China Solicits Opinions for the Regulations on Cyber Data Security

On November 14, 2021, Cyberspace Administration of China (“CAOC”) issued “Regulations on Cyber Data Security (Draft)” (“Regulations”) for soliciting public opinions. The Regulations actually provide more refined and specific implementation measures for the systems established by “Network Security Law”, “Data Security Law” and “Personal Information Protection Law”.

The highlights of the Regulations are as follow:

1. Establish a data classification and hierarchical protection system. According to the importance of the data, the data is divided into general data, important data, and core data. Different levels of data adopt different protection measures. The state provides key protections for personal information and important data, and strictly protects core data.

2. Cyber security review. When data processors carry out the following activities, they should apply for cybersecurity review in accordance with national regulations: (1) Internet platform operators that gather a large number of data resources related to national security, economic development, and public interest implement mergers, reorganizations, and divisions that affect or may affect national security; (2) Data processors that process personal information of more than one million people go for IPO in foreign capital markets; (3) Data processors go to Hong Kong for listing, which affects or may affect national security, etc. Operators of large-scale Internet platforms that set up headquarters or operation centers or R&D centers overseas shall report to the CAOC and competent authorities.

3. Data processors that use biological characteristics for personal identity authentication shall conduct risk assessments on necessity and safety, and shall not use biological characteristics such as face, gait, fingerprints, iris, and voiceprints as the only personal identity authentication method to force individuals to agree to collect their personal biometric information.

4. Establishing a data security emergency response mechanism. The Regulations clearly request data processors to notify interested parties of security incidents and risk conditions, harmful consequences, and remedial measures taken within 3 working days by telephone, text messages, instant messaging tools, and e-mail. Only when it is impossible to notify, can the notification be notified by way of announcement. In the event of a security incident such as leakage, destruction, or loss of important data or personal information of more than 100,000 people, the data processor must also report the basic information of the incident to the relevant department within 8 hours of the incident; and within 5 working days after the incident is handled. Report the investigation and evaluation report related to the incident to the relevant department. This requirement will encourage data processors to be more active when a security incident is discovered or occurs.