CHINA (PRC FIRMS): An Introduction to Data Protection & Privacy
China: Data Protection & Privacy (PRC Firms)
Practice Area Overview in Chambers GCR 2022
Increasingly over the last five years, the legal framework of the People’s Republic of China (“PRC”) for data and privacy protection has been a focus of PRC legislators and regulators. While the first national-level unified law in this area, the Cybersecurity Law of the PRC (“Cybersecurity Law”), was enacted in 2016 and followed by a flurry of draft regulations, it was not until very recently that the legal framework began taking on substantial shape and force.
This past year saw the enactment of the Personal Information Protection Law of the PRC (“PI Protection Law”) and the Data Security Law of the PRC (“Data Law”), the issuance and revision of several general and sector-specific regulations, and multiple high-profile investigations and enforcement actions, including one against the giant domestic ride-hailing and bike-sharing service provider Didi Chuxing. Notwithstanding the relatively rapid development of late, no few lacunae remain in the legal framework for data and privacy protection. In short, any business operating in Mainland China and handling any data, and possibly some offshore businesses handling data of PRC persons, faces data and privacy protection obligations that are numerous (albeit in part rudimentary) and growing in number and complexity – though in theory benefiting from a degree of clarity and predictability.
Key Legislator Activity
The legislative milestones of 2021, the PI Protection Law and Data Law, address many concerns that have recently come to be key in China, including automated decision-making and cross-border transfers, and may bring some innovations (although still subject to how certain clauses may be implemented, interpreted and applied), e.g., the extraterritoriality provisions and the standard for informing and obtaining consent from subjects of personal information (“PI”) processing. In general, the laws apparently impose a myriad of concrete responsibilities on parties processing data, and heightened requirements for some categories of parties or circumstances, such as those that process “important data” or PI (even more so those that process large volumes of PI or operate important online platforms).
Still, no few of the laws’ provisions, especially those of the Data Law, remain at a relatively high and generic level. For example, what comprises “important data” is largely left to be set out by particular industry regulators – though that has essentially been so since the Cybersecurity Law took effect, in 2017 – yet only one (publicly issued) regulatory document even purports to do so, for the vehicle industry. While no further new laws are clearly on the horizon as of the end of 2021, so-called “implementing” and other regulations are and will likely continue to be released; notable releases at the end of 2021 include the draft Measures concerning the Security Assessment for Cross-Border Data Transfers and the draft Administrative Regulations on Network Data Security. Based on practice to date, new regulations may be released in several draft forms before (if ever) being officially issued, but the drafts may be used by regulators as reference points in their enforcement work.
Key Regulator Activity
Significantly, it was not any of the above laws that was referred to in 2021’s prominent investigation into Didi (China’s Uber) for violations of the cybersecurity framework, but rather the Measures for Cybersecurity Review (“Cybersecurity Review Measures”) officially released by the Cybersecurity Administration of China (“CAC”) and 11 other government departments on 13 April 2020. The Cybersecurity Review Measures set out the details of the “cybersecurity review” process that the Cybersecurity Law introduced for the procurement of network products and services that may impact China’s national security; most interestingly, how those Measures applied to Didi’s case was unclear.
In the event, a draft revision to the Cybersecurity Review Measures was released on 10 July 2021 – one week after the investigation of Didi commenced. The revisions would no longer limit the scope of cybersecurity review procedures to only so-called “critical information operators”, but rather extend it to the wider concept of all “data processors”. Likewise, they would expand regulated activities to include “data processing activities” that affect or may affect national security, rather than only the procurement of network products and services. The draft revisions would also impose entirely new restrictions and requirements, e.g., any data processor with personal information of more than one million users that intends to list “outside of the country” would need to undergo a cybersecurity review (regardless of whether its data processing activities affect or may affect national security).
As of early December 2021, the investigation of Didi had not concluded. In other words, for at least six months, the most popular taxi-hailing and bike-renting app could not be downloaded and the operations of the service provider were weighed down by the regulatory investigation and inevitable operational and corporate adjustments (possibly including a reversal of the recent New York Stock Exchange listing and a re-listing on the Hong Kong Stock Exchange). That may reflect a welcome prudence on the part of regulators – not rushing to conclude an investigation if it would be only to penalise Didi – but in any case it demonstrates the seriousness and severity of their attitude. In fact, since the launch of the Didi investigation, dozens of other (mostly high-profile and almost entirely Chinese) companies have been investigated.
As in many other jurisdictions (including in the United States and Europe), data protection and privacy constitutes one of the most active and growing areas of law in China – and with special characteristics and implications that lawyers, businesspeople, and other parties would do well to be attuned to. In this jurisdiction, which has not only had the most rapid and far-reaching commercial growth generally, perhaps of all time, but is also now taking world-leading positions in e-commerce, fintech, and other socio-digital industries, data protection and privacy are naturally prime concerns. While there is vast potential to operating in such industries, not to mention serving the compliance needs of such operators, PRC regulators are likewise taking many steps, in many directions – one might even say “experimenting” – to achieve a balance among the various interests of businesses, consumers, and the PRC government itself. As such, in China, the economics of the equation may need less focus or work than the “legal logistics”: businesses may benefit, at this time and in the area of data protection and privacy, from a steady supply of legal and compliance counsel that is sensitive to the shifting grey areas of law (and enforcement) yet concrete and actionable.