Implications of New Chinese Legislation for Data and Cybersecurity

Data privacy

At the end of May 2019, China's internet regulator, the Cyberspace Administration of China, or CAC, issued a draft data security regulation for feedback from industry stakeholders. The proposed law is intended to give customers more control over how their personal information is collected and used.

The draft regulations lay out specific rules regarding what can or cannot be done by internet companies in their collection and usage of customer data. Explicit labeling needs to be provided on customized content that uses personal data, such as advertising and news feeds. Network operators are also required to avoid forcing or misleading users to agree to the collection of their personal information on such pretexts as improving service quality or enhancing user experience.

The regulation applies to the network-based collection, storage, transmission, processing, and use of data, as well as data security protection and supervision in the country. It also requires operators to take immediate actions in the event of personal information leakage or when data security risks increase significantly.

The proposed data security regulation not only affects local internet companies, but also impacts foreign entities. Part of the regulation prohibits the routing of domestic internet information outside the country in certain cases; and requires appropriate permission for sharing “important data” with foreign entities.

Once implemented, the proposed regulation is expected to change the data compliance activities of network operators. For years, lax regulation on data collection was one of the major factors that allowed China's internet industry to develop so quickly and successfully, according to a recent Caixin report. This is because the more data that internet companies collect, the better they can target users, even though such targeting has at times come at the user's expense.

Regulators have now finally taken note of these activities following a series of violations over the past few months. For instance, a previous survey of 200 mobile apps by Renmin University found that more than 90% of them had flaws in their privacy policies and posed risks to users' personal data. Then, in December last year, authorities discovered that the personal data of 30 million people using the dating app Momo was available for sale online, and included customer phone numbers and their passwords.

This prompted the National Information Security Standardization Technical Committee to issue a guideline that prohibited mobile apps from collecting, using, or providing personal information to third parties without clear user consent.

The release of the new draft data security regulation comes about a week after the CAC also issued its draft Cybersecurity Review Measures document that, when approved, will require operators of China's critical information infrastructure, including major telecom network operators and financial service providers, to evaluate the national risk when purchasing foreign products and services.

The timing of that document's release has since sparked speculation that the law may be used as a retaliatory tool to block U.S. technology companies from doing business in China on the grounds of national security; particularly as trade war tensions are escalating between Beijing and Washington. The latter has ramped up the pressure on its allies to also blacklist China's Huawei Technologies' products. Early in May, the U.S. government ordered a ban on U.S. purchases of Huawei's products on the basis of national security. Chinese authorities could now use the new law to justify banning foreign tech firms for similar reasons.