*written with assistance from co-author and W&L law student, Isabella Gray.
On May 28, 2019, the Cyberspace Administration of China (“Cybersecurity Administration”) released a set of draft Measures for Data Security Management (the “Draft Measures”). The Draft Measures provide articles governing how network operators, defined as someone who owns and administrates a network or a network service provider, can collect, use, and store different types of data.
The articles contained in the Draft Measures were developed to expand China’s existing Cybersecurity Law and to safeguard national security and the public interest while also protecting the rights of Chinese citizens, legal persons, and other organizations in cyberspace. The Draft Measures apply to the collection, storage, transmission, process, and use of data as well as the protection, supervision, and administration of cybersecurity within the territory of China.
Required Consent for Data Collection or Use
- general information about the network operator;
- the name and contact information for the network operator’s main person responsible for data security;
- how data is collected and used;
- how data is stored;
- a summary of the rules the network operator must comply with when disclosing collected data to others;
- how the collected data is protected by the network operator;
- how users can withdraw consent to collection and can access or delete collected personal information;
- how users can file complaints; and
- any additional information required by other laws or regulations.
A network operator may only collect data after a user acknowledges the rules for collection and use and gives express consent to those actions. If a user is under the age of 14, consent from a parent or guardian is required prior to collecting data. Additionally, network operators cannot mislead users into consenting to data collection or discriminate against users who do not consent.
Means of Collecting Data
The Draft Measures further prescribe what network operators must do after collecting two types of data: important data and personal information. “Important data” is defined as the kind of data that, if divulged, may directly affect national security, economic security, social stability, or public health and security. “Personal information” is defined as data which could be used to identify a person specifically, such as their name, date of birth, or telephone number.
If a network operator is collecting important data or personal information, the network operator must file information about its collection and use of such data with the Cybersecurity Administration. The network operator must describe the purpose of its data collection, the scope and type of data collected, and how long it will retain the data.
Additionally, a network operator collecting important or personal data must specify the person responsible for data security. Such designated person must:
- create data protection plans and ensure proper implementation of such plans;
- conduct data security risk assessments and rectify potential risks;
- report data security incidents to the Cybersecurity Administration; and
- oversee the resolution of complaints and reports from users.
In addition to cooperating with data users, the Draft Measures require that network operators cooperate with website owners. If a network operator uses automatic means to collect website data, the means must not interfere with the normal operation of the websites. If a website owner requests that the network operator stop collecting data from its site, the network operator must stop.
Use and Storage of Data
Data collected by network operators can be used for a variety of purposes such as more effectively displaying advertisements. In some instances, network operators must tell users how that are using certain data. For example, when conducting targeted pushes of information, network operators must clearly identify that the information presented to a user is a “targeted push” and give the user the option to reject the targeted push information. Additionally, network operators must identify when they are synthesizing information.
Under the Draft Measures, network operators are permitted to publish, share, and sell data after assessing potential security risks. Approval from the Cyberspace Administration is required to publish, share, or sell data internationally. The uses for data prohibited by the Draft Measures include publishing market predictions, statistics, credit, or any other information that would endanger national security or damage the lawful rights and interests of any person.
A network operator generally needs consent from a user to share collected data with a third party. However, consent is not required for a network operator to share data where:
- the data was collected from legal public channels;
- the data was voluntarily disclosed by the user;
- the data was anonymized so that it could not be traced back to any specific user;
- sharing the data is necessary for compliance with law enforcement agencies in accordance with the law; or
- sharing the data is necessary for safeguarding national security, public interest, or the life of the user.
Under the Draft Measures, a network operator may only keep data for the retention period specified in its filing with the Cyberspace Administration. Should a user request that its data be deleted prior to the end of the retention period, the network operator must comply. Network operators must also take steps to urge users to be responsible with their network behavior and encourage self-regulation.
Finally, security is a large issue with data collection, use, and storage. To address this, the Draft Measures require that network operators categorize, back-up, and encrypt data to strengthen the protection of it. In the event of a security incident where data is divulged, a network operator must immediately take remedial measures to inform users about the incident and additionally report the incident to the Cyberspace Administration.
Penalty for Noncompliance
A network operator’s violation of any of the Draft Measures could result in disciplinary actions, such as confiscating income received as a result of the violation, suspending the network operator’s business operations, or revoking the network operator’s business permit. If the violation amounts to a crime, the network operator could be subject to applicable criminal punishments.
The Draft Measures will remain open for comment until June 28, 2019.