(The article only represents the author's personal opinion)
In 2021, the Chinese legislature enacted two important laws, the Data Security Law and the Personal Information Protection Law. With these two laws and the Network Security Law as the core, China's network legal system has been preliminarily established. The three laws have different emphases and overlapping content. This article gives an overview of these laws and the relevant regulation, as well as their impact on foreign companies that, to a greater or lesser extent, process personal or non-personal data in their business operations.
I. The Network Security Law
The Network Security Law, which came into force on June 1, 2017, contains seven chapters and 79 articles. It is the basic law for China's cyberspace security management, and includes rules on the network information content management system, the cyber-security classified protection system, the critical information infrastructure security protection system, the personal information and important data protection system, the network product and service management system, the network security incident management system, etc. Taking network operators as its main regulated subject, the Network Security Law puts forward a number of institutional management requirements for "network operation security" and "network information security", and stipulates the rights, obligations and responsibilities of network operators, as well as the monitoring, early warning and emergency disposal mechanisms established by the State to maintain network security. For network operation security, the Network Security Law stipulates the responsibilities and obligations of network operators and critical information infrastructure operators concerning internal systems, technical measures, procurement objects, data storage and cross-border transmission. In addition to the general network operation security provisions, the Network Security Law absorbs the provisions on the protection of personal information previously scattered across different normative documents, and in Chapter IV focuses on the obligations of network operators in protecting the security of personal information and on the important rights of personal information subjects. In Chapter VI, it sets out the legal liability for infringement of personal information rights.
As for network information security, the Network Security Law sets out outline requirements for the management of network information content, and stipulates that network operators should strengthen the management of information published by users and fulfil their disposal and reporting obligations after discovering illegal information.
II. The Data Security Law
The Data Security Law, which came into force on September 1, 2021, is the basic law in the data field. It is at the same legal level as the Network Security Law, and together they complement the security governance system under the framework of the National Security Law. The Data Security Law contains seven chapters and 55 articles, regulating data processing activities from the aspects of data security and development, the data security system, data security protection obligations, government data security and openness, legal liability, etc. Compared with the Network Security Law, which focuses on regulating "network data", the Data Security Law defines "data" as "any record of information in electronic or non-electronic form", so the scope of protection is greatly expanded. In addition, the scope of application of the Network Security Law is the construction, operation, maintenance and use of networks in China, while the Data Security Law stipulates that "organizations and individuals outside the People's Republic of China who carry out data activities and damage the national security, public interests or the legitimate rights and interests of citizens and organizations of the People's Republic of China shall be investigated for legal responsibility according to law". To some extent, it therefore has extraterritorial effect. What the two laws have in common is that they both require classified management of data, and both regulate critical information infrastructure and important data. The Network Security Law requires that personal information and important data collected and generated by critical information infrastructure operators in China be stored locally. If cross-border transmission is needed, critical information infrastructure operators must conduct a security assessment.
The Data Security Law further requires the relevant departments to formulate important data catalogues, requires regular risk assessment of important data, and regulates the cross-border transmission of important data collected and generated in China by non-critical information infrastructure operators.
III. The Personal Information Protection Law
The Personal Information Protection Law came into force on November 1, 2021. It contains eight chapters and 74 articles, and constructs a system covering the whole process of personal information collection, use and protection, which has an important impact on the protection of personal information subjects' rights and on the construction of compliant internal systems. In terms of the scope of application, the Personal Information Protection Law also has extraterritorial effect, that is, "this Law shall also apply to activities outside China if they deal with the personal information of natural persons in China", including: (1) activities for the purpose of providing products or services to natural persons in China; (2) analyzing and evaluating the behavior of natural persons in China; (3) other circumstances stipulated by laws and administrative regulations. The Personal Information Protection Law establishes the principles that must be followed when processing personal information, namely the principle of legality, necessity and good faith, the principle of purpose restriction, the principle of minimization, the principle of openness and transparency, and the principle of integrity and accuracy. As for the rights enjoyed by the personal information subject, the Personal Information Protection Law clearly stipulates that the personal information subject has the right to know, the right to make decisions, the right to restrict or refuse processing by others, the right to consult and copy, the right to data portability, the right to correct and supplement, the right to delete and the right to explanation. It also requires personal information processors to establish a convenient mechanism for receiving and handling requests from personal information subjects exercising their rights.
