Translation: China's New Draft 'Data Security Management Measures'

Rules for personal information, 'important data,' and cybersecurity practices open for public comment
Blog Post
May 31, 2019

On May 28, the Cyberspace Administration of China released for comment a draft of a new regulatory document, the “Data Security Management Measures” (translated in full by DigiChina below). As drafted, the Measures add detail to several elements of the Cybersecurity Law (DigiChina translation) almost two years after it went into effect on June 1, 2017. It also overlaps with several regulatory documents in China’s emerging data governance regime, including the non-binding Personal Information Security Specification (DigiChina translation). Specifically, the Measures address comparatively established areas of policy around personal information protection, the definition of the Cybersecurity Law concept of “important data,” and cybersecurity practices for network operators, as well as emerging areas such as algorithmically targeted content or AI-generated material on social media platforms. The comment period ends June 28, and the Measures’ effective date is not yet set. –Ed.

[Chinese-language original]


Data Security Management Measures (Draft for Comment)

Published: May 28, 2019

Chapter I: General Principles

Article 1: In order to safeguard national security and society’s public interest, to protect the lawful rights and interests of citizens, legal persons, and other organizations in cyberspace, to ensure personal information and important data security, and in accordance with the Cybersecurity Law of the People’s Republic of China and other laws and regulations, these measures are formulated.

Article 2: These Measures apply to activities such as data collection, storage, transmission, processing, and use (hereinafter referred to as “Data Activities”), as well as the protection, supervision, and administration of data security, through networks within the People’s Republic of China, except in the course of purely household and personal matters.

Where laws and administrative regulations provide other requirements, such requirements apply.

Article 3: The State upholds the equal importance of safeguarding data security and development, encourages the research and development of data security protection techniques, actively promotes the development and use of data resources, and ensures the free flow of data in a lawful and orderly manner.

Article 4: The State adopts measures to monitor, defend against, and deal with data security risks and threats from inside and outside of the territory of the People’s Republic of China, protects data from leaks, theft, alteration, destruction, illegal use, etc., and punishes illegal and criminal activities endangering data security in accordance with the law.

Article 5: Under the leadership of the Central Commission for Cybersecurity and Informatization, national cybersecurity and informatization departments will coordinate, guide, and supervise personal information and important data security protection work.

The cybersecurity and informatization departments of the prefecture (city)-level and above instruct and supervise the data security work of personal information and important data within each jurisdiction and in accordance with their respective duties.

Article 6: Network operators shall, following relevant laws and administrative rules and referring to national cybersecurity standards: perform obligations of safeguarding data security; establish a mechanism for data security management responsibility, evaluation, and assessment; formulate data security plans; implement data security technical protections, develop data security risk assessments; make cybersecurity incident response plans; tackle security incidents promptly; and organize data security education and training.

Chapter II: Data Collection

Article 7: Network operators that collect and use personal information through products such as websites and applications shall separately formulate and make public rules for the collection and use of data. These collection and use rules can be included in the privacy policy of websites, applications, etc., or they can be provided to users in other forms.

Article 8: The collection and use rules shall be clear, specific, simple and easy to understand, and accessible. They shall highlight the following content:

  1. Basic information about the network operator;
  2. The name and contact information of the network operator’s main person responsible, and the person responsible for data security;
  3. The purpose, type, quantity, frequency, method, and scope of the collection and use of personal information;
  4. Where the personal information is stored, the duration for which it is stored, and the handling method after the storage period expires;
  5. The rules for providing personal information to other parties, if it is provided to others;
  6. Relevant information such as the strategy for personal information security protection;
  7. Channels and methods for the personal information subject to revoke consent, as well as to access, correct, and delete personal information;
  8. Channels and methods for complaints, reporting, etc.;
  9. Other content as stipulated by law and administrative regulation.

Article 9: If rules for collection and use are included in the privacy policy, they should be correspondingly assembled and clear, to facilitate reading. Network operators may collect personal information only after the user is informed of the rules for collection and use and explicitly agrees to them.

Article 10: Network operators shall strictly abide by the rules for collection and use, and the function for collecting and using personal information on the website or application should reflect the privacy policy and be updated accordingly.

