Data Privacy Strengthened – Perspectives from China and Singapore
This article examines the latest developments in China's data privacy regime, from the point of view of how the Draft Network Regulations advance the rights of data subjects in various respects. As both the Singapore and China regimes are evolving, with regulatory agencies responding to privacy issues in an increasingly tech-connected world, a comparative survey is made of Singapore's Personal Data Protection Act and its latest regulations.
After the key data privacy and cybersecurity laws, i.e. the Personal Information Protection Law (PIPL) and the Data Security Law, were enacted in China last year, the authority in charge, the Cyberspace Administration of China (CAC), issued further draft regulations, the Network Data Security Administrative Regulations (Draft Network Regulations), on 14 November 2021. While business media[1] had in the past few months raised concerns about increasing regulatory oversight, in particular of overseas-listed companies being subject to cybersecurity review, it is worth noting, in contrast, how the Draft Network Regulations advance the rights of data subjects in many respects. In some instances, stronger protection is accorded than what data subjects are entitled to in other Asian jurisdictions, for example Singapore, which does not confer a right of deletion.
Broad Scope of Application
The Draft Network Regulations are similar to the data privacy regimes in Singapore and the EU, in that they apply whenever products or services are provided to China. However, the Draft Network Regulations go a step further, extending their scope not only to analysing and evaluating the behaviour of individuals in China, but also to doing so in respect of "organisations in China". In addition, the scope also covers the processing of "important data". It remains to be seen whether the draft will retain its current language, or be amended when the regulations are subsequently promulgated. Be that as it may, this article will examine the Draft Network Regulations from the point of view of the enhanced protection of personal data for data subjects.
Right to Deletion/Anonymisation
Under the Draft Network Regulations, personal data must be deleted or anonymised within 15 days when certain circumstances arise, such as when the purpose for data collection has been fulfilled, or the data ceases to be necessary. While the right to deletion has already been set out in the PIPL, the Draft Network Regulations amplify this right, as well as other data subject rights. An affirmative duty is placed on the data controller[2] to initiate deletion or anonymisation; where there is difficulty in doing so, the data controller is obliged to provide an explanation to the data subject. It is worth noting that the grounds for deletion include an additional ground not found in the PIPL, namely where automated processing risks encroaching on extraneous personal information.
In addition to data deletion being triggered by such objective situations, the Draft Network Regulations go a step further by enabling data subjects, on their own volition, to request deletion, provided it is reasonable to do so. By bifurcating the deletion right, between deletion when objective circumstances arise and deletion when requested by the data subject, the draft marks a step forward in conferring broader protection on data subjects, though some of the objective grounds precipitating data deletion could have been regulated under the principle of storage limitation.
Right to Access
Elsewhere in the Draft Network Regulations, the rights to access, amend and supplement one's data are reiterated. The pro-consumer stance is also buttressed by a strict prohibition on businesses resorting to coercive or other unfair tactics in seeking consent, ranging from refusing or disrupting supply, to deceptive means of procuring consent, to consent obtained on the pretext of offering a service upgrade, improving user experience, or R&D of a new product. Notably, bundling of consent is proscribed; consent should instead be obtained only when the purpose is clearly identified, with a proper privacy notice being given. These new provisions thus pre-empt loopholes that may otherwise be exploited to circumvent the consent requirement, by enumerating various instances of vitiated consent, which will be invalidated under the Draft Network Regulations.
Engaging Third Party Processor
Similarly, if the data may be shared with, or transferred to, a data processor[3] or other third party, the onus is on the data controller to inform the data subject of the purpose, data type, scope, retention period and place of storage, as a prerequisite to obtaining the data subject's consent to such transfer or sharing. This obligation on the controller is in addition to its duty to impose back-to-back protection measures, via contractual or other means, on the recipient with whom data is shared or transferred, and to monitor the recipient's compliance with such measures. It should be noted that these requirements apply regardless of whether or not the data is exported out of China, which is separately subject to regulatory approval.
Mandatory Data Breach Notification
In Singapore, where most recent enforcement actions by the Personal Data Protection Commission (PDPC) have been triggered by data security breaches, it is worth noting the parallel emphasis in the Draft Network Regulations on the stringent measures required. These include implementing data backup, encryption of data, controlling access, and enhancing the security protection of data processing systems, data transmission networks, and data storage environments. In particular, when processing important data, there is an additional requirement to fulfil Level 3 or higher cybersecurity protection standards as set out in the Information security technology – Classification guide for classified protection of cybersecurity (GB/T 22240-2020), issued by the PRC State Administration for Market Regulation and the Standardization Administration of the PRC.
