China adopted the Cybersecurity Law in 2017 and later issued a series of implementing rules, regulations and national standards for it. After more than two years of development, what compliance and regulatory environment will we face in 2020? Will the identification and protection of critical information infrastructure (“CII”) enter a new phase? What problems will be encountered in cross-border data transfers? What challenges will confront enterprises trying to be compliant? On these questions, which attract the most attention from companies, the Data Compliance Team of East & Concord Partners gives below a forecast of the development trends of data compliance in China in 2020, which we hope will serve as a reference for the compliance work of companies.
* Part of this article has been published in Forecast 2020 | The Changed and the Unchanged in Cybersecurity and Data Compliance World on “Legal Brand Observations”.
Q1: What are the overall development trends of cybersecurity and information security in 2020?
We expect that, in general, cybersecurity and information security work in China will develop further in 2020. Specifically, this includes the following. First, on the legislative level, fundamental laws such as the Personal Information Protection Law and the Data Security Law, as well as supporting regulatory documents and standards on related matters, such as the identification and recognition of CII and important data, data security management, security assessment for the cross-border transfer of personal information and important data, cross-border supervision, classified protection of cybersecurity, and the regulation and application of cryptography, are expected to be formally passed or published for comments in 2020. Second, on the law enforcement level, enforcement activities focusing on cybersecurity and personal information protection will remain active, and with the practical experience accumulated so far, enforcement is likely to extend to more areas and to pay equal attention to both special campaigns and day-to-day supervision. Third, on the industrial regulation level, the standardization and supervision of cybersecurity and information security in key data-related industries or fields such as finance, health care, education, e-commerce, delivery and artificial intelligence may be further strengthened. Fourth, on the corporate compliance level, as the boundaries of data compliance become increasingly clear, data compliance will become the inevitable choice for enterprises to prevent risks and create value.
Q2: With Classified Cybersecurity Protection 2.0 becoming comprehensive and mature and the pilot project of CII protection completed, is it possible that the Regulations on Critical Information Infrastructure Security Protection will be launched officially? What impact would they bring to the industry?
As far as we know, the Regulations on Critical Information Infrastructure Security Protection (“CII Regulations”), jointly formulated by the Central Administration of Cybersecurity and the Ministry of Public Security, were originally planned to be submitted to the State Council in 2019. Meanwhile, the publication and implementation in 2019 of a series of regulatory documents and standards on the management system for network products and services, including Information Security Technology - Operation Supervision Framework of Cloud Computing Service, as well as the Classified Protection of Cybersecurity 2.0 standards, have provided institutional support and guarantees for establishing and improving the CII rules system. The completion of the national standard pilot projects for Information Security Technology – Guide to Security Inspection and Evaluation of Critical Information Infrastructure (Draft for Approval) and Information Security Technology – Basic Cybersecurity Protection Requirements of Critical Information Infrastructure (Draft for Approval) laid the foundation for subsequent promotion of the standards and for CII security protection. At present, CII is gradually being identified in the relevant key industries. We believe that the conditions for implementing the CII Regulations are increasingly mature and that they are expected to be formally introduced this year. The CII Regulations cover the operators’ security protection responsibilities (including the administration of storage and cross-border transfer of personal information and important data), security management of products and services, monitoring and early warning, emergency response, testing and evaluation, and various other aspects.
They will set clear compliance boundaries and requirements in public communication, broadcasting, energy, finance, transportation, water conservancy, health care, social security and other related fields, thereby raising the level of cybersecurity and information security protection in those fields.
Q3: In the current legal environment, what room is there for legal services in the field of cross-border data transfer? After two optimizations of the regulatory approach in 2017 and 2019, will the conditions for officially introducing a cross-border data transfer regulatory framework be met in 2020?
Cross-border transfer of data is an issue of great concern in the field of cybersecurity and data compliance all over the world. The EU, the United States and some other countries and regions have formulated, or are in the process of formulating, relevant regulations. In this global context, how to deal with conflicts between the compliance rules of different countries and regions, and how to meet the requirements of different jurisdictions, is one of the issues of greatest concern to enterprises, especially multinational enterprises, and also one of the focuses of legal services.
We believe that, after more than two years of design, the basic mode of the Chinese system for cross-border data transfer has been determined, but some problems in the current regulatory framework remain to be solved, such as the lack of higher-level legislation and the need for more operational measures to implement the cross-border data transfer system. As China implements its One Belt and One Road strategy, further deepens Reform and Opening Up and continuously optimizes the business environment, both the “Going-Out” of Chinese enterprises and the “Bringing-In” of foreign investment will involve cross-border transfer of data. How to balance data flow against data security is a problem under deliberation in all countries, and China must introduce its cross-border data transfer system with prudence. Therefore, apart from the rules on cross-border data transfer by CII operators, the regulation of cross-border data transfer by general network operators may require more time to complete.
Q4: In 2019, the enforcement of the Cybersecurity Law focused on the infringement of users’ rights and interests by Apps, crawler software and the like. Will this trend continue in 2020? Which fields will receive “special care” from the law enforcement authorities, and in which fields will regulation be more stringent?
The year 2019 witnessed strong law enforcement actions on personal information protection by the Personal Information Protection Task Force on Apps. In November of the same year, the Method for Identifying the Illegal Collection and Use of Personal Information by Apps was issued at an opportune moment; it reflected the achievements of the 2019 special campaign on App administration and set an enforcement benchmark for the follow-up normalized supervision. Some of the 2019 enforcement activities related to infringement by crawler software arose partly from illegal loan collection in the financial sector, which brought hidden data compliance problems to light. The financial industry is currently also strengthening the protection of consumer rights and data compliance. As a significant way for enterprises to obtain data, besides generating it in their own business or sharing it through cooperation, the acquisition of data with crawler technology may remain a key area of law enforcement. With the continuous promulgation and improvement of the supporting laws and regulations of the Cybersecurity Law, we expect that the security measures of more important information systems and the implementation of the classified protection of cybersecurity system will also come under intensified scrutiny from law enforcement departments. Data storage and cross-border data transfer in the field of CII will face corresponding regulatory enforcement once the relevant new regulations are promulgated.
From the perspective of industries, education, finance, health care, e-commerce, delivery, artificial intelligence and other industries will probably face tighter supervision. New regulations have recently been issued in some of these industries that contain rules on the protection of personal information in those industries, establishing and strengthening the enforcement basis of the administrative regulators of each industry.
Q5: What do legal professionals suggest, and what should be the focal points of the cybersecurity and data compliance work of companies in 2020?
With the gradual improvement of the supporting laws and regulations of the Cybersecurity Law (including data compliance legislation in various industries), the classified protection of cybersecurity system and the information security and personal information protection principles established by the Cybersecurity Law will be implemented in detail. We expect that, in addition to the collection and use of personal information by internet Apps, the focus of law enforcement will also include classified protection of cybersecurity (including classification and filing requirements), the place of data storage and cross-border transfer. We suggest that enterprises pay close attention to legislative and enforcement developments in the field of cybersecurity and data compliance, especially any newly added or more detailed compliance requirements in their respective industries. Those that have not yet completed classification and filing under the classified protection of cybersecurity system should promptly do so, and should establish, or promptly adjust and refine, their compliance management system and personal information protection system for internal data and for the collection and use of external data. Enterprises operating online businesses should follow the latest regulations and adjust the contents and settings of their privacy policies in due time. Enterprises with overseas business and foreign-funded enterprises in China should keep an eye on the legislative developments on data storage location and cross-border data transfer in each jurisdiction involved in their business so as to make timely arrangements.