Notice of the Cyberspace Administration of China on Soliciting Public Comments on the Administrative Measures on Data Security

Effective Date: 05-28-2019

Source: Cyberspace Administration of China

Chinese Title: 国家互联网信息办公室关于《数据安全管理办法（征求意见稿）》公开征求意见的通知

For the purposes of safeguarding state security and social public interests, protecting the legitimate rights and interests of citizens, legal persons and other organizations in cyberspace and protecting security of personal information and important data, in accordance with the laws and regulations such as the Cybersecurity Law of the People’s Republic of China, the Cyberspace Administration of China has drafted the Administrative Measures on Data Security (Exposure Draft) jointly with relevant departments, which are open for public comments now. People can provide feedback through the following ways and methods:

1. Making comments by logging in the website of Legal Information of Chinese Government (website: http://www.chinalaw.gov.cn) and then entering the column of “Collection of Legislative Comments” on the homepage;

2. Emailing to: security@cac.gov.cn; or

3. Posting the comments to the address below: Office of Internet Security Coordination of the Cyberspace Administration of China, No. 11 Chegongzhuang Street, Xicheng District, Beijing, 100044, and indicating “Comments on Administrative Measures on Data Security” on the envelope.

The deadline for comments is June 28, 2019.

Administrative Measures on Data Security (Exposure Draft)

Chapter I General Provisions

Article 1 The Measures are formulated in accordance with the laws and regulations such as the Cybersecurity Law of the People’s Republic of China for the purposes of safeguarding national security and social public interests, protecting the legitimate rights and interests of citizens, legal persons and other organizations in cyberspace and protecting security of personal information and important data.

Article 2 The Measures shall be applicable to such activities as the collection, storage, transmission, processing and use of data (hereinafter referred to as “data activities”) as well as the protection, supervision and administration of data security within the territory of the People’s Republic of China. It shall not be applicable to pure family and personal matters.Where it is otherwise provided for in laws and regulations, such provisions shall prevail.

Article 3 The State lays equal stress on data security protection and development, encourages the research and development of data security protection technologies, actively promotes the development and use of data resources and guarantees the orderly and free flow of data in accordance with the law.

Article 4 The State takes measures to monitor, defend against and deal with data security risks and threats from both inside and outside the territory of the People’s Republic of China, protect data from being divulged, stolen, falsified, damaged or used illegally, and punish the illegal and criminal activities that endanger data security in accordance with the law.

Article 5 Under the leadership of the Central Cyberspace Affairs Commission, the state cyberspace administration shall be responsible for the overall planning, coordination, direction and supervision of the protection of personal information and important data security.Cyberspace administrations at the prefecture level or above shall, ex officio, direct and supervise the protection of personal information and important data security within their respective administrative areas.

Article 6 Network operators shall, in accordance with relevant laws and administrative regulations and by reference to national cybersecurity standards, perform data security protection obligations, establish the accountability of data security management and evaluation systems, work out data security plans, implement technical measures for data security protection, carry out data security risk assessments, develop emergency response plans for cybersecurity, timely deal with security incidents and organize data security education and training.

Chapter II Data Collection

Article 7 Any network operator that collects and uses personal information through products such as websites and applications shall develop and disclose the rules for collection and use separately. The rules for collection and use may be included in its privacy policies for websites, applications and other products, or may be made available to users in other forms.

Article 8 A network operator’s rules for collection and use shall be specific, easy to understand and access and shall highlight the following information:

(1) General information about the network operator;

(2) Names and contact information of the principal and the person responsible for data security of the network operator;

(3) Purposes, types, amounts, frequencies, methods and scopes of personal information to be collected and used;

(4) Place of storage and retention period of personal information as well as the method to deal with such information after the retention period expires;

(5) Rules to be followed for provision of personal information to others if the network operator provides personal information to others;

(6) Information relevant to the strategies of personal information security protection;

(7) Ways and methods for the data subjects to withdraw consents, and to access, correct and delete personal information;

(8) Channels and methods for making complaints and reports; and

(9) Other information as prescribed by the laws and regulations.

Article 9 If the rules for collection and use are included in private policies, they shall be presented in an relatively concentrated and obvious way to facilitate reading. Network operators may not collect personal information until the users have acknowledged the rules for collection and use of personal data and provide express consents.

Article 10 Network operators shall strictly comply with the rules of collection and use of personal data. The functions of network operators’ websites and applications to collect or use personal information shall be designed in compatible with the privacy policies, and shall be adjusted synchronically with privacy policies.