Article 11: Network operators may not coerce or mislead personal information subjects into agreeing to the collection of their personal information by means of tacit consent, functionality bundling, etc., for reasons of improving service quality, improving user experience, targeting recommendation of information, or developing new products.

After the personal information subject agrees to the collection of their personal information, network operators shall provide them with core business functions and services and may not withhold core business functions or services if the personal information agent refuses to provide or revokes consent for the collection of additional information.

Article 12: Collecting personal information of a minor under the age of 14 requires obtaining the consent of the minor’s guardian.

Article 13: Network operators may not discriminate against personal information subjects on the basis of whether the personal information subject consented to personal information collection or the scope of consent to collect personal information, including by reducing service quality or charging a different price, etc.

Article 14: Network operators that obtain personal information from other sources have the same responsibilities and obligations as the operator that directly collected the personal information.

Article 15: If network operators collect important data or sensitive personal information for business purposes, they shall file the matter with the local cybersecurity and informatization department. The filing should include rules for collection and use, as well as the purpose, scale, method, scope, type, retention period, etc., of data collection and use, but it should not include the content of the data itself.

Article 16: Network operators that use automated methods to access and collect data from websites may not hinder the normal operation of the websites. If such behavior seriously impacts the operation of websites, for instance if traffic from automated access and collection exceeds one third of all web traffic, when websites request a halt to automated access and collection, it should halt.

Article 17: If a network operator collects important data or sensitive personal information for business purposes, it shall designate a person responsible for data security.

Persons responsible for data security must have relevant management work experience and data security expertise, participate in important decisions about data activities, and report directly to the network operator’s responsible person.

Article 18: The person responsible for data security performs the following duties:

  1. Organize the formulation of a data protection plan and supervise its implementation;
  2. Organize the conduct of a data security risk assessment and supervise the rectification of potential safety hazards;
  3. Report data security protection and incident handling developments to relevant departments and the cybersecurity and informatization departments as required;
  4. Receive and handle user complaints and reports.

Network operators should provide persons responsible for data security with the necessary resources to ensure that they can perform their duties independently.

Chapter III: Data Processing and Use

Article 19: Network operators should refer to relevant national standards and adopt measures such as data classification, backup, and encryption to strengthen the protection of personal information and important data.

Article 20: The network operator's storage of personal information should not exceed the retention period in the collection and use rules. After a user cancels their account, the network operator should promptly delete their personal information, unless the information cannot be associated with a specific individual and cannot be recovered after processing (hereinafter referred to as “anonymization processing”).

Article 21: When a network operator receives a request for personal information access, correction, deletion, or cancellation of an account, it shall grant access, correct, delete, or cancel the account within a reasonable time and within reasonable price range.

Article 22: Network operators may not use personal information in violation of the rules for collection and use. If it is necessary to expand the scope of use of personal information due to business operation requirements, they should obtain consent from the personal information subject.

Article 23: Network operators who use user data and algorithms to recommend news information, commercial advertisements, etc., (hereinafter referred to as “targeted recommendation”) should clearly indicate the words “targeted recommendation” in an obvious way and provide users with the function of stopping targeted recommendation information. When the user chooses to stop receiving targeted recommendation information, operators should stop targeted recommendation and delete user data and personal information, such as device IDs, that they have already collected.

Network operators engaging in targeted recommendation activities should comply with laws and administrative regulations; respect social ethics, business ethics, public order, and good customs; and be honest and trustworthy. Discrimination, fraud, and similar activities are strictly prohibited.

Article 24: Network operators who use big data, artificial intelligence, or similar technologies to automatically synthesize news articles, blog posts, forum posts, comments, etc., should clearly indicate the word “synthesized”; they should not automatically synthesize information with the aim of seeking benefits or harming other people’s interests.

Article 25: Network operators should adopt measures to urge and remind users to be responsible in their online behaviour, to strengthen self-discipline. For users who use social networks to forward information written by other people, the original author’s account should be automatically indicated, or an unalterable user identifier included.

Article 26: When a network operator receives a report or complaint related to impersonation, faking, or illegitimately transmitting information in someone else’s name, they should promptly respond; once a report or complaint has been verified, they should immediately stop transmission and perform deletion.

