EBU6007 Cybersecurity Law
Chinese Data Privacy Law: An Introduction
LL.B., LL.M.
Technology, Media & Telecommunications Law Institute
Centre for Commercial Law Studies Queen Mary, University of London
Personal Information Protection Law 2021
Introduction
China: traditionally a sectoral approach to information privacy
2009 Tort Law developments
Significant developments in data privacy, especially from 2012
– Ecommerce as a driver
2021: Introduction of new Personal Information Protection Law (PIPL)
Context & Other Laws
Root of information privacy in China:
Article 40 of the PRC Constitution
– “The freedom and privacy of correspondence of citizens of the People’s Republic of China are protected by law. No organization or individual may, on any ground, infringe upon the freedom and privacy of citizens’ correspondence except in cases where, to meet the needs of state security or of investigation into criminal offences, public security or prosecutorial organs are permitted to censor correspondence in accordance with procedures prescribed by law.”
Prior to PIPL coming into force…
– General (National) Data Protection Law in China:
Decision on strengthening online information protection (2012)
National Standard of Information Security Technology Guideline for Personal Information Protection within Information Systems for Public and Commercial Services (2013)
Various other laws which affect Data protection in China, including:
– Criminal Law
– Measures for Security Protection Administration of the International Networking of Computer Information Networks
– Provisions of the Supreme People’s Court on Several Issues Concerning the Application of the Rules regarding Cases of the Infringement of Personal Rights over Information Networks (2014)
– Provisions on Telecommunication and Internet User Personal Information Protection (2013)
– Guidelines for the supervision of IT Outsourcing risks of Banking Financial Institutions (2014)
– PRC Consumer Rights Protection Law
Measures for the Administration of Online Transactions 2013
Updated by Consumer Protection Measures 2015
– Personal Information Security Specification 2020 (replaces 2018 version)
Connected to the Cybersecurity Law, which came into force on 1 June 2017
The Personal Information Protection Law 2021
Data protection under Chinese law
– Protection of Chinese Citizens
– Stimulation of (e)commerce
– Balance of important public interests
Privacy, cybersecurity, national security
PIPL 2021
– China’s first omnibus information privacy law
– Core rules
Does not replace all prior laws!
So what’s new?
– Over-arching approach
– Expansion of newer concepts such as sensitive personal information
– Extra-territorial reach
– Clarification of role of information handlers / processors & enhanced data security obligations
– Enhanced rules on consent and data subject’s rights
– Cross-border data transfer rules enhanced & clarified
Why does this matter to business?
– Operating within the law!
– Avoiding reputational damage
– Penalties:
A66: Correction, confiscation of “unlawful income”
– Failure to correct: fine for company of up to RMB 1 million
– Individuals directly responsible can be fined RMB10k-100k
– In “grave” circumstances – RMB 50 million / 5% annual turnover, suspension or termination of business licence
– In “grave” circumstances – individuals can be fined RMB100k- RMB1 million
– Penalties:
A67 – a ‘name and shame’ approach
A69 – where cannot prove lack of liability for infringements:
• requirements to compensate loss
• Based on loss to individual and/or unjust enrichment
A70 – potential prosecution for breach
Oversight Bodies (A60-65)
– At National & Regional Level
– State Cybersecurity & Information Department at top level
– Responsible for:
Guidance on law & compliance
Enforcement
Dealing with complaints from individuals
Creation of clear rules & standards for applying the PIPL
Support for R&D and adoption of privacy protection tech
Support for industry certification schemes
PIPL: into force 1 November 2021
Scope of the PIPL:
– Within PRC borders (A3)
– Outside PRC (A3) borders where:
Purpose is to provide products or service into China
Analysis / Assessment of Chinese citizens’ activities within PRC (e.g. market research, targeted advertising)
– “natural persons” (A3): living people
– (But special arrangements for sensitive handling of the deceased’s information – A49)
– Personal Information (A4)
“all kinds of information recorded by electronic or other means”
“related to identified or identifiable natural persons…”
– “identified or identifiable natural persons…”
Identifying from the information
Identifying from that information plus other information
– Exceptions?
“…not including information after anonymization handling.”
– De-identification (the information alone) (A73)
– Anonymisation (impossible to id and restore) (A73)
The profiling problem…
– If in doubt, treat as personal information
– Sensitive Personal Information (A28)
“…once leaked or illegally used, may easily cause harm to..”
– personal dignity / privacy
– Serious harm to personal or property security (e.g. use for fraud)
– Includes:
• Biometrics, religious belief, health records, finances, location tracking…
• Personal information of minors under 14 years of age
• Non-exhaustive list
– Additional safeguards; necessity required.