Article 11 Network operators shall not force or mislead, in such forms as authorization by default or bundling functions, data subjects to consent to the collection of personal information on the grounds of improving service quality, enhancing user experience, delivering targeted push information or carrying out research and development of new products, etc.After data subjects have provided consents to the collection of personal information that enables the operation of the core functions of network products, network operators shall provide core service functions to data subjects, and shall not cease the provision of such core service functions on the grounds that data subjects refuse to provide consents or withdraw consents to the collection of aforesaid personal information.

Article 12 For the collection of personal information of minors under the age of 14 years, consents from their guardians are required.

Article 13 Network operators shall not take discriminatory actions, such as implementing different service quality and prices, against the data subjects based on whether the data subjects have authorized the collection of personal information and the scopes of such authorizations.

Article 14 Network operators shall have the same responsibilities and obligations to protect the personal information obtained from other channels with the personal information directly collected by themselves.

Article 15 Network operators shall make a filing with the local cyberspace administration when they collect important data or sensitive personal information for the purposes of business operations. The filing shall include the rules for collection and use of such data, purposes, scales, methods, scopes, types and retention periods of the data, but shall not include the contents of data themselves.

Article 16 Network operators shall not interfere with the normal operation of the websites when they access and collect website data by automatic means. If such acts seriously affect the operation of websites, e.g., for example, the traffic of data collection by automatic access exceeds one-third of the average daily traffic of the websites and the websites require network operators to cease such automatic access and collection, network operators shall cease such acts.

Article 17 Network operators that collect important data or personal sensitive information for the purpose of business operations shall specify the persons responsible for data security.The persons responsible for data security shall be selected from among personnel with relevant management work experience and professional knowledge on data security, and they shall participate in important decisions of relevant data activities, and report work directly to the principals of network operators.

Article 18 The persons responsible for data security shall perform the following responsibilities and obligations:

(1) Organizing the formulation of data protection plans and urging the implementation of such plans;

(2) Organizing data security risk assessments and urging rectification and elimination of potential risks of security;

(3) Reporting data security protection and incident handling to relevant departments and cyberspace administrations as required; and

(4) Accepting and handling the complaints and reports of users.Network operators shall provide necessary recourses to the persons responsible for data security to enable them to independently perform their responsibilities and obligations.

Chapter III Processing and Use of Data

Article 19 Network operators shall, in accordance with relevant national standards, take measures such as data categorization, data backup and encryption to strengthen the protection of personal information and important data.

Article 20 The retention of personal information by network operators shall not exceed the retention period provided in the rules for collection and use. Personal data shall be timely deleted after the users close their accounts, unless the personal information has been processed to make it impossible to identify a specific person from the information and such information cannot be recovered (hereinafter referred to as “anonymization processing”).

Article 21 Network operators shall, upon receipt of requests to access, correct and delete personal information and close accounts, fulfill such requests within a reasonable period of time and at reasonable cost.

Article 22 Network operators shall not use personal information in violation of the rules for collection and use. If it is necessary to expand the scopes of the use of personal information due to business needs, network operators shall obtain consents from personal information subjects.

Article 23 When network operators use user data and algorithms to push news and commercial advertisements (hereinafter referred to as “targeted push”), they shall clearly indicate the words of “targeted push” and provide an option for users to cease receiving the targeted push information. If the users opt not to receive targeted push information, network operators shall stop the push and delete the user data collected such as device identification codes and any personal information.Network operators conducting targeted push activities shall comply with laws and administrative regulations, respect social morality and business ethics, abide by public order and good morals, and be honest and diligent. All discriminatory and fraudulent acts shall be prohibited.

Article 24 Where network operators automatically synthesize information such as news, blog posts, posts and comments by using big data, artificial intelligence and other technologies, they shall explicitly indicate the word “synthesis”. Network operators shall not automatically synthesize information for the purposes of making profits or damaging the interests of other persons.

Article 25 Network operators shall take measures to urge and remind users to be responsible for their network behaviors and strengthen self-regulation. If users forward information made by other persons through social media network, network operators shall automatically suffix the social media network accounts of the information producers or indicate unchangeable user identification.

Article 26 Upon receipt of reports and complaints on faking, counterfeiting or embezzling the release of any information in the name of other persons, network operators shall respond in a timely manner, and shall stop spreading the information and delete it once verified.

