Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China's National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.

As tensions continue to rise between China and the United States, the Chinese government has taken a step forward in actualizing the “Unreliable Entity List,” first announced by China’s Ministry of Commerce on May 31, 2019, following the addition of Huawei and affiliates to the U.S. Commerce Department’s “Entity List.” Now, as the U.S. government

China has set out on an ambitious agenda of aiming to become the world leader in artificial intelligence by 2030. Policy experiments form a critical part of China’s AI development strategy, and to that end multiple government think tanks have set out to formulate standards that may impact AI innovation in China.

The China Electronics Standardization

On June 27, 2018, China’s Ministry of Public Security (“MPS”) released for public comment a draft of the Regulations on Cybersecurity Multi-level Protection Scheme (“the Draft Regulation”). The highly anticipated Draft Regulation sets out the details of an updated Multi-level Protection Scheme, whereby network operators (defined below) are required to comply with different levels of

On January 2, 2018, the Standardization Administration of China (“SAC”) released the final version of the national standard on personal information protection, officially entitled GB/T 35273-2017 Information Technology – Personal Information Security Specification (GB/T 35273-2017 信息安全技术 个人信息安全规范) (hereinafter “the Standard”).  The Standard will come into effect on May 1, 2018.

As highlighted in our previous coverage of drafts of the Standard (see here and here), although it is nominally a voluntary framework, the Standard effectively sets out the best practices that will be expected by regulators auditing companies and enforcing China’s existing (but typically more generally-worded) data protection rules, most notably the 2016 Cybersecurity Law.  Drafts of the Standard — even prior to its finalization — have also in some cases been the basis for non-compliance remediation plans and undertakings agreed between companies and the Cyberspace Administration of China (“CAC”) following CAC audits, as we reported here.

The Standard applies to “personal information controllers,” namely any private or public organization that has “the power to decide the purpose and method” of processing personal information.  This is seemingly modelled on European law’s “data controller” concept.

The Standard regulates the use of “personal information” by these controllers, a term largely aligned with strict conceptualizations of “personal data” under the EU’s General Data Protection Regulation (“GDPR”).  Examples of “personal information” listed in an annex to the Standard include device hardware serial codes, IP addresses, website tracking records, and unique device identifiers, among other things.
The definition of “sensitive personal information,” however, takes a different approach to the GDPR: rather than applying only to specific types of data, the Standard takes a risk-based approach, defining “sensitive” personal information as any personal information which, if lost or misused, is capable of endangering persons or property, easily harming personal reputation and mental and physical health, or leading to discriminatory treatment.  According to the Standard, this could for example include national identification card numbers, login credentials, banking and credit details, a person’s accurate location, information on a person’s real estate holdings, and information about a minor (under 14 years old).

Similar to general principles of most data protection laws, the Standard requires transparency, specificity and fairness of processing purpose, proportionality (use and retention of only the minimum information necessary to achieve the stated purpose), security, risk assessment, and the respect of individuals’ rights to control the processing of information about them.  It also requires either consent from individuals, or reliance on a limited range of exceptions set out in the Standard, for the purpose of collection and processing of personal information.

This article looks at some of these aspects in more detail, including some of their key divergences from European data protection law, including the GDPR.  (Please note that this is not an exhaustive description of the Standard, nor is it a detailed comparison with the GDPR.)

Consent and other legal grounds for processing

The Standard lays down a basic rule that the collection of personal information and its subsequent use should be affirmatively consented to ahead of time, with further (informed) consents being required for any activity exceeding the scope of the original consent.

For sensitive personal information, the informed consent must be clear and explicit, and the information to be provided must distinguish between the “core business functions” of the products or services being provided, and “other products or services, such as those that provide additional capabilities.”  If an individual refuses to consent to the ancillary uses of their data, the collector/controller may decline to provide the additional services, but may not cease or degrade the provision of core business products and services to that individual.

Where the data relates to a minor, explicit consent must be obtained from the minor’s parent or guardian, unless the minor is at least 14 years old, in which case consent may also be obtained directly from him or her.

The Standard derogates from these consent requirements by including a number of non-consensual grounds for collecting and processing personal information.  Analogues of several of those grounds can be found in the GDPR, but others are different, for instance necessity for troubleshooting products and services, or necessity for reporting by news agencies.  Collecting information from public sources, such as news reports, also does not require prior consent.  Some of the more permissive processing grounds found in GDPR Article 6 (for non-sensitive data) are absent, such as necessity for the legitimate interests of the controller or a third party, even though the Standard’s exceptions arguably cover some of the commonly seen examples of legitimate interests, including necessity to perform a contract.

As further described below, consent is usually also required to the sharing or transferring of personal information.