Who has responsibilities?
– Public & private sector application
– Personal Information Handlers
Organisations/ Individuals who “autonomously decide handling processes”
– Data Controllers
– Also responsible for activities of processors
Any business collecting & using personal information is affected by this law
Key principles affecting businesses:
– Collection of personal information must be:
Legal, necessary & honest
Only collect information necessary for intended use
Clarity (for data subject)
– Obligations to ensure:
Data integrity & security
Treatment and use in line with the law
Key issues:
– Consent (A13-18):
Required for collection and use of individual data
must be informed
Must be voluntary and explicit
Only applies to the specified purposes for which the information was collected (including entrusting information to sub-contractors)
May be withdrawn
If declined, service may only be refused if information is
Exceptions where provided by law, e.g. police investigation
Compliance
– By management and design, e.g. website design:
– Clear privacy policy with ‘tick box’ (opt-in) type requirement to progress
– E.g. recorded message (telephone sign-up)
“using clear and easily understood language.”
Key information must be provided, including:
– Name and details of information collector
– Purpose and duration of collection and use
– Information about exercise of data subject rights
Children’s consent (A31)
– For U14, Parent or Guardian must consent (Age verification, service limitations)
Compliance
– Consent (A13-18):
Requires careful management:
– Not to exceed clear purpose for which collected
– Time limitation – not to be kept longer than needed for that purpose
Consent can be withdrawn:
– Need to provide clear information on process
• E.g. account settings on website, dedicated email address, telephone
– Best practice: regular checks
• E.g. requirement to re-confirm consent every few months or after period of non-use of service / not logging in
The business model and ‘necessity’ (incl, onward data sale)
Key issues:
– Alternative to consent: necessity
Legal compliance
– E.g. tax laws, criminal investigations
Fulfilment of contracts
• Payment details, addresses (for distance selling)
Emergencies
– E.g. health emergency, employee collapse at work
Public interest
– Including “news reporting”
– Information already put in the public domain
Further Obligations for Personal Information Handlers:
– A22 Mergers, sale, company dissolution, bankruptcy et cetera:
Notification requirements re PI to be transferred
New holder bound by original conditions absent further
– A23 transfer of personal information to another
Only with full, informed & voluntary consent
Automated decision-making (A24)
– E.g. considering credit card applications
– Must be transparent and fair
– “unreasonable differential treatment of individuals in trading conditions” forbidden
E.g. offering different prices on ecommerce site based on profiling of individual
– Must be “convenient method to refuse” targeted advertising / offers
– Individuals have a right to challenge & refuse automated decision making
Additional rights for individuals (A44-46):
– Right of control over their information
Includes right to limit/refuse (ref: consent)
– Right of access and to be given a copy
Exceptions where provided by law
Must be provided “in a timely manner”
– Information portability
PI handler must facilitate transfer, e.g. to new service provider
– Right to ensure information held about them is accurate
Includes right to have inaccuracy corrected
Additional rights for individuals (A47):
– “Right to be forgotten”: information deletion
Where the purpose for which it was collected has been achieved, is impossible to achieve, or the information is no longer necessary
Service or product no longer available
Consent withdrawn
Legally required retention period ended
– If not ended but consent withdrawn, must cease use and only store & ensure secure (same rule if deletion is “technically hard to realise”)
Personal information handlers found to have breached the rules
Additional rights for individuals (A48-49):
– Right to request clear explanation of rules on handling of personal information (to ensure legal compliance)
Need for clarity: relevant to specific audiences, e.g. Children, visually impaired…
– Posthumous treatment of information
PIPL designed to protect living individuals
BUT (unless prior arrangements made by individual) rights
on death can be exercised by next of kin
– “for the sake of their own lawful, legitimate interests”
– E.g. dealing with assets, closing accounts
Obligations for Personal Information Handlers (A50):
– To establish mechanisms & processes to deal with individual requests re data rights
– Must provide explanation if refuse a request
Individuals entitled to file a lawsuit to challenge such refusal
Obligations for Personal Information Handlers (A51- 53):
– Data Security requirements
Clear information available on how information is stored, potential risks, and protections
– Includes requirements of use of technological protections, regular staff training, clear operational limits [codes of conduct], incident response plans ready in advance
– Dedicated protection staff (where company dealing with certain quotas set by State Cybersecurity & Informatisation Department)
– Contact details for protection staff to be provided (incl. specific individuals)
– International companies to whom PIPL applies must appoint rep. in PRC
Obligations for Personal Information Handlers (A54-56):
– Regular review and audits of PI handling & compliance, including security provisions (e.g. encryption up to date)
