Covington: China Cybersecurity and Data Protection – Major Legislative and Enforcement Developments (June 2019)
June 25, 2019
The past month has witnessed a flurry of activity from Chinese regulators that has resulted not only in the publication of multiple standards and draft regulations in the areas of cybersecurity and data protection, but also in two related enforcement initiatives with the potential to tangibly impact companies in China. Below we provide a brief summary of each of these important developments.
Legislative Developments
Measures related to the Cross-border Transfer of Personal Information. On June 13, 2019, the Cyberspace Administration of China (“CAC”) issued the draft Measures on Security Assessment of the Cross-border Transfer of Personal Information, intending to create a cross-border data transfer mechanism to govern all transfers of personal information by network operators (e.g., companies). (See our blog post here.) These draft measures introduce a broad jurisdictional scope for regulating cross-border transfers of personal information, and require all network operators to undergo a security assessment before transferring any personal information collected in China to recipients outside of China. Furthermore, network operators must implement contracts with personal information recipients outside of China, requiring them to fulfill certain data protection obligations and including a third-party beneficiary clause that would provide individuals with a legal means to enforce their rights and seek compensation for abuses of personal information, among other requirements.
Protection of Children’s Personal Information Online. On May 31, 2019, the CAC released the draft Regulation on the Protection of Children’s Personal Information Online, which sets out heightened requirements for network operators when collecting, storing, using, transferring or disclosing the personal information of minors, defined as under 14 years old. (See our blog post here.) Notable requirements include: providing notice to and obtaining consent from guardians acting on behalf of minors; appointing an internal person responsible for overseeing the protection of children’s personal information; implementing internal access controls; conducting data security assessments for certain data-sharing activities; implementing measures to facilitate the exercise of individuals’ rights; and implementing an incident response plan. CAC may enforce these provisions in a variety of ways, including fines of up to RMB 1 million (~$145,000), closing down a website, revoking a business license, or even criminal prosecution.
Data Security Management. On May 28, 2019, the CAC released the draft Measures for Data Security Management, which incorporate some previously issued requirements for personal information protection while also introducing several new rules for the protection of “important data.” (See our blog post here.) Requirements to protect personal information address issues such as notice and consent, data subjects’ rights, targeted advertising, data sharing, data retention, and incident response. Requirements to protect “important data” (i.e., “data that, if leaked, may directly affect China’s national security, economic security, social stability, or public health and security”) include, for example, notifying the local CAC if a business collects important data or sensitive personal data for “operational purposes,” and conducting a security assessment for cross-border transfers. The draft measures provide the CAC with a variety of means by which to enforce these provisions and punish violations – not only through fines and penalties, but also with the possibility of criminal prosecution.
Cybersecurity Review when Procuring Network Products and Services by CII. On May 24, 2019, the CAC released the draft Measures on Cybersecurity Review, which have the objective of safeguarding the procurement of network products and services by Critical Information Infrastructure (“CII”) operators that may impact the national security of China. (See our blog post here.) The cybersecurity review process laid out in these measures includes a self-assessment of risks associated with the procurement of network products and services. If the self-assessment flags specific risks, then the CII operator must undergo a review by an inter-agency body comprised of members from eleven different government agencies. In some ways similar to the CFIUS review process in the United States, members of the CAC review body will assess the national security risks associated with the procurement, considering factors such as: supply chain transparency and security; influence on technologies and industries relating to national defense, the military and CII; and whether the provider receives funds from or is controlled by a foreign government.
MLPS 2.0 Standards. On May 13, 2019, China’s State Administration for Market Regulation released three standards related to the country’s Cybersecurity Multi-level Protection Scheme (“MLPS”), describing technical and organizational controls that companies must implement to comply with MLPS-related obligations. (See our blog post here.) These standards (commonly referred to as “MLPS 2.0”) include provisions to: (i) significantly expand the applicability of the MLPS by broadening the definition of “information systems”; (ii) establish common controls for all types of systems; and (iii) establish extended controls for certain types of systems. The MLPS 2.0 standards introduce different technical and organizational controls for companies at different security classification levels and provide important technical guidance for companies that are making efforts to comply. Certain extended controls – such as localized infrastructure, storage, and maintenance for cloud computing systems – could, if they become mandatory, potentially raise significant compliance issues for global cloud service providers and their customers.
Enforcement Initiatives
MLPS Systems Audit. In early June, we understand from some of our multinational clients that the Public Security Bureaus (“PSBs”) of both Beijing and Shanghai are requiring companies to submit information regarding “important systems” which must be certified under MLPS. This self-reporting can take the form of submitting spreadsheets to PSBs, identifying systems potentially in scope, and providing proof of MLPS certification. We further understand that after the completion of the PSB’s collection of information from company systems, the next step in the process is for the PSB to conduct on-site inspection of company systems. Apparently, these inspections will be done at random, although it is believed that the PSB will focus on systems classified as Level 3 or higher. The on-site inspection may also involve the use of scanning tools to examine company systems, although it is unclear at this time exactly what tools the PSB may use.
Mobile Application Privacy Check. We have also received reports from multinational clients that regulators at both the central and the local levels (including but not limited to local PSBs) are currently carrying out a campaign to audit the collection and use of personal information via mobile applications. Specifically, some clients have received an audit report from the PSB that identifies gaps in two main aspects of mobile application privacy compliance: the collection of user data through APIs or SDKs, and the privacy policy. Our clients were told that they must remediate these gaps within one month to avoid further regulatory action. Many of the requirements for compliance are quite prescriptive, as outlined in the CAC’s “Guidelines for Self-Assessment on Illegal Collection and Use of Personal Information” and the “Identification Methods for Illegal Collection and Use of Personal Information by Apps.” These rules focus particularly on the privacy notice (e.g., its presentation, readability and consistency) and on the means by which consent is obtained (i.e., whether an application obtains user data through an API or SDK without obtaining explicit permission from users).
If you have any questions concerning the material discussed in this client alert, please contact the following members of our Data Privacy and Cybersecurity practice:
Tim Stratford +86 10 5910 0508 tstratford@cov.com
Yan Luo +86 10 5910 0516 yluo@cov.com
This information is not intended as legal advice. Readers should seek specific legal advice before acting with regard to the subjects mentioned herein. Covington & Burling LLP, an international law firm, provides corporate, litigation and regulatory expertise to enable clients to achieve their goals. This communication is intended to bring relevant developments to our clients and other interested colleagues.