Chambers Global Practice Guide: Data Protection (definitive global law guides offering comparative analysis from top-ranked lawyers)

Trends and Developments. Contributed by: Maggie Meng, Vincent Wang and Jerry Liu, Global Law Office

(ii) GB/T 25070-2019 Information Security Technology Technical Requirements of Security Design for Multi-level Protection of Cyber Security; and (iii) GB/T 28448-2019 Information Security Technology Evaluation Requirement for Multi-level Protection of Cyber Security (collectively, the New MLPS National Standards).

The New MLPS National Standards overall maintained the five levels of security protection specified in the MLPS. In addition, recognising the fact that emerging technologies (eg, cloud computing and AI) create new cybersecurity concerns, the New MLPS National Standards address these new concerns by setting forth special requirements. In the transition from "Multi-level protection over information security" (commonly referred to as MLPS 1.0) to "Multi-level protection over cybersecurity" (commonly referred to as MLPS 2.0), the New MLPS National Standards present the recommended technical best practice under MLPS 2.0.

New laws (or their drafts) promulgated

The Cyberspace Administration of the People's Republic of China (CAC) released two eye-catching regulations in 2019: the Administrative Measures on Data Security (draft for public comments), in May, and the Measures on Assessing the Security of Cross-border Transfer of Personal Information (draft for public comments), in June. Compared to the Information Security Technology Guidelines on Assessing the Security of Cross-border Data Transfer (draft for public comments) and the Measures on Assessing the Security of Cross-border Transfer of Personal Information and Important Data (draft for public comments) circulated in 2017 by the China National Information Technology Standardisation Committee, the new draft regulations indicate that the agency is changing its legislative and regulatory methodology to differentiate "personal information data" and "important data".

On 1 October 2019, the Provisions on the Cyber Protection of Children's Personal Information took effect. This is the first regulation focusing on the protection of children's personal information. While specifying detailed requirements for the protection of children's personal information, it prohibits any organisation or individual from producing, releasing or disseminating, without the consent of the children's guardians, information which may infringe those children's personal information security. It also sets forth the regulatory powers of the CAC and its local counterparts, and of the other related governmental authorities.

Lastly, 2019 also saw a set of enforcement actions taken by the CAC, the Ministry of Information Industry Technology, the Ministry of Public Security and the State Administration for Market Regulation (collectively, the Four Ministries) against app operators whose apps had illegally collected and used personal information. The Four Ministries established the special work group on app governance and jointly published the Announcement on Special Governance of the Illegal Collection and Use of Personal Information by Apps, specifying, among other things, the app operators' security obligations and regulatory penalties. In these regulatory actions, the Four Ministries investigated millions of apps and released official warnings or even ordered app store operators to take certain apps offline due to their non-compliant behaviours in collecting and using personal information. In order to address the compliance issues identified in the investigation, the Four Ministries, together with the special work group on app governance, enacted new regulatory rules such as: (i) the Self-evaluation Guidelines on Avoiding Collecting and Using Personal Information Illegally; (ii) the Information Security Technology Basic Specification on Collecting and Using Personal Information by Mobile Internet Applications; and (iii) the Measures on Determining Illegal Collection and Use of Personal Information by Apps. The above rules not only provide guidance on the substance of the privacy guidance documents published to the general public, but also shed light on the compliance faults affecting privacy by design and by default in apps, which secure users' right to know and right to choose. For example, an app's privacy policy is required to exhaustively list all the personal information that the app will collect and to be easily accessible by users. Where apps collect personal information without limitation and damage user privacy, these regulatory rules and law enforcement actions will step in and investigate.

Trends in 2020

As of the date of this article, China has over 40 laws and 230 regulations and legislative documents covering the areas of data compliance and personal information protection. This creates difficulties in maintaining consistent law enforcement in practice. Regulatory enforcement may be duplicative or miss a loophole, and the discretion exercised in enforcement over the same issue may be inconsistent, which results in inefficiency in law enforcement and confusion for businesses. However, the complexity and confusion in the legal system are changing and improving. According to an official news report, two laws concerning data and privacy are listed in the legislation plan for 2020: the Personal Information Protection Law and the Data Security Law. Once promulgated, they will contribute to the building of a comprehensive and complete legal system of data compliance and personal information protection and guide the relevant law enforcement actions in a more unified, co-ordinated and efficient manner. In brief, we expect the following changes in the areas of data compliance and personal information protection in 2020.