– In some circumstances must be impact assessment before information collected
Sensitive PI, automated decision making, using subcontractor, sending PI outside China, or otherwise “major impact” on data subject
Obligations for Personal Information Handlers (A57):
– Response to data leak
Immediate remedial measures (based on existing processes)
Notification requirements
– Government departments dealing with PI protection
– Must include:
• Information category, cause, potential harm
• Measures taken to mitigate harm
• Contact details
– No need to notify individuals if can be sure harm avoided by action taken
– If believe harm may have been caused, must notify affected individuals
Obligations for Personal Information Handlers (A58):
– Providers of “important internet platform services, that have a large number of users and whose business models are complex…”
E.g. social media; scale/quantity of personal information
Additional requirements
– Oversight bodies “composed mainly of outside members”
– Public social responsibility reports
Obligations for Personal Information Handlers:
Working with others
– Co-handlers
– Subcontractors
– Cross-border transfers
Working with other companies
– Obligations for Personal Information Handlers (A59):
Third-party subcontractors processing personal information: must ensure data security
– More than one PI handler working together (A20)
Clear agreement required on division of rights and responsibilities
Individuals can still demand action re rights from any one PI handler
– Subcontractors (A21):
Can only be done with data subject consent
Must be an agreement setting out key issues, including:
– Time limitations
– Handling method
– Types of personal information to be collected
– Protection measures
– Rights and duties of each side
Achievable by contractual agreement, binding corporate rules, etc.
Legal responsibility for oversight remains with the PI handler
– Cross-border operations: transferring data out of China for processing and use elsewhere (A38)
Data localization
– May only export data where “truly necessary”
Must fulfill one of following:
– Pass State Cybersecurity & Informatisation Dept security assessment
– Certification by a specialised body recognized by C&I Dept
– Standard contractual terms provided by C&I Dept
– Other conditions set out in law / regulation / by C&I Dept
OR: data export to a company in a country whose law China recognizes
NB: Exporter liable to ensure compliance
Compliance strategies:
– Training
– Oversight (legal advice)
– Contract: get everything in writing!
– Pay close attention to C&I Dept advice
Consent of the data subject is required (A39)
– All standard consent requirements apply (fully informed, et cetera)
– All details must be provided to permit full exercise of data subject rights
“Critical information infrastructure operators and PI handlers [who meet set data quotas]” must store information within PRC (A40)
– State C&I Dept to oversee
– Unless a standard arrangement in place with destination country, must be specific security assessment
National Security issues (A41)
– Personal information stored in PRC may only be provided to foreign judicial or LEAs where PRC authorities have granted permission
Blacklist Provision (A42)
– If foreign organisations or individuals violate PRC law on information protection or harm national security, State C&I Dept can add to list requiring their access to Chinese PI be limited or prohibited
Key practical advice for compliance:
If in doubt, treat it as personal information
– The profiling question (especially online)
Informed Consent is King
– Invest in ensuring consent properly acquired
Web design, training of telephone staff
Clearly explained privacy policies with appropriate attention
Recording for telephone (or a script)
– Consent trumps necessity!
Sensitive Personal Data
– Easier to avoid where possible
– Extra care, only process where strictly necessary
If children are target market or among it:
– Remember *all* U14’s data is sensitive
Parental consent requirements
age verification – citizenship number, credit card…
Need extra flagging – website design, telephone procedure.
Consent is an ongoing process, and can be withdrawn
– Need for regular dialogue with user (e.g. cookie warnings and regular reminders)
Facilitating user rights
– Key contact details available, specialist staff where appropriate
– Proper internal organization & processes
– Website design and access
– Procedure in place for posthumous dealing with data, deletion whenever appropriate
Data Security
– Comply with all guidance per regulatory authorities
– Ensure encryption, firewalls et cetera are kept up to date
– Procedures in place for handling a data leak should one arise
– Prevention better than cure!
Working with others
– Individual consent
– The liability rules and importance of trusted partners
Oversight responsibilities
Importance of clear (written) rules
– Transfer of personal information outside China
Ensure compliance with data localization rules
Necessity: not just convenience or cost-saving
Informed Consent
Clear contractual agreements
– May help with liability questions even where law recognized by PRC
Clear record keeping!
– Information sent to customers, security procedures, actions in event of breach, audit requirements, dealing with individuals, showing that all the rules were followed…
– Evidence Matters!
Other, General Provisions on Data Protection in Chinese Law
Communications Privacy in China
December 28 2012
– Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection
Forbidden: Collection of digital personal data by “network service providers and other en