The Cybersecurity Law, which came into force on 1 June 2017, marks the initial establishment in China of a legal framework for cybersecurity and personal information protection. Since then, China has issued a series of regulations (or drafts for comment) detailing the contents of the Cybersecurity Law, and the relevant competent authorities have launched APP special governance actions and other law enforcement actions. So, what are the characteristics and trends of legislation and law enforcement in the fields of personal information protection and cybersecurity in 2020?
Q: What important new legislation is likely to occur in the fields of personal information protection and cybersecurity in 2020?
A: First of all, the enactment of the Data Security Law and the Personal Information Protection Law has been included in the legislation plan of the Standing Committee of the 13th National People’s Congress. It is hoped that the drafts will be published in 2020 for public comment. These two laws, along with the Cybersecurity Law, will become the basis for comprehensively regulating the protection of data security and personal information in China, which is of great significance.
Second, for a number of regulations drafted in accordance with the Cybersecurity Law and published for public comment before 2020, the legislature is likely to issue the final effective versions in 2020, which may include:
- Data security management measures, regulating the use of networks to carry out data collection, storage, transfer and processing activities, and data security protection;
- Measures for the security assessment of cross-border transfer of personal information, regulating the cross-border transfer and security assessment of personal information;
- Regulations on security protection of critical information infrastructure, regulating the definition, scope and security protection measures of “critical information infrastructure”;
- Regulations on cybersecurity grade protection, regulating the applicable scope of grade protection, classification of network grade, and review of grading;
- The competent authorities of various industries may also formulate and issue regulations or drafts for comments on cybersecurity, data security protection and personal information protection applicable to their industries in accordance with the Cybersecurity Law.
Third, the national standard Information Security Technology – Personal Information Security Specification is in the process of revision, and its formal revision is likely to be issued in 2020. Before the promulgation of the Personal Information Protection Law, the national standard will still be an important reference document to guide the compliance work of personal information protection by enterprises. Other national standards on cybersecurity, data security protection and personal information protection, or the drafts for comment, are also likely to be introduced in 2020.
Q: What will be the noteworthy tendencies and trends in the law enforcement of personal information protection and cybersecurity in 2020?
A: One of the law enforcement priorities of relevant authorities in 2019 was the special governance action against the illegal collection and use of personal information by APPs. We believe that in 2020 it is still possible for relevant competent authorities to continue the law enforcement action in this field, and the governance of such behaviours will likely be subject to regular supervision.
The APP special governance action has also profoundly affected other departments in addition to the “four ministries” initiating the APP governance action, urging them to strengthen supervision and law enforcement in terms of personal information protection and cybersecurity. For example, the China Securities Regulatory Commission’s (CSRC) investigation items on relevant listed enterprises and enterprises to be listed have included such issues as “the rectification situation and rectification effect of problems pointed out in the notice of the APP special governance working group”, “whether it is approved by the competent authority, and whether it faces the risk of being punished”, and so on.
In 2020, the competent authorities of various industries are likely to further deepen the supervision and law enforcement in cybersecurity and personal information protection in their industries.
Under the special campaign of “Purifying Network 2019”, the Ministry of Public Security severely cracked down on cybercrimes such as infringing on the personal information of citizens. A number of technology companies using crawler technology to provide big data risk control services for “routine loans” were also deeply involved. We believe that in 2020, the public security authorities will remain focused on cracking down on all kinds of crimes that infringe on citizens’ personal information, including some new forms of crimes.
Q: In 2020, what are your suggestions for the personal information protection and cybersecurity compliance of enterprises?
A: Although the legal framework of China’s cybersecurity and personal information protection has been initially established, some laws, regulations and national standards have not yet been implemented. In this case, enterprises need to balance “the changed” and “the unchanged” in their compliance work.
For compliance requirements embodied in laws, regulations and national standards that are still in the process of formulation, enterprises need to analyse each requirement on a case-by-case basis: for new requirements that fully reflect the international legislative trend and the voice of the industry, and that will probably become effective compliance requirements in the future, enterprises can start the relevant compliance preparations.
However, some new requirements are controversial and enterprises will incur higher costs to meet them (e.g., to realize full localization of data) and there is great uncertainty as to whether they can become effective compliance requirements in the future. For such requirements, enterprises should not take overly radical compliance measures to try to check all the boxes in one go.
In addition, the author suggests that enterprises regard data compliance as an organic whole, take appropriate project management measures and work processes, carry out compliance work in a planned and step-by-step manner, and avoid inefficient and disorderly practices.
Samuel Yang is a partner at AnJie Law Firm.
AnJie Law Firm
19/F Tower D1, Liangmaqiao Diplomatic Office Building
19 Dongfang East Road, Chaoyang District
Beijing 100600, China
Tel: +86 10 8567 5988
Fax: +86 10 8567 5999