Also similar to the introduction of mandatory data breach notification under the Singapore regime, under the Personal Data Protection (Notification of Data Breaches) Regulations 2021 (Singapore Data Breach Regulations), the Draft Network Regulations prescribe specific guidelines for responding to and dealing with data breaches. As a pre-emptive measure, all data controllers are required to establish an emergency response system for data security breaches, and to expeditiously activate the emergency response once a data security incident arises, in order to control the damage and seek to remove the security risks.
In terms of notifying the affected data subjects, there is an obligation to do so within three business days if the security breach "caused harm" to an individual or organisation. There are no further guidelines on what constitutes harm. In comparison, the Singapore Data Breach Regulations set out an extensive list of what is considered a harmful data breach, comprising, among other things, the name or alias of an individual together with an identification number, salary and income, health insurance and certain medical information, bank card number, password, access code, biometric data, and other account identifiers.
In the EU, helpful "practice-oriented, case-based guidance" is laid out in the European Data Protection Board Guidelines 01/2021 on Examples Regarding Personal Data Breach Notification, adopted on 14 December 2021. It includes guidance on how risks should be calibrated in light of pertinent factors in the event of a ransomware attack where there is no exfiltration of data, and the data is also backed up in the IT system. There is therefore no one-size-fits-all approach requiring every breach incident to be reported (with the consequential burden on the administrative agency's workload). As it stands, data controllers under the Draft Network Regulations would have to make their own self-assessment of whether harm has been caused by the data breach incident, and if so, notify data subjects through phone calls, SMS, instant messaging tools or e-mails, etc., and, if the affected persons cannot be reached, via public announcement.
As for notifying the regulatory authorities, the reporting obligation is triggered whenever the personal information of more than 100,000 individuals, or "important data" (though this is not defined), is affected by the security breach. In such instances, an initial report containing information about the security incident, including the amount and types of data involved, the possible impacts, and the response measures taken or proposed to be taken, must be filed with the city-level cybersecurity authority within eight hours of the incident arising. This is to be followed by a further investigation and impact assessment report, to be filed within five business days, outlining the cause of the security breach, the damages identified and the rectification measures adopted.
Right to Data Portability
The right to data portability is further clarified. It is interesting to note that this right, exercisable by a consumer to move their personal data across to another provider, dovetails with the parallel development of China's antitrust legislation, which is also undergoing amendments to safeguard consumers against Internet and other platforms, in possession of massive data, abusing their market dominance. The same phenomenon is seen elsewhere, from the EU to the US, in clamping down on tech giants.
With both data privacy and competition laws governing how customer data should be handled, we can expect businesses to ramp up on their IT system and staffing, to facilitate customer requests to access, correct or transfer their data to a competitor. Unanswered questions in the Draft Network Regulations remain, for example, what is the threshold for asking data subjects to foot the expenses of acceding to their requests, whether only machine-readable data must be ported, and what about the data controller’s own analysis that is derived from the underlying raw data provided by data subjects, whether the data controller can retain the fruits of their labour.
Must a DPO be Appointed?
The Draft Network Regulations also strengthen the whistleblowing channel for data subjects, requiring that a proper channel be set up by the data processor to enable complaints to be submitted, and that contact persons be identified. Though not explicitly stated, this may in practice create the need to appoint a de facto Data Protection Officer for each company, as it would be prudent to have trained personnel handle complaints. If so, a further question is whether companies can outsource the hotline function to a specialist firm, to benefit from professional support and handholding.
The Draft Network Regulations complement the recently issued Internet Information Service Algorithmic Recommendation Management Provisions, and other draft regulations in the pipeline, including the draft Measures of Security Assessment of Cross-border Transfer. All in all, these are welcome developments, marking a step forward in consumer protection, alongside competition law safeguards, as well as the relatively strict advertising law in China, for example against celebrity product endorsement unless bona fide. Other Asian jurisdictions have been reforming their data privacy legislation, and one can look forward to the China regime also evolving over time to enhance personal information protection.
[1] See for example https://www.reuters.com/technology/china-require-certain-firms-undergo-cybersecurity-reviews-before-pursuing-2022-01-04/; https://www.cnbc.com/2022/01/04/china-to-require-data-security-review-on-some-firms-before-ipo-abroad.html
[2] Note that "data controller" terminology is used here, as commonly referred to under the EU General Data Protection Regulation (GDPR). Under the China legislation, the terminology corresponding to data controller under the GDPR is "personal information processor".
[3] Where the data controller (defined as "personal information processor" under China legislation) engages a third party to process data on its behalf, the "data processor" in GDPR parlance is termed a "contracted party" in the China legislation.