The Chinese Government passed the new PRC Cybersecurity Law on 7 November 2016 and it will take effect on 1 June 2017. The Law is a clear indicator of an increased focus by the Chinese authorities on data protection and its broad scope and potentially wide-ranging effects may increase data protection and data security compliance obligations for HR managers.
What are the main provisions of the PRC Cybersecurity Law?
The Law imposes various network security obligations on ‘network operators’ (as defined below). To name a few, network operators are required to:
- adopt measures in accordance with a classified cybersecurity protection system set out in the Law, including formulating internal security systems and operating rules, specifying relevant personnel in charge of network security protection, data incident notifications and keeping network logs for at least 6 months;
- formulate emergency response plans in the event of network security attacks; and
- render assistance to government authorities for the purposes of protecting national security or criminal investigations etc.
The Law also imposes additional obligations on any organisation that is a ‘key information infrastructure operator’ (KIIO). In essence, KIIOs are operators of information infrastructures that store information, the leakage of which would seriously jeopardise national security, the livelihoods of Chinese people and/or the public interest. As well as enhanced security obligations, the Law requires that any personal information and ‘important data’ gathered or produced by a KIIO can only be stored or transferred outside China (i.e. the People’s Republic of China, excluding Hong Kong, Macau and Taiwan) where it is ‘necessary’ and subject to a security assessment by the Chinese authorities. These data localisation requirements have attracted significant coverage and concern, as they are likely to pose problems for many international businesses or organisations needing to transfer personal information outside of China. KIIOs will also be restricted from procuring non-approved network products and services.
In relation to data protection, the Law requires network operators to (amongst other measures):
- maintain confidentiality of the data subject's information;
- clearly disclose the purpose, method and scope of collection and use of personal information;
- seek consent from the data subject before collecting and processing personal information; and
- refrain from providing personal information of a data subject to third parties without the data subject's prior consent.
The data subject also has the right to request that a network operator delete his/her personal information where the network operator has illegally collected or used that personal information, or amend incorrect personal information.
Penalties for non-compliance with the Law include, but are not limited to, fines up to RMB 1,000,000 for network operators and RMB 100,000 for individuals, suspension of business, and revocation of operational permits or business licenses.
Should HR managers be concerned?
Although the Law does not make express reference to employee data or Human Resources operations and this is not the specific focus of the Law, the broad definition of various terms means it is capable of applying to network operators’ and KIIOs’ employee data as well.
For example, ‘network operator’ is broadly defined to include all network owners and administrators, as well as network service providers, and ‘network’ is defined as a system comprised of computers and other information terminals that collects, stores, transfers, exchanges and processes information pursuant to certain rules and procedures. Commentators have suggested that this definition is broad enough to cover any business or organisation that simply owns and/or administers a website in China.
Similarly, ‘personal information’ is defined to include all kinds of information that, taken alone or together with other information, is sufficient to identify a person’s identity. Such information includes a person’s name, birth date, identification number, identifying biological characteristics, address and telephone numbers. The natural reading is that this would cover all employee-related information collected and maintained by the Human Resources team of a ‘network operator’.
Great uncertainty remains about which organisations will be deemed KIIOs and thus required to keep their personal data within China. The Law and subsequent publications have sought to identify several industries that may be deemed KIIOs—including public communications and information services, energy, transportation, hydropower, finance, public service and e-government, education, scientific research, industry and manufacturing, medicine and health, and social security—however it is unclear whether those organisations will automatically be deemed KIIOs or whether the impact of a potential security breach by such organisations must also be considered. Unofficial reports have suggested, for example, that the Chinese authorities’ focus is on organisations where a cybersecurity breach could affect a significant proportion of the population of a city or whose website attracts millions of daily users, but this has yet to be confirmed officially. We await further guidance on this key issue, but in the meantime organisations within these industries should plan ahead in case they are determined to be a KIIO.
What does this mean for HR managers?
The Law builds on existing data protection obligations in China, including under employment laws and laws relating to electronic data, and confirms as binding law many data protections that were previously only prescribed as best practice in China. To this end, HR managers should:
- Review the company's current network system to assess whether it is compliant and, if not, make the necessary adjustments. Data incident response and data breach notification should now be a particular area of focus.
- Arrange training for employees and senior management to enhance awareness of cybersecurity and data protection requirements under the current Chinese employment and data protection framework, including the Law.
- If potentially a KIIO, start making contingency plans to keep personal data within China.
- Comply with employee requests to access and correct personal information, withdraw consent and make complaints.
- Review current data protection notices and consents to ensure they clearly communicate the purpose, method and scope of collection of employee personal information. In particular, ensure they obtain employees' express consent before providing or transferring any of their personal information to third parties.
While criminal sanctions, administrative penalties and civil liabilities potentially await those who violate the new Law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed, practical guidance in the coming months. In the meantime, HR managers are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance before 1 June 2017.
Article contributed by Carolyn Bigg, Of Counsel, DLA Piper and David Smail, Associate, DLA Piper