On February 13, 2020, the People’s Bank of China issued the Personal Financial Information Protection Technical Specification, an industry standard that sets out security protection requirements for each stage of the personal financial information life cycle, including collection, transmission, storage, use, deletion, and destruction. The standard applies to financial industry institutions when they provide financial products and services, and also guides security assessment agencies in conducting security inspections and assessments. Based on the potential impact of unauthorized viewing or unauthorized alteration of the information, the standard classifies personal financial information into three categories, C3, C2, and C1, from highest to lowest sensitivity, with different protection requirements applying to each category.
On March 12, 2021, the CAC, MIIT, Ministry of Public Security together with the SAMR promulgated the Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications, which became effective on May 1, 2021. The provisions clarify the scope of necessary information required for certain common types of mobile apps and stipulate that mobile app operators shall not deny users’ access to basic functions and services of the app in the event that the users disagree with collection of unnecessary personal information.
On June 10, 2021, the NPC Standing Committee promulgated the Data Security Law of the PRC, which came into effect on September 1, 2021. The Data Security Law introduces a data classification and hierarchical protection system based on the materiality of data in economic and social development, as well as the degree of harm to national security, public interests, or legitimate rights and interests of persons or entities if such data is tampered with, destroyed, divulged, or illegally acquired or used. It also provides for a security review procedure for the data activities that may affect national security. Violation of the Data Security Law may subject the relevant entities or individuals to warnings, fines, suspension of operations, revocation of permits or business licenses, or even criminal liabilities.
On August 20, 2021, the NPC Standing Committee promulgated the Personal Information Protection Law of the PRC, which became effective on November 1, 2021. The Personal Information Protection Law defines several key concepts relating to personal information processing, including that: (i) “personal information” refers to all kinds of information relating to identified or identifiable natural persons recorded electronically or by other means, excluding information that has been anonymized; (ii) “processing of personal information” includes the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information, among other activities; and (iii) a “personal information processor” is an organization or individual that independently determines the purpose and method of processing personal information. Except as otherwise provided in the Personal Information Protection Law, a personal information processor may process personal information only where the consent of the relevant individuals has been obtained, or where the processing is necessary for the performance of a contract, for human resources management under an employment relationship, for responding to a public emergency, for the performance of statutory duties or obligations, or for news reporting in the public interest.
On April 13, 2020, the Measures on Cybersecurity Review were issued, which took effect on June 1, 2020. They provide detailed rules for cybersecurity review, and further provide that any operator found in violation of the Measures shall be penalized in accordance with Article 65 of the Cybersecurity Law. The Measures for Cybersecurity Review (2021 Revision), which came into effect on February 15, 2022, provide that, in order to ensure the security of the supply chain of critical information infrastructure and safeguard national security, a cybersecurity review is required where a critical information infrastructure operator purchases network products or services, or a network platform operator carries out data processing activities, that affect or may affect national security. In addition, an operator holding the personal information of more than one million users must apply to the CAC for a cybersecurity review before listing abroad.
On October 29, 2021, the CAC published the Draft Outbound Data Transfer Security Assessment Measures, which outline a proposed security assessment process for outbound data transfers. Under the October 2021 draft, a data processor that provides abroad important data collected or generated through operations within the territory of the PRC, or personal information for which a security assessment is required by law, must conduct a security assessment in accordance with the draft Measures. The draft further requires a data processor to apply to the Cyberspace Administration for an outbound data transfer security assessment in any of the following circumstances: (i) the data to be transferred abroad is personal information or important data collected or generated by a critical information infrastructure operator; (ii) the data to be transferred abroad contains important data; (iii) the data processor is a personal information processor that processes the personal information of over one million users and transfers personal information abroad; (iv) the data processor has cumulatively transferred abroad the personal information of more than 100,000 users or the sensitive personal information of more than 10,000 users; or (v) other circumstances in which the CAC determines an assessment to be necessary. The draft also sets out the procedures for applying for and conducting the security assessment, the key factors to be considered in the assessment, and the legal liabilities of a data processor that fails to apply for an assessment where one is required.