The Standard also imposes a requirement akin to the GDPR’s “purpose limitation” requirement (namely, that all uses of the information, including secondary uses, should be reasonably connected with the original purpose of collection of the data, and should be reauthorized if that is not the case).  It sets aside that principle for certain research and academic purposes, provided the personal information is de-identified in public disclosures about the research.

Notice

The Standard requires the inclusion of certain information in privacy notices, including but not limited to:

  • For each business use: personal information collection and processing rules such as the collection method and frequency, place of storage, and frequency of collection;
  • If data is shared, disclosed or transferred, the types of data involved, the types of the data recipients, and rights and obligations of each party;
  • Data subject rights, and complaint handling;
  • Security principles followed, and security measures implemented;
  • Security risks that may exist after providing personal information; and
  • The controller’s “usual office location” and contact information.

The Standard does not explicitly allow such information to be omitted from notices if the individual already possesses it from other sources (e.g. from app pop-up notices, or through their regular dealings with the organization), unlike the GDPR.  Privacy notices must be delivered to individuals “one by one,” though if costs become too high or when there are significant difficulties, a public announcement is possible instead.

The Standard also requires cessation of processing to be notified to individuals, either individually or by general announcement.

Rights of individuals

The rights conferred on individuals are similar to those under the GDPR, although:

  • The Standard requires requests to be complied with in less than 30 days (or other legally-stipulated period), whereas under certain circumstances the GDPR allows further extensions;
  • The Standard includes a “straightforward account cancellation” right;
  • The erasure right appears somewhat strengthened, through omission of exceptions found in the GDPR (which for example allows refusal of erasure requests in the interests of freedom of expression and information, or scientific research), and includes significant obligations to notify third parties of the erasure (and in some cases, order them to also delete the data). On the other hand, the right can only be invoked after processing violates applicable law or an agreement with the individual.
  • The data portability right arises in a wider range of situations, but is limited to certain information, such as health, education or occupational information.

Use of vendors / processors

Before outsourcing the processing of personal information, the Standard requires controllers to conduct risk assessments and ensure that the vendor (processor) would offer adequate security; once the subcontracted processing is underway, controllers must supervise the processors, including through audits and assessments.  Processors must obtain controllers’ permission before further subcontracting the processing services.

As under the GDPR, processors must help controllers comply with data subject requests, and promptly notify controllers of security incidents.  The Standard adds broader duties to promptly notify controllers when processors are “unable to offer an adequate level of security” or after they process the information entrusted to them other than strictly in accordance with the controller’s requirements.

Data sharing

Unless the information is de-identified, prior notice and consent from individuals to the transfer or sharing of their data is required (distinct from the consent that covered the initial collection and processing of data), as is also required by China’s Cybersecurity Law.  By contrast, the GDPR does not strictly require consent to sharing of data.  However, the GDPR and the Standard both suggest that the sharing be covered by some sort of prior risk assessment and mitigation exercise.

The Standard also sets out specific record-keeping obligations regarding the sharing or transfer of personal information, and an obligation on controllers to assume a degree of responsibility for any damage caused to individuals by the transfer or sharing of their personal information.

Alternative rules apply in respect of mergers, acquisitions, reorganizations or “other kinds of change,” as well as to public disclosures of personal information.  Public disclosures of biometric information are prohibited.

As with processing grounds, exceptions to the aforementioned sharing, transfer and disclosure consent requirements apply, for instance, where the data was collected from public sources, or if the disclosure is necessary for criminal investigations.

Security and deletion

The Standard prescribes that controllers must (i) have internal procedures to grant access to personal information and authorize operations such as batch modification, copying and downloading; (ii) keep records of data processing; (iii) appoint a Chief Information Security Officer plus designated “key personnel” with leadership responsibility for information security; (iv) conduct periodic (at least annual) staff training; (v) conduct security testing before the release of products or services; and (vi) if the organization is large enough or processes information about more than 500,000 people (or expects to do so in the next 12 months), have a dedicated information security team.  Individuals with access to large amounts of sensitive personal information must be subjected to background checks.  In requiring these specific programs, the Standard is more granular than the GDPR.

Incident response

The Standard requires organizations to maintain information security incident response plans, undertake regular training and emergency drills (at least once a year), implement incident record-keeping and assessment, adhere to the CAC’s “National Network Security Incident Contingency Plan” for notification of incidents to authorities, and notify cybersecurity incidents to affected individuals.  Unlike the GDPR, no severity threshold or specific time period for reporting is expressly mentioned under the Standard.

Note that the Cybersecurity Law requires “network operators” to notify an incident to regulators and affected individuals when there has been actual or potential “leakage, damage, or loss” of personal data (Article 42).  It is not clear whether a data controller would be subject to this reporting obligation if the breach occurs within their processors’ network, nor what kind of incidents may be counted as “potential” breaches.

