Hi, privacy pros! Greetings from Beijing, China!
Although the heat is subsiding with the cool and pleasant autumn breezes, China’s data and cybersecurity space is getting hotter!
On 1 Sept., the long-awaited measures on the security assessment for cross-border data transfer and the underlying guidelines went into effect. For those struggling to address China’s dynamic and challenging regulatory scheme for cross-border data transfers, the release and adoption of the new measures and guidelines are a welcome development. Organizations will now have more practical guidelines as valuable references in designing their China-related cross-border data transfer mechanisms and achieving better compliance for their business operations in China.
One important aspect that should not be missed is that the new measures and guidelines apply retroactively to cross-border data transfers that took place before 1 Sept. Companies only have a short grace period — until the end of February 2023 — to complete the Cyberspace Administration of China-led security assessment according to the new requirements under the measures and guidelines. Comprehensive documents and information are required for the security assessment, so companies need to plan ahead, coordinate with business partners involved in the cross-border data transfer, and leave sufficient time for preparing the application deck and completing the security assessment before the deadline.
While much attention has been on China’s Personal Information Protection Law, businesses should not forget about the Cybersecurity Law, one of China’s cornerstone data and cybersecurity laws. The CSL came into force in 2017 and has acted as China’s mini personal data law along with the more comprehensive PIPL. The enforcement and penalty provisions in the CSL are more lenient than the PIPL, but on 14 Sept., the CAC issued the draft amendments to the CSL to bring the penalties in line with the PIPL. If the CSL amendments are finalized as drafted, a company that violates the CSL’s cybersecurity obligation or the cross-border data transfer requirements will be exposed to a maximum penalty of RMB 50 million (approx. US$7.15 million) or 5% of the company’s turnover of the preceding year, a significant increase from RMB 1 million (approx. US$143,000) under the current CSL.
China’s regulators have remained active in enforcement, as demonstrated by multiple landmark enforcement cases in which Chinese authorities impose significant fines on companies in breach and on their executives and, in some serious cases, criminal liability is triggered.
Privacy awareness among the general public is also getting stronger. According to the statistics released in September by the Secretariat-General of the Personal Information Protection Working Committee under the China Internet Association, there has been a significant year-on-year increase in personal data whistleblowing and complaints, with an estimated total number of 300,000 complaints in 2022. All of this means that China’s data and cybersecurity landscape will continue to be fluid and dynamic!
I hope you enjoy this digest. Until next time!