– If not ended but consent withdrawn, must cease use and only store & ensure secure (same rule if deletion is “technically hard to realise”)
 Personal Information handlers found to have breached the rules
Personal Information Protection Law 2021
 Additional rights for individuals (A48-49):
– Right to request clear explanation of rules on handling of personal information (to ensure legal compliance)
 Need for clarity: relevant to specific audiences, e.g. Children, visually impaired…
– Posthumous treatment of information
 PIPL designed to protect living individuals
 BUT (unless prior arrangements made by individual) rights on death can be exercised by next of kin
– “for the sake of their own lawful, legitimate interests”
– E.g. dealing with assets, closing accounts

Personal Information Protection Law 2021
 Obligations for Personal Information Handlers (A50):
– To establish mechanisms & processes to deal with individual requests re data rights
– Must provide explanation if refuse a request
 Individuals entitled to file a lawsuit to challenge such refusal
Personal Information Protection Law 2021
 Obligations for Personal Information Handlers (A51-53):
– Data Security requirements
 Clear information available on how information is stored, potential risks, and protections
– Includes requirements of use of technological protections, regular staff training, clear operational limits [codes of conduct], incident response plans ready in advance
– Dedicated protection staff (where company dealing with certain quotas set by State Cybersecurity & Informatisation Department)
– Contact details for protection staff to be provided (inc specific individuals)
– International companies to whom PIPL applies must appoint rep. in PRC
Personal Information Protection Law 2021
 Obligations for Personal Information Handlers (A54-56):
– Regular review and audits of pi handling & compliance, including security provisions (e.g. encryption up to date)
– In some circumstances must be impact assessment before information collected
 Sensitive pi, automated decision making, using subcontractor, sending pi outside China, or otherwise “major impact” on data subject

Personal Information Protection Law 2021
 Obligations for Personal Information Handlers (A57):
– Response to data leak
 Immediate remedial measures (based on existing processes)
 Notification requirements
– Government departments dealing with pi protection
– Must include:
• Information category, cause, potential harm
• Measures taken to mitigate harm
• Contact details
– No need to notify individuals if can be sure harm avoided by action taken
– If believe harm may have been caused, must notify affected individuals
Personal Information Protection Law 2021
 Obligations for Personal Information Handlers (A58):
– Providers of “important internet platform services, that have a large number of users and whose business models are complex…”
 E.g. social media; scale/quantity of personal information
 Additional requirements
– Oversight bodies “composed mainly of outside members”
– Public social responsibility reports
Personal Information Protection Law 2021
 Obligations for Personal Information Handlers:
 Working with others
– Co-handlers
– Subcontractors
– Cross-border transfers

Personal Information Protection Law 2021
 Working with other companies
– Obligations for Personal Information Handlers (A59):
 Third-party subcontractors processing personal information must ensure data security
– More than one pi handler working together (A20)
 Clear agreement required on division of rights and responsibilities
 Individuals can still demand action re rights from any one pi handler
Personal Information Protection Law 2021
 Working with other companies
– Subcontractors (A21):
 Can only be done with data subject consent
 Must be an agreement setting out key issues, including:
– Time limitations
– Handling method
– Types of personal information to be collected
– Protection measures
– Rights and Duties of each side
 Achievable by contractual agreement, binding corporate rules, etc.
 Legal responsibility for oversight remains with the PI handler
Personal Information Protection Law 2021
 Working with other companies
– Cross-border operations: transferring data out of China for processing and use elsewhere (A38)
 Data localization
– May only export data where “truly necessary”
 Must fulfill one of following:
– Pass State Cybersecurity & Informatisation Dept security assessment
– Certification by a specialised body recognized by C&I Dept
– Standard contractual terms provided by C&I Dept
– Other conditions set out in law / regulation / by C&I Dept
 OR: data export to a company in a country whose law China recognizes

Personal Information Protection Law 2021
 Working with other companies
– Cross-border operations: transferring data out of China for processing and use elsewhere (A38)
 NB: Exporter liable to ensure compliance
 Compliance strategies:
– Training
– Oversight (legal advice)
– Contract: get everything in writing!
– Pay close attention to C&I Dept advice
Personal Information Protection Law 2021
 Working with other companies
– Cross-border operations: transferring data out of China for processing and use elsewhere
 Consent of the data subject is required (A39)
– All standard consent requirements apply (fully informed, et cetera)
– All details must be provided to permit full exercise of data subject rights
 “Critical information infrastructure operators and pi handlers [who meet set data quotas]” must store information within PRC (A40)
– State C&I Dept to oversee
– Unless a standard arrangement in place with destination country, must be specific security assessment
Personal Information Protection Law 2021
 Working with other companies
– Cross-border operations: transferring data out of China for processing and use elsewhere
 National Security issues (A41)
– Personal information stored in PRC may only be provided to foreign judicial or LEAs where PRC authorities have granted permission
 Blacklist Provision (A42)
– If foreign organisations or individuals violate PRC law on information protection or harm national security, State C&I Dept can add to list requiring their access to Chinese PI be limited or prohibited

Personal Information Protection Law 2021
Key practical advice for compliance:
 If in doubt, treat it as personal information
– The profiling question (especially online)
 Informed Consent is King
– Invest in ensuring consent properly acquired
 Web design, training of telephone staff
 Clearly explained privacy policies with appropriate attention
 Recording for telephone (or a script)
– Consent trumps necessity!
Personal Information Protection Law 2021
Key practical advice for compliance:
 Sensitive Personal Data
– Easier to avoid where possible
– Extra care, only process where strictly necessary
 If children are target market or among it:
– Remember *all* U14’s data is sensitive
 Parental consent requirements
 age verification – citizenship number, credit card…
 Need extra flagging – website design, telephone procedure.
Personal Information Protection Law 2021
Key practical advice for compliance:
 Consent is an ongoing process, and can be withdrawn
– Need for regular dialogue with user (e.g. cookie warnings and regular reminders)
 Facilitating User rights
– Key contact details available, specialist staff where appropriate
– Proper internal organization & processes
– Website design and access

Personal Information Protection Law 2021
Key practical advice for compliance:
 Facilitating User rights
– Procedure in place for posthumous dealing with data, deletion whenever appropriate
 Data Security
– Comply with all guidance per regulatory authorities
– Ensure encryption, firewalls et cetera are kept up to date
– Procedures in place for handling a data leak should one arise
– Prevention better than cure!
Personal Information Protection Law 2021
Key practical advice for compliance:
 Working with others
– Individual consent
– The liability rules and importance of trusted partners
 Oversight responsibilities
 Importance of clear (written) rules
Personal Information Protection Law 2021
Key practical advice for compliance:
 Working with others
– Transfer of personal information outside China
 Ensure compliance with data localization rules
 Necessity: not just convenience or cost-saving
 Informed Consent
 Clear contractual agreements
– May help with liability questions even where law recognized by PRC

Personal Information Protection Law 2021
Key practical advice for compliance:
 Clear record keeping!
– Information sent to customers, security procedures, actions in event of breach, audit requirements, dealing with individuals, showing followed all the rules…
– Evidence Matters!
Other, General Provisions on Data Protection in Chinese Law
Communications Privacy in China
 December 28 2012
– Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection
 Forbidden: Collection of digital personal data by “network service providers and other en
