On April 29, 2021, China released the second draft of the Personal Information Protection Law (hereinafter the “PIPL” or “Draft”) for public comments, which replaced the first draft issued in October 2020. The PIPL is regarded as the “Chinese GDPR” and is widely believed to have significant influence on the development of many industries, especially digital business. To help multinational corporations better understand the PIPL and be well prepared for the coming new era of data protection in China, we will prepare 15 thematic articles on various topics to guide compliance under the PIPL from a practical perspective.
Under the PIPL, data security plays a prominent role and the PIPL imposes strict obligations on personal information controllers regarding security. While the current Chinese data protection regime established mainly upon the Cybersecurity Law already includes a data breach notification requirement, the PIPL introduces several new and specific rules. This client alert interprets these rules, including the obligation to notify data breaches to the data protection authority and individuals, and summarises various security obligations to prevent data breach as required by the PIPL.
What are data breaches?
The PIPL requires personal information controllers to take a variety of measures to prevent “unauthorized access to, breach or theft, distortion, or deletion of personal information”, including the formulation of internal management systems, the adoption of data classification and so on (Article 51) – to be further discussed below. However, the PIPL does not define data “breach”. In Article 51, the PIPL mentions data “breach” together with unauthorized access and data theft, which seems to draw a distinction but may also be interpreted as emphasizing that the security obligations could be imposed on all types of data incidents. In the finalized version of the PIPL, whether there will be a properly defined meaning of data breach deserves further attention.
Notification to the authority and individuals
Article 56 of the PIPL provides the notification obligations of a personal information controller after a data breach. The controller shall immediately take remedial measures and notify the personal information protection authority and individuals. The notification should include the following details: (1) the reason for the breach; (2) the category of personal information breached and the damage that may be caused; (3) the remedial measures that have been taken; (4) the measures available for an individual to mitigate the damage; and (5) the contact information of the controller.
However, notification to individuals is not a mandatory obligation under the PIPL, while notifying the authority is required. Where the personal information controller is able to take measures to effectively avoid damage caused by the breach, it may refrain from notifying affected individuals (Article 56). But if the authority considers that the data breach may cause damage to individuals, it may require the personal information controller to notify them (Article 56).
Other than the general requirement of “immediately”, the PIPL does not provide a specific timing for notifying the authority or individuals.
Security obligations to prevent data breach
As mentioned above, Article 51 of the PIPL imposes several security obligations on personal information controllers to prevent data breaches. These obligations include various measures to ensure that personal information is processed in compliance with the law, including: (1) developing internal management systems and operating procedures; (2) implementing classified and categorized management of personal information; (3) taking appropriate technical security measures such as encryption and de-identification; (4) reasonably determining operating permissions for personal information handling, and conducting security education and training for employees on a regular basis; (5) developing and organizing the implementation of response plans for personal information security incidents; and (6) other measures as prescribed by laws and regulations.
A personal information controller needs to take “remedial measures” after a data breach under Article 56 of the PIPL and include such measures in its notification to affected individuals, as mentioned above. This is also consistent, to a certain degree, with the requirements in Article 42 of the Cybersecurity Law. However, neither the PIPL nor the Cybersecurity Law provides specific rules for such remedial measures. In practice, the national standard Personal Information Security Specification (GB/T 35273) (“PISS”) provides more detailed provisions on such remedial measures that could be taken as a best practice guide, though it is not legally binding.
The PISS requires that, after detecting a data security incident, the controller shall take the following measures in addition to notifying the authority and individuals: (1) record the content of the incident, including but not limited to the time and place of the incident, the person who identified the incident, and the number of individuals affected by the incident; (2) assess the possible impact of the incident; (3) take necessary measures to control the incident; and (4) eliminate hidden threats.
It remains to be seen whether the PIPL, as the fundamental national legislation on personal information protection, will provide detailed guidance on remedial measures for data breaches or adopt the current practice stipulated by the PISS.
Article 56 of the PIPL provides that where personal information is handled in violation of this Law, or is handled without the necessary security protection measures required by regulations, the authority may order a correction, confiscate any unlawful income, issue a warning, impose a fine of up to 50 million CNY (approx. US$7.8 million) or 5% of the annual turnover of the previous year, suspend business operations, and revoke the business license. Any directly liable person-in-charge or any other directly liable individual of the personal information controller may also be fined up to 1 million CNY (approx. US$160,000).
Although Article 65 of the PIPL does not explicitly provide legal liabilities specifically for data breaches, it is likely to be interpreted as covering various violations of the PIPL, including data breaches.
Although the PIPL does not provide a definition of data breach, it has established a new data breach response mechanism. The most important part is that it clearly stipulates, as a general rule, that a data breach shall be notified to the authority and individuals, together with the required information. This will require multinational corporations operating in China to establish or improve their data breach policies to meet the requirements under the law.
Next Topic: [How will the public sector process personal information]
Note: After April 29, 2021, our alerts will be based on the second draft of the Personal Information Protection Law. For those released before April 29, they referred to the first draft.