More legal support on specific issues

As mentioned above, national-level legislation on privacy compliance and personal information protection is missing from the current legal system. Relevant national-level provisions can only be found in some general provisions of the Cybersecurity Law and the Consumer Rights Protection Law, which is inadequate for individuals to protect their privacy and insufficient for law enforcement. With the release of the above two laws, we expect that the government may simultaneously release certain technical regulations and standards, aiming to substantiate the compliance obligations of businesses and to provide practical guidance on the fulfilment of those obligations, while facilitating the public's ability to safeguard the rights of personal information protection.

Multiple dimensions in regulation

The coming year may bring legislation regarding different cybersecurity subjects. Taking CIIOs as an example, pursuant to the Cybersecurity Law, a CIIO must undertake stricter obligations than non-CIIO organisations. There is a set of draft regulations and national standards regarding CIIOs. If released in 2020, these would provide more specific guidance to define a CIIO and its obligations.

Additionally, the Information Security Technology Personal Information Security Specification, which had three draft revisions in 2019, is likely to be finalised. The new national standard would regulate data compliance comprehensively throughout the data's whole life cycle: from its collection, use, storage and transmission, to its deletion. Once issued, it will serve as a detailed standard providing enforcement guidance for the forthcoming Personal Information Protection Law.

Furthermore, with the regulation of cross-border data transfer remaining unsettled, the development of draft legislation concerning cross-border data transfer in 2020 is an important aspect for businesses at home and abroad. Such draft regulations include the Measures on Assessing the Security of Cross-border Transfer of Personal Information and Important Data (draft for public comments), the Information Security Technology Guidelines on Assessing the Security of Cross-border Data Transfer (draft for public comments) and the Measures on Assessing the Security of Cross-border Transfer of Personal Information (draft for public comments).

Lastly, measures and national standards on data processing and internal compliance operations are still in draft status, eg, the Information Security Technology Guidelines on De-identification of Personal Information (draft for public comments), the Information Security Technology Guidelines on Personal Information Security Assessment (draft for public comments) and the Information Security Technology Guidelines on Informed Consent for Personal Information (draft for public comments). We may see these draft standards put into practice after finalisation in 2020.

Construction of the data law

We expect the future legal mechanism of data protection to be based on three basic laws: the Cybersecurity Law; the forthcoming Personal Information Protection Law; and the expected Data Security Law. Each of them represents a separate dimension of cyberspace regulation.

The Cybersecurity Law regulates general security issues of cyberspace, including the construction, operation, maintenance and use of the network, and sets forth the rules regarding the operational security of critical information infrastructure and the regulatory authorities' responsibilities.

The forthcoming Personal Information Protection Law will likely regulate the security issues arising during the life cycle of personal information, including the security obligations of data controllers and data processors and the lawful rights of data subjects.

The forthcoming Data Security Law will likely regulate the security issues arising during the life cycle of important data and non-personal information, with an emphasis on big data, and set forth obligations for data controllers. The Administrative Measures on Data Security (draft for public comments), promulgated in 2019, is expected to be a regulation implementing the Data Security Law.

The comprehensive structuring of data legislation provides a clear roadmap for enterprises to follow and to carry out internal compliance management systematically and efficiently.

Stricter regulation in key industries

Against the general background of stricter regulation, the competent authority for each industry, especially key industries, is expected to develop detailed rules on the implementation and enforcement of data compliance and personal information protection, as well as the penalties. Such detailed rules will likely be enacted pursuant to the above-referenced basic laws and tailored to fit specific industries. The key industries in this paragraph include: (i) under the Cybersecurity Law, the seven important industries that have critical information infrastructures, which are public communication and information services, energy, transportation, water conservancy, finance, public services and e-government; and (ii) other industries that have a critical influence on basic livelihood and public security.

Challenges for Businesses

The coming year will be a challenging one as regards compliance for businesses at home and abroad. As China improves its legislation regarding cybersecurity and personal information protection, the compliance requirements for enterprises are becoming more challenging. Some of the major challenges are set out below.

Management requirements for construction, operation, maintenance and use of an enterprise's network

The forthcoming Data Security Law (draft for comments), the Administrative Measures on Data Security, and other relevant