2021.12.01 LI, Shuoying; Zhou Jia
On November 14, 2021, the Regulations on Network Data Security Management (Draft for Comments) (“Draft Data Security Regulations”) was released by the Cyberspace Administration of China (“CAC”) and made available to the public for comments until December 13, 2021.
The Draft Data Security Regulations is drafted based on the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law (“PIPL”) as the superordinate laws. It consists of 75 articles across nine chapters, addressing many key points in detail such as the safe cross-border transfer of data, the protection of personal information rights, cybersecurity review standards for IPOs in foreign countries or Hong Kong, and the obligations of internet platform operators. We will discuss the Draft Data Security Regulations in a further series of updates and topics. In this article, we will focus on the topic of “personal information protection”.
In the Draft Data Security Regulations, in addition to Chapter 3 that is dedicated to personal information protection, Chapter 2 (General Requirements) and Chapter 8 (Legal Liability) also address the protection of personal information. We hereby summarize several key points regarding personal information protection in the Draft Data Security Regulations as follows.
1. Obligations of Personal Information Processors In Case of a Data Security Incident
Article 11 of the Draft Data Security Regulations stipulates that, in the event of a data security incident such as the leakage, destruction or loss of the important data or personal information of more than 100,000 people, the data processor shall fulfil the following obligations:
(1) Report the basic information about the incident, including the amount and type of data involved, the possible impact, and the response measures taken or to be taken, within eight hours of the occurrence of such a security incident to the cyberspace administration and the relevant competent authorities at the municipal level of a city having districts.
(2) Submit an investigation and appraisal report containing the cause of the incident, the consequences and damages, the responsibilities and punishments, and the improvement measures, within five working days after the remedy of such security incident to the cyberspace administration and the relevant competent authorities at the municipal level of a city having districts.
While Article 57 of the PIPL stipulates the matters that personal information processors shall report and notify the authorities which perform the personal information protection duties and the individuals in the event of an incident such as an actual or potential personal information leakage, Article 11 of the Draft Data Security Regulations adds two important timings that data processors should follow when reporting data security incidents such as personal information leakage to the relevant authorities: “within eight hours of the occurrence of such security incident” and “within five working days after the remedy of such security incident”.
2. Obligations of Personal Information Processors In Case of Merger or Division
Article 22 of the PIPL stipulates that a personal information processor shall, where it is necessary to transfer personal information of an individual due to a merger, division or any other reason, inform the individual of the name and contact information of the receiving party, and the receiving party shall continue to perform their obligations as the personal information processor. It is further provided for in the Draft Data Security Regulations that, in the event of a merger, reorganization or division of a data processor, the data recipient shall continue to fulfill their data security protection obligations; where the important data and personal information of more than one million persons are involved, such an event shall be notified to the competent authorities at the municipal level of a city having districts. However, we are unable to detect from the wording of the Draft Data Security Regulations whether this notification obligation should be fulfilled by the data processor or the data recipient.
3. Specific and Additional Obligations on Data Processors In Case of the Provision of Personal Information to a Third Party
Article 23 of the PIPL sets forth the items required to be notified by a personal information processor to an individual when it provides the personal information of such an individual to a third party, including the name and contact information of the receiving party, the purpose and method of the processing, and the type of personal information to be provided. Article 12 of the Draft Data Security Regulations specifies and adds the following requirements on data processors:
(1) To inform the individual of the retention period and the location for the storage of such personal information.
(2) To agree with the data recipient on the purpose, scope and manner of the data processing and the data security protection measures, etc., to clarify the responsibilities and obligations of the parties for data security by contract and other forms, and to supervise the data processing activities of the data recipient.
(3) To keep records of individual consent and log the records for the provision of personal information for at least five years.
Articles 55 and 56 of the PIPL require that personal information processors shall keep the records of the provision of personal information to third parties for at least three years, while Article 12 of the Draft Data Security Regulations imposes a higher requirement on the record retention time, requiring relevant records to be kept for at least five years, which is noteworthy.
4. Specific and Additional Requirements on the Items Notified by Personal Information Processors to Individuals and the Method of Notification
Article 17 of the PIPL stipulates the items required to be notified by personal information processors to individuals before processing the personal information of such individuals. Article 20 of the Draft Data Security Regulations specifies and adds the following requirements:
(1) Personal information processing rules shall be centrally and publicly displayed and easily accessible and prominently placed with clear, specific, concise and understandable content to fully and systematically describe the personal information processing rules; while the wording of Article 17 of the PIPL is “in clear and easy-to-understand language, and in a truthful, accurate and complete manner”.
(2) The purpose, manner, frequency or timing of personal information processing, the type of personal information processed and the location of its storage shall be set forth in a list according to the functions of the products or services, among which the purpose, frequency and timing of the personal information processing and the location of its storage are not mentioned in Article 17 of the PIPL.
(3) The processor shall describe the retention period of the storage of the personal information or the method to determine such time period, and how to treat the personal information after the expiry of such a time period; while Article 17 of the PIPL only requires the description of the time period of the storage of personal information.
(4) The processor shall describe the means and methods by which individuals may access, reproduce, correct, delete, restrict the processing of, and transfer, personal information, and cancel accounts and withdraw consent to processing personal information; while Article 17 of the PIPL does not stipulate the above-mentioned individual’s rights in detail, it does require the processor to inform the individual of the manner and procedures for exercising his or her rights.
(5) The processor shall provide a description in a manner easily accessible by the users, such as a central display, to specify all third-party codes and plug-ins embedded in the products and services that collect personal information, as well as the purpose, manner, frequency or timing of personal information collection by each third-party code or plug-in, the type of collected personal information, and its personal information processing rules, which are not mentioned in Article 17 of the PIPL.
(6) The processor shall describe the circumstances in which personal information is provided to third parties, the purpose and manner of the provision, the type of personal information provided, and the information about the data recipient, which are also mentioned in Article 23 of the PIPL.
(7) The processor shall describe the personal information security risks and protection measures, and the channels for complaints and reports related to personal information security and the ways to settle them, and the contact details of the officer in charge of personal information protection; while the PIPL only requires the processor to disclose the contact details of the officer in charge of personal information protection in its Article 52, but is silent on the above matter in Article 17.
5. Specific Requirements on Obtaining Consent from Individuals
On the basis of the consent requirements in Article 14 of the PIPL, Article 21 of the Draft Data Security Regulations further specifies negative requirements, notably those relating to the implementation of the principle of necessity, including:
(1) The data processor shall obtain consent separately from individuals to the processing of personal information based on the specific type of service, and no such consent shall be obtained using general terms.
(2) The data processor shall not force individuals to give consent to the processing of their personal information on the grounds of improving service quality, enhancing user experience or developing new products, etc.
(3) The data processor shall not induce or force individuals to give consent to bulk personal information by bundling different types of services or applying for bulk consent.
(4) The data processor shall not continue to ask for consent or interfere with the normal use of the service after the individual has clearly indicated that he or she does not consent.
Meanwhile, Article 21 of the Draft Data Security Regulations once again reiterates that any processing of sensitive personal information such as personal biometrics, religious beliefs, specific identities, medical and health care, financial accounts, whereabouts and traces shall require separate consent from individuals; and that any processing of the personal information of a minor under the age of fourteen shall require the consent from his/her guardians.
It is worth noting that a new provision has been added to Article 21(3) of the Draft Data Security Regulations that where there is a dispute over the validity of an individual's consent, the burden of proof lies with the data processor. