Latest updates on data protection in China (November update)
Updates on the measures on security assessment, the "Dual List" of personal information protection and regulation on pending issues under PIPL and DSL.
Draft Measures on Security Assessment
China’s Personal Information Protection Law (PIPL) took effect on 1 November 2021. The new law has significantly changed the landscape of data protection in China. On 29 October, the Cyberspace Administration of China (CAC) released the Draft Measures for Security Assessment of Cross-border Data Transfer (Draft Measures) for public comments until 28 November.
The Draft Measures set out the scope, procedure, required documents, focus and validity period of the security assessment for transferring personal information and “important data” out of mainland China. They also specify the content to be included in a data transfer agreement.
Individuals and organisations may submit feedback via the official website of the Ministry of Justice (available in Chinese only) or email shujuju@cac.gov.cn.
The “Dual List” of Personal Information Protection
The Ministry of Industry and Information Technology of China (MIIT) initiated a campaign to improve the service quality of the information and communication sector on 1 November. MIIT requires relevant organisations to set up a list of “personal information collected” (Collection List) and a list of “personal information shared with third parties” (Share List) by the end of December 2021, and to display the two lists under the secondary menu of the relevant mobile application (APP).
The two lists should be concise and clear. The Collection List should show what types of personal information have been collected by the APP and any embedded third-party SDK, the purpose of collection and the usage scenarios. The Share List should include the types of personal information to be shared, the purpose of sharing, usage scenarios and sharing methods underneath the relevant APP.
Draft Regulation on Pending Issues under the PIPL and the DSL
CAC published the Draft Regulation on Security Administration of Network Data (Draft Regulation) on 14 November for public comments until 13 December. This Draft Regulation provides specific requirements in relation to some pending issues under the PIPL and the Data Security Law (DSL), including but not limited to:
- Scope of “important data”
- Definition of “separate consent”
- Threshold and timeline of data breach notification
- Retention periods of certain data (eg consent records)
- Derogation of cross-border transfer requirement
- Scope of “large Internet platform”
Some requirements under this Draft Regulation may impose a significant compliance burden on data processors (eg a strict timeline for data breach notification and for deleting data when the retention period expires) beyond the current requirements under the PIPL and DSL. It is likely that adjustments will be made in the final version. Individuals and organisations may email feedback to shujuju@cac.gov.cn.
For any assistance with data protection laws in China or any other queries regarding how China’s data protection regime may impact you, please contact Jingyuan Shi.