Article 27 Prior to providing personal information to other persons, network operators shall assess the potential security risks and obtain consents from the data subjects. Exceptions shall be applied to the following circumstances:

(1) The personal information is collected through legal public channels and provision of it does not go against the willingness of the data subjects;

(2) The personal information is voluntarily disclosed by the data subjects;

(3) The personal information has been subject to anonymization;

(4) Provision of such information is necessary for the performance of responsibilities and functions of law enforcement departments in accordance with the law; or

(5) Provision of such information is necessary for safeguarding state security, social and public interest or the lives of data subjects.

Article 28 Network operators shall assess the potential security risks prior to releasing, sharing or selling important data or transferring such data abroad, and shall report to the competent regulatory department for approval. If the competent regulatory department is unclear, network operators shall report to the cyberspace administrations at the provincial level for approval.Provision of personal information abroad shall be implemented in accordance with the relevant provisions.

Article 29 When domestic users visit the domestic internet, the flow shall not be routed overseas.

Article 30 Network operators shall specify data security requirements and responsibilities for any third-party application connected to their platforms, and shall urge and supervise any third-party application operator to strengthen data security management. If a data security incident occurs to a third-party application causes damage to users, network operators shall assume all or part of the liability, unless they are able to prove that they are not at fault.

Article 31 Where network operators undergo mergers and acquisitions, reorganizations or bankruptcy, the data recipients shall assume the data security responsibility and obligations. If there are no data recipients, network operators shall delete relevant data. Where it is otherwise provided for in laws and regulations, such provisions shall prevail.

Article 32 Network operators that publish information such as market predictions, statistics and personal and enterprise credit, etc. by analyzing or using the data resources in their possession shall not endanger national security, economic operation or social stability, nor shall they damage the legitimate rights and interests of other persons.

Chapter IV Supervision and Administration of Data Security

Article 33 Where a cyberspace administration finds, in the course of performing their functions and duties, that a network operator fails to implement data security management responsibilities, the cyberspace administration shall interview the principal of the network operator and urge the network operator to make rectifications.

Article 34 The State encourages network operators to voluntarily pass data security management authentication and application security authentication, and encourages search engines and application stores to clearly identify and give priority to applications that have passed the authentication.The national cyberspace administration shall, in conjunction with the administration for market regulation of the State Council, direct national cybersecurity review and authentication institutions, organize data security management authentications and application security authentications.

Article 35 In case of occurrence of security incidents where personal information has been divulged, damaged or lost, or the risk of data security incidents has increased significantly, network operators shall forthwith take remedial measures, inform personal information subjects in a timely manner by such means as phone calls, text messages, emails or letters, and report the cases to the competent regulatory departments of the industry and cyberspace administrations in accordance with relevant requirements.

Article 36 If the relevant competent departments of the State Council require network operators to provide relevant data in their possession for the purposes of performing functions and duties such as national security, social management, economic control in accordance with relevant laws and administrative regulations, network operators shall provide such data to them.The relevant competent departments of the State Council shall assume the responsibility of security protection of the data provided by network operators, and shall not use the data for purposes unrelated to the performance of their functions and duties.

Article 37 For any network operator violating the provision hereof, the competent departments shall, in accordance with relevant laws and administrative regulations and depending on the circumstances, take disciplinary actions such as disclosing misconduct publicly, confiscating illegal incomes, suspending relevant business operations, ceasing business operation for rectification, shutting down the websites, revoking the relevant business permits or business licenses on it. If the violation constitutes a crime, criminal liability shall be investigated in accordance with the law.

Chapter V Supplemental Provisions

Article 38 For the purpose of the Measures, the following terms shall be defined as follows:

(1) “Network operators” refer to the owners and administrators of networks as well as network service providers.

(2) “Network data” refer to all kinds of electronic data collected, stored, transmitted, processed and generated through the network.

(3) “Personal information” refers to all kinds of information recorded in electronic or other forms, which can be used, independently or in combination with other information, to identify a natural person’s personal identity, including but not limited to natural person’s name, date of birth, identity certificate number, biometric information, address and telephone number, etc.

(4) “Personal information subjects” refer to the natural person identified or connected by the personal information.

(5) “Important data” refer to the kind of data, if divulged, may directly affect national security, economic security, social stability and public health and security, such as undisclosed government information, large-scale population, genetic health, geography and mineral resources, etc. Important data shall usually not include information related to the production and operation and internal management of enterprises or personal information, etc.

Article 39 Data activities involving State secrets or the use of encryption shall conform to the relevant provisions of the State.

Article 40 The Measures shall come into force as of (date).