For the cross-border transmission of personal information, the Personal Information Protection Law sets out a clear compliance path: one of the following conditions must be met: passing the security assessment organized by the National Network and Information Department, obtaining personal information protection certification from a professional institution, or signing the standard contract formulated by the National Network and Information Department with the overseas recipient. If the personal information processor is an operator of critical information infrastructure, the personal information collected and generated in China shall be stored locally, and if cross-border transmission is genuinely needed, it shall pass the security assessment organized by the National Network and Information Department. The Personal Information Protection Law stipulates a penalty of "less than 50 million yuan or less than 5% of the turnover of the previous year" for serious illegal processing of personal information, imposes a fine of more than 100,000 yuan but less than 1 million yuan on the directly responsible executives and other directly responsible personnel, and allows a decision to prohibit them from serving as directors, supervisors, senior managers or persons in charge of personal information protection of relevant enterprises for a certain period of time, reflecting the legislators' determination to build a healthy personal information processing environment.
IV. The Regulation on the Security Protection of Critical Information Infrastructure
The Regulation on the Security Protection of Critical Information Infrastructure is a supporting regulation of the Network Security Law, specifically aimed at the security protection of critical information infrastructure, and came into force on September 1, 2021. The regulation has six main contents: (1) making it clear that important network facilities and information systems in key industries and fields are critical information infrastructure. The State implements key protection for critical information infrastructure and takes measures to monitor, defend against and deal with network security risks and threats from home and abroad, so as to protect critical information infrastructure from attack, intrusion, interference and destruction; (2) stipulating that, under the overall coordination of the National Network and Information Department, the Public Security Department of the State Council is responsible for guiding and supervising the security protection of critical information infrastructure; (3) specifying the organizational mode and procedure for identifying critical information infrastructure, with the State summarizing and dynamically adjusting the identification results according to the industry identification rules, to ensure that important network facilities and information systems are included in the scope of protection; (4) stipulating that operators of critical information infrastructure implement network security responsibilities, establish and improve the network security protection system, set up a special security management organization, carry out security monitoring and risk assessment, report network security incidents or network security threats, and standardize the procurement of network products and services; (5) stipulating the formulation of industrial security protection plans, the establishment of an information sharing mechanism, the establishment and improvement of a monitoring and early warning system, the clarification of emergency disposal requirements for network security incidents, the organization of security inspection and detection, and the provision of technical support and assistance; (6) specifying measures such as penalties, punishment and prosecution for criminal liability against critical information infrastructure operators who fail to perform their security protection responsibilities, and against the relevant competent departments and staff who fail to perform their duties in accordance with the law.
V. Impact on Foreign Companies
For foreign enterprises with Chinese business, business operations will to a greater or lesser extent involve the processing of personal information of natural persons in China or of business-related non-personal information. The following are the most common scenarios in which foreign enterprises are regulated by Chinese law.
1. Involving the processing of personal information of natural persons in China.
In this scenario, regardless of whether a Chinese subsidiary established by a foreign company collects the personal information of a natural person in China or the foreign company directly collects the personal information of such a natural person from outside China, the activity is regulated by the Personal Information Protection Law. The foreign company must therefore fulfil the obligations the Personal Information Protection Law places on personal information processors, including notifying the processing rules, ensuring data security, carrying out regular audits, carrying out personal information protection impact assessments, establishing a convenient mechanism for receiving and handling requests from personal information subjects exercising their rights, and taking remedial measures in the event of actual or potential security incidents. If a foreign company collects the personal information of a natural person from outside China, it shall also set up a special agency or designate a representative in China to handle matters related to personal information protection, and report the name and contact information of that agency or representative to the government department responsible for personal information protection. If personal information of natural persons collected in China by a Chinese subsidiary of a foreign company needs to be transferred overseas, one of the following conditions shall be met: passing the security assessment organized by the National Network and Information Department, obtaining personal information protection certification from a professional institution, or signing the standard contract formulated by the National Network and Information Department with the overseas recipient.
2. Foreign companies are identified as critical information infrastructure operators.
If a foreign company is identified as a critical information infrastructure operator, it shall store locally the personal information and important data collected and generated during its operations in China. If the data needs to be provided outside China, the foreign company shall carry out a security assessment in accordance with the measures formulated by the National Network and Information Department in conjunction with the relevant departments of the State Council. In addition, critical information infrastructure operators are required, in their daily business operations, to implement network security responsibilities, establish and improve the network security protection system, set up a special security management organization, carry out security monitoring and risk assessment, report network security incidents or network security threats, and standardize the procurement of network products and services.
3. Not identified as a critical information infrastructure operator, but the information processed involves important data.
If the information processed by a foreign company involves important data, it shall fulfil the obligations the Data Security Law places on important data processors, including establishing and improving the data security management system, organizing data security education and training, taking corresponding technical and other necessary measures, designating the person in charge of data security and the management organization, conducting regular risk assessments, and submitting risk assessment reports to the relevant competent departments. If cross-border transmission of important data collected and generated during operations in China is involved, it shall be conducted in accordance with the rules formulated by the National Network and Information Department in conjunction with the relevant departments of the State Council.