Carolyn Bigg, Amanda Ge, Venus Cheung and Qiuyang Zhao | Privacy Matters | DLA Piper Data Protection and Privacy | DLA Piper
https://privacymatters.dlapiper.com/author/venus-cheung/

CHINA: Mandatory Data Protection Compliance Audits from 1 May 2025
https://privacymatters.dlapiper.com/2025/02/china-mandatory-data-protection-compliance-audits-from-1-may-2025/
Thu, 20 Feb 2025 11:19:41 +0000

Chinese data regulators are intensifying their focus on the data protection compliance audit obligations under the Personal Information Protection Law (“PIPL”), with the release of the Administrative Measures for Personal Information Protection Compliance Audits (“Measures”), effective 1 May 2025.

The Measures outline the requirements and procedures for both self-initiated and regulator-requested compliance audits.

(Interestingly, they also clarify some other PIPL obligations, such as the data volume threshold for appointing a DPO as well as the necessity of separate consent for some processing activities.)

Who must conduct data protection compliance audits, and when?

The Measures require a data controller processing personal data of more than 10 million individuals to conduct a self-initiated compliance audit of its personal data processing activities (“Self-Initiated Audits”) at least once every two years.

Data controllers below this volume threshold should still conduct Self-Initiated Audits on a regular basis as is already prescribed under the PIPL, as a matter of good governance.

In addition, the CAC or other data regulators may instruct any data controller to conduct an audit (“Regulator-Requested Audits”):

  1. when personal data processing activities are found to involve significant risks, including serious impact on individuals’ rights and interests or a serious lack of security measures;
  2. when processing activities may infringe upon the rights and interests of a large number of individuals; or
  3. following a data security incident involving the leakage, tampering, loss, or damage of personal information of one million or more individuals, or sensitive personal information of 100,000 or more individuals.

The audit report for Regulator-Requested Audits must be submitted to the regulator. The regulator may request data controllers to undertake rectification steps, and a subsequent rectification report must be provided to the regulator within 15 business days of completing the rectification steps.

Data controllers may, if they wish or when requested by the regulator, engage an accredited third party to conduct the audit (but the third party and its affiliates must not conduct more than three such audits in total for the same organisation).

DPOs of data controllers processing personal data of more than one million individuals are responsible for overseeing the audit activities.

Key elements to be audited

The Measures outline a detailed set of key elements to be audited, which offer valuable insights into the detailed compliance steps expected from controllers for compliance with PIPL obligations, and will help organisations to scope their audits. Unsurprisingly, these elements cover every facet of PIPL compliance, spanning the whole data lifecycle. They include: lawful bases, notice and consent, joint controllership, sharing or disclosing personal data, cross-border data transfers, automated decision-making, image collection/identification equipment, processing publicly available personal data, processing sensitive personal data, retention and deletion, data subject right requests, internal data governance, data incident response, privacy training, Important Platform Providers’ platform rules and CSR reports, etc.

VIETNAM, MALAYSIA AND INDONESIA: what you need to know about the new SE Asia data protection laws
https://privacymatters.dlapiper.com/2024/10/vietnam-malaysia-and-indonesia-what-you-need-to-know-about-the-new-se-asia-data-protection-laws/
Thu, 31 Oct 2024 08:38:35 +0000

It’s the turn of South-East Asian countries to update their data protection laws. Here is our summary of the proposed new data protection laws in Vietnam, Malaysia and Indonesia. Organisations are advised to update their data protection compliance programmes as soon as possible to reflect these developments.

Vietnam

Vietnam issued its first draft of a new Personal Data Protection Law (“PDPL”) in September 2024, for public consultation. The PDPL is anticipated to be adopted in May 2025, and it is tentatively scheduled to come into effect on 1 January 2026. The draft PDPL aims to create a more robust framework for data protection in Vietnam by unifying, clarifying, enhancing and supplementing the existing data protection rules set out in Vietnam’s existing Personal Data Protection Decree (“PDPD”). It remains unclear how the PDPD and draft PDPL will work together in practice, although some commentators suggest the PDPL will supersede the PDPD.

In addition to setting out eight personal data protection principles, the draft PDPL focuses on discussing specific compliance requirements for a number of processing activities and industries, including direct marketing, behavioural advertising, big data, AI, cloud computing, employee monitoring and recruitment, financial and credit information, health, insurance and social media. Key highlights proposed in the draft PDPL include (this is not a comprehensive list):

  • Extra-territorial effect: the draft PDPL extends the scope under PDPD to cover processing of foreigners’ personal data within Vietnam.
  • Consent: like the PDPD, consent remains the key legal basis for data processing, and separate consents are required for specific data processing activities.
  • Clarified definitions: the draft PDPL clarifies the distinction between ‘basic personal data’ and ‘sensitive personal data’. New definitions are also introduced, including, amongst others, ‘developers’ and ‘personal data protection organization’. The data protection authority – currently known as A05 – would change its name if the draft PDPL is implemented.
  • Updates to DPIA/TIA dossier filings: the now-familiar data processing impact assessment dossiers (“DPIA Dossiers”) for controllers and processors and transfer impact assessment dossiers for transferors (“TIA”) would have to be updated upon certain material changes to the organisation were the draft PDPL to be implemented.
  • Data protection department: companies would be required to have a data protection department overseeing personal data processing (although this could be outsourced to external service providers), as well as an expert (like a DPO) meeting certain eligibility criteria, with an initial short-term (two-year) exemption for new small businesses.
  • Certification mechanism: the draft PDPL would introduce a data protection certification scheme, whereby certain organisations could earn trust ratings based on an assessment of their personal data protection practices.
  • Breach reporting deadlines: the timescale for notifying authorities of breaches of personal data protection regulations is clarified as being 72 hours.

Malaysia

Significant changes to Malaysia’s Personal Data Protection Act (“PDPA”) were recently passed via the Personal Data Protection (Amendment) Act (subject to royal assent), and are anticipated to come into effect soon. The PDPA is now quite old (first passed in 2010), and so the amendments are largely to update the Malaysia data protection framework, to align it with more modern data protection laws elsewhere in Asia. The key amendments are:

  • mandatory breach notification;
  • mandatory appointment of DPOs;
  • direct obligations on data processors;
  • data portability rights for data subjects;
  • change of “data user” terminology to the more familiar “data controller”;
  • expanding sensitive personal data to include biometric data;
  • removing rights of deceased individuals re their personal data;
  • increased penalties (now fines of up to MYR1,000,000 and/or imprisonment of up to three years); and
  • updating the cross-border data transfer framework, to remove the “whitelist” of approved jurisdictions, and instead allowing transfers to jurisdictions with equivalent standards of protection.

Besides the amendments to the PDPA, the Commissioner will develop guidelines to supplement the PDPA. The guidelines will cover areas including data breach notification, appointment of data protection officer, data portability, cross border data transfer, data protection impact assessment, privacy by design, and profiling and automated decision making.

Indonesia

Finally, a reminder that Law No.27 of 2022 on Personal Data Protection (“PDP Law”), Indonesia’s first omnibus data protection law, came into full effect, after a two-year grace period, on 17 October 2024. For further information about the compliance obligations introduced by the PDP Law, please see our earlier updates Indonesia: prepare now for the new Personal Data Protection Law | Privacy Matters and INDONESIA: Personal Data Protection Law PDPL Now in Force | Privacy Matters.

CHINA: Enhanced and clarified data compliance obligations on handlers of “network data”, covering personal information and important data, and operators of online platforms from 1 January 2025
https://privacymatters.dlapiper.com/2024/10/china-enhanced-and-clarified-data-compliance-obligations-on-handlers-of-network-data-covering-personal-information-and-important-data-and-operators-of-online-platforms-from-1-january-2025/
Wed, 16 Oct 2024 10:45:55 +0000

Additional and clarified data compliance obligations will soon come into force under the long-awaited Network Data Security Management Regulation (“Regulation”), which was released on 30 September 2024. The Regulation is formulated under the existing data protection framework pillars of the Cyber Security Law, the Data Security Law and the Personal Information Protection Law (“PIPL”), and provides practical implementation requirements and guidance on various aspects of data compliance, covering both personal information and certain non-personal information categories. The Regulation will take effect from 1 January 2025.

Scope

The Regulation governs “network data”, and the compliance obligations primarily apply to “network data handlers”.

  • Network data: the Regulation governs electronic data processed and generated via networks (“network data”) and applies to all the processing of network data within Mainland China. A “network” means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to certain rules and procedures. So, in practice, this captures all electronic data processed or generated online (including personal information and non-personal information).
  • Network data handler: a “network data handler” refers to the party that autonomously determines the purposes and means of processing network data. That is akin to a data controller when it comes to personal information. In practice, this would include communication network operators, online service providers and users.

The Regulation has extra-territorial effect. This means that, if a foreign entity processes personal information of Mainland China residents outside of Mainland China, the requirements of the Regulation and the PIPL will apply if the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour.

As has become common with China data regulations, if a foreign (non-Chinese) entity’s processing of network data outside of Mainland China may harm China’s national security, public interests, or the legitimate rights and interests of Chinese citizens or organizations, the Regulation restates Chinese authorities’ power to hold the foreign entity liable in accordance with other applicable laws. It remains unclear how these powers may be enforced in practice against non-Chinese entities without a presence in Mainland China.

Key Compliance Obligations

The Regulation focuses on four key areas:

  • personal information privacy: enhancements and clarifications to the existing China personal information protection framework as it pertains to “network data”;
  • “large scale” personal information handlers: introduces additional reporting obligations on data controllers of large volumes of personal information;
  • important data: imposes significant additional governance obligations to the existing “important data” compliance framework, and clarifies how organisations can assess whether or not they handle important data; and
  • online platform operators: extends existing compliance obligations to manufacturers of smart terminal devices with pre-installed applications, and imposes additional reporting and governance obligations on “large-scale network platforms”.

Impact on Data Privacy Compliance

Key developments as regards network data handlers processing personal information include:

  • Security defects, threats and risks: the timescale for network data handlers to report data incidents (i.e. security defects, threats or risks involving its products or services) is reduced, so that an incident must be reported within 24 hours of identification if it could harm national security or public interests. However, the Regulation does not specify what defects, threats or risks could harm national security or the public interest or provide any assessment methods.
  • Data processing agreements (“DPAs”) and record-keeping: the obligation on network data handlers to enter into a DPA with each third party to which it transfers personal information is clarified now to include C2C (controller to controller) transfers as well as C2P (controller to processor) transfers. The DPA and relevant processing records must be kept for at least three years. This obligation is also now clarified to extend to the sharing of important data with third parties, not just personal information.
  • Data portability: the PIPL gives data subjects the right to data portability (although it is little used in practice by data subjects in China). The Regulation now sets out the conditions that must be met to exercise such right, namely: (i) verifying the true identity of the data subject; (ii) the legal basis for processing the concerned personal information must either be consent or contract necessity; (iii) the transfer is technically feasible; and (iv) the transfer will not harm the legitimate rights and interests of others. Further, it is now clarified that, if the number of requests significantly exceeds a reasonable range, the network data handler may charge necessary costs of fulfilling the request. Please note that the right to data portability still only covers personal information. Unlike the EU Data Act, the portability of other non-personal business or operation data is not addressed under the Regulation.
  • Foreign entities keeping and reporting institutions/representatives in China: The Regulation clarifies the procedure for complying with the PIPL requirement for foreign entities processing the personal information of Mainland China residents outside of Mainland China to establish a dedicated institution or designate a representative within Mainland China for personal information protection and to report the name and contact information of such institution/representative, where the processing purpose is to provide products or services to the data subjects or to analyze or evaluate their behaviour. According to the Regulation, such information should be reported to the municipal-level data authority, which will then forward it to other relevant regulators at the same level. However, foreign entities still need to watch out for further clarifications regarding other aspects of this requirement such as the reporting timeframe.

Obligations re Important Data

  • Defining/identifying important data: the Regulation follows the current approach whereby industry regulators have been tasked to formulate (and some have already formulated) important data catalogues, setting out what will be deemed to be “important data” in their industry sector. However, unfortunately the Regulation seems to indicate that such important data catalogues will not be an exhaustive list of important data, and instead they should be treated more as industry guidelines to help organisations classify whether data constitutes important data, and then report it to the industry regulators as required under existing reporting/monitoring rules. Therefore, unfortunately, the most critical question, i.e. what constitutes important data, is still not clearly answered. Rather unhelpfully, instead of waiting for important data catalogues to be published, network data handlers operating in sensitive industries may now need to be prepared to identify and report their own important data based on the guidelines given by the authorities.
  • DPA: it is now clear that network data handlers must enter into a DPA with each third party to which it transfers important data, and that each such DPA must be kept for at least three years. This is a unique requirement for Mainland China, and means that organisations will potentially need to extend their template DPAs to cover important data as well as personal information.
  • Network data security officer appointment: a network data handler that handles important data must appoint a “network data security officer” (who shall be a member of senior management) and establish a “network data security management department”. They shall be responsible for: formulating network data protection policies and procedures; organizing training and drills; monitoring daily data processing activities; and handling claims, investigations and other data protection related matters pertaining to important data. This is in addition to existing obligations to appoint a DPO, DSO and CSO.
  • Transfer assessment: an important data handler must conduct a risk assessment before transferring important data to any third party, including in the case of entrusted or joint processing (except where the transfer concerned is mandatorily required by law). The assessment should include, inter alia, the data recipient’s data protection capabilities and overall compliance status; and the effectiveness of the contract with the data recipient to comply with relevant data protection obligations. This appears to be closer to a PIIA for personal information than an EU-style DPIA or TIA, but we await a template assessment form or further guidance from the regulators on this.
  • Reporting during M&A and corporate reorganisations, etc.: if the security of important data may be affected by an important data handler’s M&A, corporate reorganization, dissolution, bankruptcy or other similar events, the handler must take measures to ensure data security, and report information regarding the data recipients and related matters to the relevant industry regulator and/or data authority at provincial level or above.
  • Annual assessment report: an important data handler must carry out a risk assessment of its data processing activities once a year, and submit the assessment report to the relevant industry regulator at provincial level or above. Details of what these annual reports must include, and how to submit them, have not yet been published; and it is also unclear how these align with the proposed mandatory data compliance audits recently proposed by the China data protection authorities.

Obligations on “Large Scale” Personal Information Handlers

The Regulation requires a network data handler who processes personal information of more than 10 million data subjects to comply with the “network data security officer appointment” and “reporting during M&A and corporate reorganisations etc.” obligations (discussed above) in the same way as an important data handler. However, the Regulation does not address whether the personal information of more than 10 million data subjects per se constitutes important data.

Obligations on Online Platform Operators

The Regulation emphasizes existing obligations on online platform operators (that is, operators of websites, mobile apps, etc.) to monitor and supervise data processing activities carried out by the users or third parties via their platforms. For example:

  • platform operators must formulate rules and put in place effective contracts with third parties residing on the platform to clarify data protection obligations and responsibilities; and
  • app store operators must conduct security assessments of the applications distributed via their stores, and remove non-compliant applications if the compliance gaps cannot be effectively remediated.

Notably, the Regulation now extends the definition of online platform operators to manufacturers of smart terminal devices with pre-installed applications (such as mobile phone and smart home product manufacturers), and requires them to comply with online platform operators’ obligations in addition to hardware manufacturers’ obligations.

The Regulation also introduces a definition of “large scale network platforms” as online platforms which have more than 50 million registered users or more than 10 million monthly active users, offer complex types of services, and may have significant impact on national security, economy and people’s livelihood. The Regulation further provides that large scale network platform operators are subject to additional obligations such as publishing an annual social responsibility report discussing how personal information protection matters are handled, and implementing measures to prevent unfair competition conducted via the platforms, etc.

Next Steps

The Regulation adds to, rather than replaces, the existing – complex and ever-evolving – China data protection framework, and requires organisations handling China data to update their China data compliance programmes to prepare for these additional compliance obligations before the start of 2025.

Further, as indicated by the Regulation, data incident reporting, DPAs, record-keeping and compliance assessments/reporting will likely become the new compliance focus of the China data authorities in 2025.

Online platform operators’ responsibilities of monitoring in-platform data processing activities will still be an enforcement focus. Meanwhile, smart device manufacturers – who will now be regulated as online platform operators – will face a new set of complex obligations, and so are recommended to familiarize themselves with the requirements and upgrade their compliance programmes before the end of the year.

China: New definition and guidelines on Sensitive Personal Information now finalised
https://privacymatters.dlapiper.com/2024/09/china-new-definition-and-guidelines-on-sensitive-personal-information-now-finalised/
Mon, 30 Sep 2024 16:15:19 +0000

We previously wrote about proposed changes to the definition of sensitive personal information under a June 2024 draft of the Guide for Sensitive Personal Information Identification (“Guide”). The Guide has now (September 2024) been finalized and issued by the National Information Security Standardization Technical Committee (TC260). Helpfully, it gives organisations greater scope to self-assess whether or not data qualifies as sensitive personal information based on risk of harm rather than just a prescriptive list.

The final Guide largely aligns with the June draft, incorporating only a few changes in wording. However, it introduces several business-friendly clarifications to the list of common examples of sensitive personal information therein (“Examples List”) that help limit the scope of sensitive personal information, including:

  • Location Access Methods: The issued Guide differentiates between location access methods used by mobile applications. It specifies that approximate location data derived from IP addresses is not classified as sensitive personal information, whereas precise mobile positioning data is considered sensitive.
  • Whereabouts/Tracking Information: The “whereabouts/tracking information” category of sensitive personal information has been clarified to encompass only data that indicates a “continuous track” of movements over a period of time, rather than including any data pertaining to locations of a person as in the June draft. Along the same line of reasoning, flight and high-speed train travel records have been removed from examples of this category.
  • Medical Device Data: According to the final Guide, not all data produced by medical devices during healthcare services will be classified as sensitive personal information; only examination and testing data during healthcare services risks falling under such classification.

Notably, the final Guide, in line with existing laws and standards, includes a new explanatory note highlighting the primacy of the “risk of harm” test over the Examples List. The note stipulates that data covered by the Examples List may not qualify as sensitive personal information if there is substantial evidence and justification showing that it fails to pass the “risk of harm” test as outlined in the Guide. This gives organisations greater scope to self-assess whether or not data qualifies as sensitive personal information based on risk of harm rather than just a prescriptive list.

The extent to which the Guide will be relied on by the regulator or courts remains to be seen. However, organizations are encouraged to refer to the Guide alongside existing laws and standards when identifying the sensitive personal information. In particular, as noted above and in our previous article, it is crucial for organizations to focus on the “risk of harm” test when identifying Mainland China sensitive personal information.

Hong Kong: A Practical Guide to the Proposed Critical Infrastructure Cybersecurity Legislation
https://privacymatters.dlapiper.com/2024/08/hong-kong-a-practical-guide-to-the-proposed-critical-infrastructure-cybersecurity-legislation/
Tue, 13 Aug 2024 08:41:12 +0000

Hong Kong is following other jurisdictions, including Mainland China, Singapore and the UK, in proposing to enhance cybersecurity obligations on IT systems of those operating critical infrastructure (“CI”). While the proposed new law, tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill (the “proposed legislation”), is still at an early stage and subject to change, it is sensible for those organisations potentially caught by these additional cybersecurity obligations – and their service providers – to start planning. To this end, below is a practical guide to the proposed legislation.

  1. What is the primary goal of the proposed legislation?

The proposed legislation, as set out in the paper submitted by the Hong Kong Government to the Legislative Council Panel on Security on 25 June 2024, aims to enhance the security of Hong Kong’s CIs that are necessary to maintain “normal functioning” of Hong Kong society and people’s lives, by minimising the chance of disruption to, or compromise of, essential services by cyberattacks.

  2. Who and what will be captured by the proposed legislation?

The proposed legislation would regulate only CI operators (“CIOs”) in respect of their critical computer systems (“CCSs”). Similar to the helpful approach in Mainland China, both CIOs and CCSs will be expressly designated by a new Commissioner’s Office to be set up (or, as explained in Question 6 below, the Designated Authorities for certain groups of organisations). This will ultimately remove uncertainty around whether or not a given organisation is a CIO, and which of their systems will fall within the CCS framework. However, until such designations are made by the relevant authorities, it does leave significant uncertainty for organisations that may not obviously fall within the definition, especially technology companies.

Designation of CIOs

Under the proposed legislation, an organisation would be designated as a CIO if it were deemed responsible for operating an infrastructure that the Commissioner’s Office determines to be a CI, taking into account the organization’s level of control over the infrastructure. It is proposed that CIs cover the following two categories:

  • infrastructures for delivering essential services in Hong Kong, i.e. infrastructures of the following eight sectors: energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting (“Essential Service Sectors”); and
  • other infrastructures for maintaining important societal and economic activities, e.g., major sports and performance venues, research and development parks, etc.

When deciding whether an infrastructure within the scope of the two categories above constitutes a CI, the Commissioner’s Office would take into account:

  • the implications on essential services and important societal and economic activities in Hong Kong in case of damage, loss of functionality, or data leakage in the infrastructure concerned;
  • the level of dependence on information technology of the infrastructure concerned; and
  • the importance of the data controlled by the infrastructure concerned.

The Government also emphasized that CIOs will mostly be large organisations, and the legislation will not affect small and medium enterprises and the general public.

The list of the designated CIOs will not be made public to prevent the CIs from becoming targets of cyberattack.

Designation of CCSs

The proposed legislation would only require CIOs to take responsibility for securing the expressly designated CCSs. Systems operated by CIOs but not designated as CCSs would not be regulated by the proposed legislation.

The Commissioner’s Office would only designate as CCSs the computer systems which:

  • are relevant to the provision of essential service or the core functions of computer systems; or
  • will seriously impact the normal functioning of the CIs if interrupted or damaged.

Importantly, computer systems physically located outside of Hong Kong may also be designated as CCSs.

  3. Would organisations have opportunities to object to CIO or CCS designations?

Yes. Under the proposed legislation, before making CIO or CCS designations, the Commissioner’s Office will communicate with organisations that are likely to be designated, with a view to reaching a consensus on the designations. This is helpful, but adds to the recommendation that those potentially caught as a CIO should start planning now to be ready to put forward a clear, reasoned view on whether or not they – and/or all of their systems – should be designated.

After a CIO or CCS designation is made, any operator who disagrees with such designation can appeal before a board comprising computer and information security professionals and legal professionals, etc.

  4. What are the obligations of CIOs?

Statutory obligations proposed to be imposed on CIOs under the proposed legislation are classified into three categories:

  • Organisational:
    • provide and maintain an address and office in Hong Kong (and report any subsequent changes);
    • report any changes in the ownership and operatorship of their CIs to the Commissioner’s Office;
    • set up a computer system security management unit, supervised by a dedicated supervisor of the CIO;
  • Preventive:
    • inform the Commissioner’s Office of material changes to their CCSs, including those changes to design, configuration, security, operation, etc.;
    • formulate and implement a computer system security management plan and submit the plan to the Commissioner’s Office;
    • conduct a computer system security risk assessment at least once every year and submit the report;
    • conduct a computer system security audit at least once every two years and submit the report;
    • adopt measures to ensure that their CCSs still comply with the relevant statutory obligations even when third-party service providers are employed;
  • Incident reporting and response:
    • participate in a computer system security drill organised by the Commissioner’s Office at least once every two years;
    • formulate an emergency response plan and submit the plan; and
    • notify the Commissioner’s Office of the occurrence of computer system security incidents in respect of CCSs within (a) 2 hours after becoming aware of serious incidents and (b) 24 hours after becoming aware of other incidents.

  1. What would be the offences and penalties under the proposed legislation?

The offences under the proposed legislation include CIOs’ non-compliance with:

  • statutory obligations;
  • written directions issued by the Commissioner’s Office;
  • investigative requests of the Commissioner’s Office; and
  • requests of the Commissioner’s Office for relevant information relating to a CI.

The penalties for these offences would consist exclusively of fines. The level of fines would be determined by court trials, with maximum fines ranging from HK$500,000 to HK$5 million. For certain offences, persistent non-compliance would result in additional daily fines of HK$50,000 or HK$100,000 per day.

It is noteworthy that a CIO will still be held liable for the non-compliance with its statutory obligations if the non-compliance is caused by a third-party service provider. As such, service providers should also start planning now as to whether or not their customer base may be designated CIOs and, if so, what consequences this may have on contractual service obligations, incident notification obligations, security standards/specifications, SLAs, powers of investigation/inspection (including by regulators) and liability/indemnity provisions (including financial caps and exclusions). We anticipate CIOs will expect higher standards from their service providers in advance of the new regulations being introduced.

  1. Which authorities would enforce the proposed legislation, and what would their powers be?

Commissioner’s Office

A Commissioner’s Office is proposed to be set up under the Security Bureau to implement the proposed legislation, headed by a Commissioner appointed by the Chief Executive. Its powers would include:

  • designating CIOs and CCSs;
  • establishing Code of Practice for CIOs;
  • monitoring computer system security threats against CCSs;
  • assisting CIOs in responding to computer system security incidents;
  • investigating and following up on non-compliance of CIOs;
  • issuing written instructions to CIOs to plug potential security loopholes; and
  • coordinating with various government departments in formulating policies and guidelines and handling incidents.

Among these powers, the most significant might be the investigative powers granted to the Commissioner’s Office. Specifically, in respect of investigations on security incidents, the Commissioner’s Office would have, among others, the powers to:

  • question and request information from CIOs;
  • direct CIOs to take remedial actions; and
  • check the CCSs owned or controlled by CIOs with their consent or with a magistrate’s warrant.

In respect of investigations on offences, it would have the powers to:

  • question and request information from any person who is believed to have relevant information in his or her custody; and
  • enter premises and take possession of any relevant documents with a magistrate’s warrant.

From a service provider perspective, these powers will likely extend – either directly or more likely via contractual flow down – from CIOs to their service providers. As such, again service providers may need to revisit their customer contracts in this regard.

Designated Authorities

Existing regulators of certain Essential Service Sectors which already have a comprehensive regulatory framework, such as a licensing regime in the financial services and telecoms sectors, may be designated as designated authorities (“Designated Authorities”) under the proposed legislation. The Designated Authorities would be responsible for designating CIOs (and CCSs) among the groups of organisations under their supervision and for monitoring such CIOs’ compliance with the organisational and preventive obligations. It is currently proposed to designate the Monetary Authority and the Communications Authority as the Designated Authorities for the banking and financial services sector and the communications and broadcasting sector respectively. The Commissioner’s Office, on the other hand, would remain responsible for overseeing the incident reporting and response obligations of, and retain the power to issue written directions to, such CIOs. It is hoped that the practical interaction between the Designated Authorities and the Commissioner’s Office will be clearly defined before the new framework is finalised.

  1. How does the proposed legislation compare to critical infrastructure cybersecurity laws in other jurisdictions?

In formulating the proposed legislation, the government made reference to the legislation of other jurisdictions on critical infrastructure protection, including the United Kingdom, Australia, the United States, the European Union, Singapore, Mainland China and Macao SAR. For instance, the designation-based framework envisaged by the legislation mirrors Australia’s regulatory approach to systems of national significance under the Security of Critical Infrastructure Act 2018. Moreover, many obligations of the CIOs, such as those in respect of security risk assessments, audits and drills, have corresponding counterparts in the cybersecurity legislation of jurisdictions like Mainland China and Singapore. The investigative powers of the regulator to request information, access documents and enter premises can also be found in foreign legislation, including the UK’s Network and Information Systems Regulations 2018 and Singapore’s Cybersecurity Act 2018.

There are, however, technical nuances between similar mechanisms under the proposed legislation and existing laws in other jurisdictions. For instance, the proposed legislation requires organisations to report non-serious security incidents within 24 hours of becoming aware of them, providing greater flexibility compared to Singapore’s requirement of reporting all security incidents affecting critical information infrastructure within two hours of awareness.  

  1. What are the next steps for the proposed legislation?

The proposed legislation is expected to be tabled in the Legislative Council by the end of 2024. Once passed, the Commissioner’s Office will be established within a year, and the law will come into effect around six months thereafter. This, therefore, gives a critical planning period until mid-2026 for organisations which may be designated CIOs and their services providers.

  1. What must organisations do in light of the proposed legislation?

It is hoped that the uncertainty around some critical issues, including the scope of the Essential Service Sectors (particularly the information technology sector), the specific criteria to distinguish CIs among the Essential Service Sectors, and the threshold for “serious” security incidents, will be resolved as the proposed legislation passes through the public consultation and the usual legislative process.

Organisations should closely monitor the development of the proposed legislation, develop an internal position on their designation (or, in the case of service providers, their customers’ designation) as a CIO and of their systems as CCSs, prepare to advocate/lobby for that position once the designation communications commence, and monitor and update their cybersecurity measures, procedures and contracts.

CHINA: New national data classification and grading standard is released
https://privacymatters.dlapiper.com/2024/04/china-new-national-data-classification-and-grading-standard-is-released/ | Mon, 22 Apr 2024

Data classification and grading is an obligation that each data handler must comply with under the Chinese data protection laws. Data handlers have been waiting for clear requirements and standards on how to carry out the relevant work. The newly published national standard GB/T 43697-2024 Data Security Technology – Rules for Data Classification and Grading sheds light in this area.

Basic rules

As a general principle, sectoral authorities shall publish categories and guidelines to set out the sector-specific data classification and grading frameworks. Data handlers’ internal data classification and grading work shall be conducted under the relevant sectoral framework.

To be specific, a data handler shall first conduct data classification by identifying the sectors in which the data is processed, and classifying data as industrial data, telecom data, financial data, energy data, traffic and transportation data, natural resources data, health data, education data, science data, etc.

The data handler shall further classify the data in each sector by considering factors such as the objects described (e.g. user data, business data, operation data and system maintenance data, etc.), the business processes concerned (e.g. R&D, manufacturing, distribution, after-sales services, etc.), and the processing purposes (e.g. internal management, supplier management, marketing, etc.). Where personal data is involved, the existing personal data classification requirements (which are summarized in Schedule B of the new standard) must be reflected.

Under the new standard, data is graded as core data, important data and regular data. The grading should be based on the significance of the data to economic and social development, as well as its impact on national security, public interests and the legitimate rights and interests of individuals and organizations that could result from tampering, destruction, leakage, unauthorized access, or illegal use of the data.

The following factors may affect the grading: business contexts in which the data is processed; the business objects or personal data subjects that the data describes; the geographic areas the data concerns; the data accuracy; coverage scale and level of details etc. Schedules 3 and 4 of the new standard provide further guidance on how each factor shall be assessed when determining the grading.

Important data

Important data refers to data that is specific to certain sectors, groups or regions, or that has reached a certain level of precision and scale, such that, once leaked, tampered with or destroyed, it may directly jeopardize national security, economic operations, social stability, or public health and safety. Data that only affects the data handler itself or individual citizens is usually not considered important data.

The new standard also sets out the factors and standards that sectoral authorities must consider when formulating the important data catalogues. Once such catalogues are published, data handlers must follow the catalogues, identify the important data within their own organizations and prepare their own important data catalogue accordingly.

If a data handler believes that it also processes other important data after considering all the factors provided in the new standard, it can identify such data as important data voluntarily. This is so, even though the data is not included in the sectoral authorities’ important data catalogues. However, only the important data included in sectoral catalogues (rather than the voluntarily identified important data) must go through the special approval processes before it can be transferred overseas.

After finalizing the important data catalogue internally, data handlers shall file their important data catalogues with the sectoral authorities in accordance with the requirements specified in sector-specific guidance. For example, according to the Measures for the Management of Data Security in the Field of Industry and Information Technology (for Trial Implementation), data handlers in the industry and information technology sector shall file their important data catalogues with local sectoral authorities and provide information on: the source; classification; grade; scale; carrier; purpose and method of processing; scope of use; responsible party; external sharing; cross-border transfer; and security protection measures etc. of the important data. The specific data items in the important data catalogue are not required to be provided.

Practical Next Steps

Since the standard has already set out a relatively clear framework and includes reasonable details, sectoral authorities are expected to publish sector-specific guidance and catalogues soon. While following such developments closely, data handlers are recommended to conduct thorough data mapping internally and initiate preliminary data classification and grading work in parallel.

Please contact Carolyn Bigg (Carolyn.Bigg@dlapiper.com), Amanda Ge (Amanda.Ge@dlapiper.com), or Venus Cheung (Venus.Cheung@dlapiper.com) if you would like to discuss what these latest developments mean for your organisation.

CHINA: Cross Border Data Transfer Requirements – exemptions now available
https://privacymatters.dlapiper.com/2024/03/china-cross-border-data-transfer-requirements-exemptions-now-available/ | Tue, 26 Mar 2024

In good news, on 22 March 2024, the Cyberspace Administration of China (“CAC”) finalised long-awaited guidelines setting out exemptions to some of the more challenging cross-border data transfer (“CBDT”) compliance requirements (“Guidelines”). As well as the exemptions, there are updated filing templates for those still falling outside the exemptions, and a reminder that consent and contractual/other measures remain a requirement for CBDTs.

New Exemptions for Certain CBDTs

As a recap, the relevant routes to legitimise CBDTs are: (1) CAC Security Assessment, (2) China SCCs Filing, and (3) CAC Certification (together, “Legitimising Routes”). Under the Guidelines, certain exemptions have now been introduced, meaning the following CBDTs are exempted from having to follow any one of the Legitimising Routes (“Exempted Transfers”):

  1. Collection outside of Mainland China: the personal data being transferred outside of Mainland China was originally collected and generated outside of Mainland China and thereafter imported back into Mainland China, and the processing of such personal data within Mainland China does not involve any personal data or important data that is collected from or generated in Mainland China;
  2. Cross-border HR management: the transfer is necessary for implementing cross-border human resource management in accordance with legally formulated employment policies and procedures or legally executed collective contracts. This is subject to a “necessity” test (see below);
  3. Cross-border contract: the transfer is necessary for concluding or performing a contract between the data subject and the data controller (e.g. those contracts that relate to cross-border shipping, logistics, remittance, payments, bank account opening, flight and hotel booking, visa applications, examination services etc.). This is subject to a “necessity test” (see below); 
  4. Emergency situation: the transfer is necessary for protecting the life, health or property security of any natural person under emergency circumstances; or
  5. Volume threshold: the transfer falls below a specified volume threshold (see below).

Do we still need to obtain separate consent and put in place other measures for CBDTs?

Yes, the exemptions only apply to the Legitimising Routes. The other requirements for CBDTs under the Mainland China data laws must still be complied with, namely:

  • clearly describe the CBDT in the privacy notice, and obtain separate, explicit data subject consent to the cross-border data transfer (as well as the general consent to data processing etc.); and
  • put in place appropriate contractual and other measures (e.g. due diligence, TOMs, DPIA) to protect the data to the appropriate standard when processed outside of Mainland China.

What is the “Necessity Test”?

Exempted Transfers 2 (cross-border HR management) and 3 (cross-border contracts) above rely on a “necessity” test. This means the organisation must prove that the CBDT is necessary in order for the exemption to apply. However, it remains unclear as to what would constitute a necessary basis for the cross-border transfer of personal data. For example:

  • Will overseas transfers of personal data within global companies where IT services are procured at a group level be a satisfactory reason for the CAC?
  • When it comes to the contractual necessity exemption, the Guidelines require the data subject and data controller to be direct contracting parties, but does not provide for situations where the contracting party is an organisation rather than an individual (e.g. in corporate customer situations).

What are the Volume Thresholds?

If the above Exempted Transfers are not applicable, or are only partly applicable (after deducting the number of data subjects to whom any of the above Exempted Transfers would apply):

  1. CAC security assessment (i.e. full CAC approval) is required where:
    • important data is processed – the list of important data examples will be published by the CAC in due course; 
    • non-sensitive personal data of 1 million data subjects or more is transferred overseas; or
    • sensitive personal data of 10,000 data subjects or more is transferred overseas.
  2. China SCCs filing is required where:
    • non-sensitive personal data of between 100,000 and 1 million data subjects is transferred overseas; or
    • sensitive personal data of fewer than 10,000 data subjects is transferred overseas.
  3. None of the three Legitimising Routes is required – i.e. it is an Exempted Transfer (see above) – where non-sensitive personal data of fewer than 100,000 data subjects is transferred overseas.

For the purposes of calculating the above volume thresholds, the relevant period is the year running from 1 January of the year in which the calculation is conducted, i.e. the count is cumulative from 1 January of the current year.
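The threshold routing above has several inputs that interact (CIIO status, important data, sensitive and non-sensitive subject counts after deducting Exempted Transfers, and the 1 January counting window), so as an added example, not part of the DLA Piper post, the following Python encodes it. The record format, the field names, the assumption that a subject whose transfers are all Exempted Transfers is deducted entirely, the assumption that a subject with any sensitive transfer is counted once as sensitive, and the reading that sensitive data of even one subject triggers a China SCCs filing are all this example's own; the threshold figures come from the summary above.

```python
from dataclasses import dataclass
from datetime import date

# Volume thresholds as summarised in the Guidelines above.
SEC_ASSESSMENT_NON_SENSITIVE = 1_000_000   # non-sensitive subjects: 1 million or more
SEC_ASSESSMENT_SENSITIVE = 10_000          # sensitive subjects: 10,000 or more
SCC_FILING_NON_SENSITIVE = 100_000         # non-sensitive subjects: 100,000 to <1 million

SECURITY_ASSESSMENT = "CAC security assessment"
SCC_FILING = "China SCCs filing"
EXEMPT = "Exempted Transfer (no Legitimising Route required)"


@dataclass(frozen=True)
class TransferRecord:
    """One cross-border transfer event. Constructed format for this example, not a CAC schema."""
    transferred_on: date
    subject_id: str
    sensitive: bool
    exempted: bool = False   # covered by Exempted Transfers 1-4 (e.g. HR-management necessity)


def count_in_window(records, as_of):
    """Distinct data subjects transferred from 1 January of as_of's year up to as_of.

    Transfers that are Exempted Transfers are deducted (not counted). A subject with
    any non-exempt sensitive transfer is counted once, as sensitive (assumption).
    Returns (sensitive_subjects, non_sensitive_subjects).
    """
    window_start = date(as_of.year, 1, 1)
    sensitive, non_sensitive = set(), set()
    for r in records:
        if r.exempted or not (window_start <= r.transferred_on <= as_of):
            continue
        (sensitive if r.sensitive else non_sensitive).add(r.subject_id)
    non_sensitive -= sensitive
    return len(sensitive), len(non_sensitive)


def legitimising_route(sensitive_subjects, non_sensitive_subjects, *,
                       ciio=False, important_data=False):
    """Map the (post-deduction) subject counts and entity status to a Legitimising Route."""
    if ciio:
        return SECURITY_ASSESSMENT   # CIIOs: always, regardless of category or volume
    if important_data:
        return SECURITY_ASSESSMENT   # important data always requires full CAC approval
    if (sensitive_subjects >= SEC_ASSESSMENT_SENSITIVE
            or non_sensitive_subjects >= SEC_ASSESSMENT_NON_SENSITIVE):
        return SECURITY_ASSESSMENT
    if sensitive_subjects > 0 or non_sensitive_subjects >= SCC_FILING_NON_SENSITIVE:
        return SCC_FILING            # any sensitive data (assumed reading), or 100k-<1M non-sensitive
    return EXEMPT


def demo():
    """Constructed sample: one HR transfer deducted, one subject outside the window."""
    as_of = date(2024, 6, 30)
    records = [
        TransferRecord(date(2024, 2, 1), "emp-001", sensitive=False, exempted=True),  # deducted
        TransferRecord(date(2024, 3, 5), "cust-002", sensitive=False),
        TransferRecord(date(2024, 4, 9), "cust-003", sensitive=True),
        TransferRecord(date(2024, 4, 9), "cust-003", sensitive=False),  # same subject, counted once
        TransferRecord(date(2023, 12, 31), "cust-004", sensitive=True),  # before 1 Jan, outside window
    ]
    sens, nons = count_in_window(records, as_of)
    return sens, nons, legitimising_route(sens, nons)


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` counts one sensitive and one non-sensitive subject and therefore lands on the China SCCs filing route, even though the non-sensitive count is far below 100,000. The CIIO and important-data checks come first because they override the volume thresholds entirely.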

For the third Legitimising Route – namely the CAC certification route – there remains uncertainty around its applicability. It was previously thought to cover largely CBDTs by non-China data controllers. However, it is not now mentioned in the Guidelines, and indeed the Guidelines seem to have covered most data processing scenarios and data volumes in any case. As such, further guidance is awaited on whether the CAC Certification is now just a voluntary compliance measure (e.g. for non-China data controllers), or an alternative to the other Legitimising Routes.

What about CIIOs?

The Exempted Transfers do not apply to organisations designated as a Critical Information Infrastructure Operator (“CIIOs”). CIIOs must in any case undergo a CAC Security Assessment to transfer or access data outside of Mainland China – regardless of the data category, data volume or data processing activity to be undertaken.

What if the Exempted Transfers do not Apply to My Organisation?

Along with the Guidelines, the CAC has also updated its template assessment and filing documents for the CAC security assessment and SCCs filing routes. In particular, these new templates reflect very specific requirements that the CAC expects in terms of drafting and formatting applications and filings. As such, any organisation that has drafted but not yet submitted its assessment application, PIIA or SCCs filing must now use the new templates.

In addition, a central submission platform has been set up. It is anticipated that only new submissions would need to be made via the platform. Organisations that have already submitted assessments or filings may continue to contact their designated case officer.

Practical Next Steps

  1. Reconsider your Legitimising Route or whether an Exempted Transfer applies, by:
    • Checking internally whether your organisation has been informed by any authorities that it is designated as a CIIO, or if it processes important data (per the official list to be released in due course).
    • Identifying any provincial (e.g. Greater Bay Area Standard Contract, or Free Trade Zone rules that may be published etc.) nuances or exceptions to the CBDT requirements that may apply to your organisation.
    • Identifying whether your organisation’s CBDTs qualify as an Exempted Transfer. If so, this volume of data may be carved out from the overall volume calculation.
    • Classifying your data to map out the categories of non-sensitive personal data and sensitive personal data.
    • Calculating in parallel the relevant volume of non-sensitive personal data and sensitive personal data being transferred overseas, and thereafter, identify the applicable Legitimising Route.
  2. Organisations which have yet to make any submissions to the CAC should now consider internally whether they fall within any of the Exempted Transfers. Those that cannot rely on the Exempted Transfers, or can only partially rely on them, should determine whether they are transferring sensitive personal data and, if so, the necessity of doing so, as this will determine the route chosen for legitimising CBDTs.
  3. For organisations whose submission (whether CAC security assessment or SCCs filings) is already with the CAC for review, it is recommended to consider getting in touch with your relevant designated case officer to understand the status of the assessment or filing and whether it may be withdrawn if the Exempted Transfers conditions are met.

Please contact Carolyn Bigg (Carolyn.Bigg@dlapiper.com), Amanda Ge (Amanda.Ge@dlapiper.com), or Venus Cheung (Venus.Cheung@dlapiper.com) if you would like to discuss what these latest developments mean for your organisation.

CHINA: data protection regulations – a lookback at 2023 developments
https://privacymatters.dlapiper.com/2024/01/china-data-protection-regulations-a-lookback-at-2023-developments/ | Wed, 10 Jan 2024

Author: Carolyn Bigg, Amanda Ge, Venus Cheung, Gwyneth To

With 2023 having come to an end, the fast-paced changes to the China data protection regime throughout the year are continuing well into Q1 2024.

As well as a near finalisation of the different routes to legitimise cross-border data transfers, the Cyberspace Administration of China (“CAC”) has begun to direct its efforts into harmonising its data compliance requirements across regions, as well as other aspects of data compliance.

Most notably, these include:

  1. GBA Transfers – Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (“Implementation Guidelines”)

Following on from the various cross-border data transfer mechanisms published by the CAC earlier in the year, the CAC and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (“HKITIB”) jointly issued the Implementation Guidelines, containing the Standard Contract for Cross-boundary Flow of Personal Information within the Greater Bay Area (GBA Standard Contract), on 13 December 2023, with immediate effect.

The GBA Standard Contract seems to be a less stringent version of the China Standard Contractual Clauses (“China SCCs”) route to legitimising cross-border data transfers to Hong Kong, given its limited scope of applicability.

See here for more information on the full China SCCs route.

  • Scope of applicability. Under the Implementation Guidelines, personal information controllers and recipients registered or located within the Greater Bay Area (“GBA”) can sign the GBA Standard Contract to transfer personal information (but excluding important data) within the region.
  • Key obligations and responsibilities. To rely on the GBA Standard Contract to legitimise cross-border data transfers, data controllers must fulfil the following obligations outlined in the GBA Standard Contract:

    • Providing notice and obtaining separate consent from data subjects in accordance with the laws and regulations prior to the transfer;
    • Not transferring any personal information outside the Greater Bay Area; and
    • Conducting a personal information protection impact assessment. However, note that there will be no need to file this simpler assessment with the authorities (a less stringent requirement compared with the formal China SCCs route).
  • Filing procedure. Data controllers must still make a filing containing the signed GBA Standard Contract, together with other specified documents, with the Guangdong Province CAC or the Office of the Hong Kong Government Chief Information Officer within ten working days from the contract’s effective date.
  • Onward transfers are permitted only within the GBA. The GBA Standard Contract must not be abused as a means of leveraging Hong Kong as a safe harbour for onward transfers to jurisdictions outside the GBA without following the appropriate means of legitimising those cross-border data transfers.

Regardless of the above, the Implementation Guidelines still represent an important first step towards a much-anticipated relaxation of restrictions on personal information flows across the GBA, as foreshadowed in the Memorandum of Understanding on Facilitating Cross-boundary Data Flow Within the Guangdong-Hong Kong-Macau Greater Bay Area signed in June 2023.

  1. Breach Notification – Draft Administrative Measures for the Reporting of Cybersecurity Incidents (“Draft Measures”)

On 8 December, the CAC – as a response to China’s concern with large-scale data security incidents within its borders – issued Draft Measures aiming to safeguard national cybersecurity via the standardisation of reporting cybersecurity incidents. The Draft Measures closed for public consultation on 7 January 2024.

If passed in its current form, network operators will be mandated to report to the relevant government bodies any network security incident that may cause significant harm.

The incident reporting is categorised into different levels, based on the type of network operators.

The Draft Measures provide procedures in making notifications. Most notably, it introduces stringent notification timescales. Those cybersecurity incidents classified as “major”, “significant” or “particularly significant” should be reported within one hour of discovery – with information not then available to be supplemented within 24 hours.

  1. Cross-border Data Transfers – CAC Certification route

Following the finalisation of two out of three of the cross-border data transfer mechanisms (CAC Assessment and China SCCs), the CAC now turns to the final route – CAC Certification.

Despite uncertainties around the CAC Certification, developments came to light from 25 December onwards, where the first certifications were granted for notable household names – such as Alipay, JD Technology and the University of Macau.

Most notably, it was reported that in considering the approval of the University of Macau’s certification, various internal governance processes were taken into account. These included but are not limited to: data spatialization, data classification and grading, identity authentication, data subject consent management, personal information impact assessments, data transfer risk assessments etc. – all of which provide a well-rounded governance of the entire lifecycle of data processing.

That said, there is little public information regarding the basis on which these certifications were approved – in particular, whether the certifications only concern in-country processing of China personal information, or what specific business contexts were involved.

We expect to see more certification approvals during 2024.

See here for a recap on the CAC certification requirements.

Looking ahead – 2024

The China data protection regime is expected to witness more significant changes in the coming year.

Draft measures on important data, as well as compliance audits in the pipeline are indicative of the regulators shifting their focus onto wider data compliance requirements – after the frenzy on cross-border data transfers.  

Given the shift in the regulators’ priorities from an external-facing to an internal-facing focus of data compliance, it is especially important in the coming months for businesses with a presence in China to focus on formulating a China data compliance programme and remediating any gaps in compliance – now with a focus on internal procedures and governance.