Article 27: Before providing personal information to others, network operators should assess possible security risks and obtain the consent of the personal information subject. The following situations are exempt from this:

  1. Collection through lawful public channels that does not clearly violate the personal information subject’s wishes;
  2. When the personal information subject has made it public of their own accord;
  3. When having undergone anonymization processing;
  4. When necessary for law enforcement bodies to perform their duties in accordance with the law;
  5. When necessary to safeguard national security, the social public interest, or the safety of the personal information subject’s life.

Article 28: Before publishing, publicly sharing, or conducting a business transaction with important data, or providing it overseas, network operators should assess possible security risks and report to the sectoral controlling supervisory authority for approval; if the relevant sectoral controlling supervisory authority is not clear, they should obtain approval from the province-level cybersecurity and informatization department.

They should act in accordance with relevant regulations when providing personal information to locations outside of China.

Article 29: If a domestic user accesses the domestic internet, their traffic may not be routed outside the country.

Article 30: Network operators should clarify data security requirements and responsibilities for third-party applications accessing their platform and urge and supervise third-party application operators to strengthen their data security management. If a third-party application experiences a data security breach that causes harm to the user, the network operator shall bear partial or full responsibility, unless the network operator can prove that they are not at fault.

Article 31: When a network operator is acquired, is reorganized, or goes bankrupt, the party receiving the data shall receive the responsibilities and obligations for data security. If there is no party receiving the information, the network operator should delete the data. If there are other provisions in laws and administrative regulations, such provisions shall apply.

Article 32: Network operators who conduct analyses using data sources they have obtained, and publish data such as market forecasts, statistical information, and personal and corporate credit information, may not affect national security, the functioning of the economy, and social stability, and they should not harm others’ lawful rights and interests.

Chapter IV: Data Security Supervision and Management

Article 33: If in fulfilling their duties, cybersecurity and informatization departments find that the network operator's responsibility for the management of data security is not in place, they should supervise rectification in accordance with the prescribed authority and procedures in consultation with the responsible person for the network operator.

Article 34: The state encourages network operators to voluntarily pass data security management and application procedure security certifications, and encourages search engines and application stores to clearly identify and recommend those applications which have passed the certifications.

State cybersecurity and informatization departments, in conjunction with the market supervision and administration departments under the State Council, will guide the national cybersecurity review and certification agencies and organize certifications for data security management and application procedure security.

Article 35: When data security incidents such as leaking, damage, or loss of personal information occur, or when the risk of these data security incidents increases significantly, the network operator should take immediate remedial measures and promptly notify the respective personal information subject via telephone, text message, email, letter, etc., and report to the relevant regulatory authorities and cybersecurity and informatization departments as required.

Article 36: When the relevant departments of the State Council, in order to fulfill the requirements of their responsibilities in safeguarding national security, social management, economic regulation, etc., and in accordance with the provisions of laws and administrative regulations, request network operators provide them with relevant data in their possession, network operators should provide it.

The relevant departments of the State Council shall be responsible for the security protection of the data provided by the network operator, and it may not be used for purposes unrelated to the performance of duties.

Article 37: If a network operator violates the provisions of these measures, the respective departments, in accordance with relevant laws and administrative regulations, shall impose penalties such as public exposure, confiscation of illegal income, suspension of business operations, restructuring of business, closure of websites, and/or revocation of relevant business licenses and permits according to the circumstances. Where it constitutes a crime, criminal liability will be investigated according to law.

Chapter V: Supplementary Articles

Article 38: The meanings of the following terms in these Measures:

  1. “Network operator” refers to the owners, managers, and network service providers for the network.
  2. “Network data” refers to various electronic data collected, stored, transmitted, processed, and generated through the network.
  3. “Personal information” refers to various information recorded by electronic or other means that can identify a natural person's personal identity alone or in combination with other information, including but not limited to the name of the natural person, date of birth, ID number, personal biometric information, address, phone number, etc.
  4. “Personal information subject” refers to the natural person identified or associated with the personal information.
  5. “Important data” refers to data that, if divulged, may directly affect national security, economic security, social stability, or public health and safety, such as undisclosed government information or large-scale data on the population, genetic health, geography, mineral resources, etc. Important data generally does not include enterprises’ production, operations, and internal management information, personal information, etc.

Article 39: Data activities involving the use of state secret information and encryption shall be carried out in accordance with relevant state regulations.

Article 40: These Measures shall come into force on the [day] of [month], [year].