Periodic data protection impact assessment

Finally, the Standard requires data protection impact assessments (“DPIAs”), which are not unlike those in the GDPR, although the GDPR is less specific about how frequently they must be conducted: under the Standard, DPIAs must be repeated at least annually, as well as when (i) new legislative requirements come into effect, (ii) business models, information systems or operational environments undergo a major change, or (iii) a significant personal information security incident occurs.  The assessment reports must be “open to the public in appropriate form.”

International data transfers

The Standard states at a high level that data controllers will need to go through a security assessment if they would like to transfer personal data out of China.  More detail regarding cross-border data transfers is expected to be covered by separate regulations and standards.

Continue Reading China Issues New Personal Information Protection Standard

In the past three weeks, China’s State Council and the State Cryptography Administration (“SCA”) issued two documents that reveal a major change in the regulatory regime governing commercial encryption products in China, potentially paving the way for the draft Encryption Law to establish a uniform encryption regime. This development and its practical implications will be

For years, the foreign business community has called for greater transparency and opportunities to provide more input into China’s legislative and regulatory rule-making processes. In a small step forward, on July 19, the Legislative Affairs Office of the State Council (“SCLAO”) released draft revisions to the Regulations on Procedures for Formulating Administrative Regulations (“Draft Revisions”)

On July 11, 2017, the Cyberspace Administration of China (CAC) released the draft Regulation for the Protection of the Critical Information Infrastructure (“Draft Regulation”) for public comment (official Chinese version available here). The comment period ends on August 10, 2017.

Aiming to add greater clarification to the Cybersecurity Law, which took effect on June 1, 2017, the Draft Regulation clarifies the scope of Critical Information Infrastructure (“CII”) and elaborates on how CII operators are supposed to protect their networks against cyber threats. The Draft Regulation also sets out additional obligations CII operators face, including allowing officials to perform cybersecurity inspections, among others.

The Draft Regulation may help reduce some of the confusion surrounding the key phrase “critical information infrastructure,” which constitutes a crucial part of China’s fast-evolving cybersecurity regulatory framework. But many important questions remain unanswered in the current draft. Companies that either operate in the sectors identified in the Draft Regulation or that supply operators in those sectors should be mindful of the requirements relating to cybersecurity, especially relating to cybersecurity reviews and procurement of network services and products, and closely monitor the regulatory developments.

Key elements of the Draft Regulation are summarized below.

Classification of CII and CII Operators

The Cybersecurity Law defines CII broadly as “infrastructure that, in the event of damage, loss of function, or data leak, might seriously endanger national security, national welfare or the livelihoods of the people, or the public interest.” Article 31 of the Cybersecurity Law references a number of “key sectors,” including telecommunications, energy, transportation, water conservation, financial services, utility, and e-government.

Article 18 of the Draft Regulation further clarifies the scope of CII, specifying that “critical network infrastructure and information systems” operated or managed by entities in the sectors identified below should be considered CII, if such infrastructure, “in the event of damage, loss of function, or data leak,” may “seriously endanger national security, national welfare or the livelihoods of the people, or the public interest.” The entities that can be identified as operators of CII include:

  • Governmental agencies, and entities in the sectors of energy, finance, transportation, water conservation, healthcare, education, social insurance, environmental protection, utilities and so on;
  • Information network operators such as operators of telecommunication, broadcasting networks, and the Internet, as well as service providers of cloud computing, big data, and other large-scale public information services;
  • “Manufacturing and research and development entities” in sectors such as national defense, large-scale equipment, chemical engineering, and food and drugs;
  • “News units,” including broadcasting stations, TV stations, and news agencies; and
  • “Other key sectors.”

Continue Reading China Seeks Public Comments on Draft Regulation on the Protection of Critical Information Infrastructure
On May 16, 2017, the Legislative Affairs Commission of the National People’s Congress (NPC) Standing Committee of China released for public comment a draft of the National Intelligence Law (“the Draft Law”). The Draft Law, if enacted as drafted, would be the first Chinese statute to systematically address national intelligence related issues, including institutional structures,

When China’s Cybersecurity Law was enacted last November, one question (among many) that surfaced was how the government would implement the “national security review” that the law requires for certain network products and services.  The law, which takes effect this June, provides that any network products and services that might affect national security procured

On October 31, the Xinhua news agency reported that the Standing Committee of China’s National People’s Congress (“NPC”) is conducting the third reading of the draft Cybersecurity Law (“the Law”). NPC released two previous drafts of the Law for public comment in July 2015 and July 2016 (see Covington e-alerts here and here), but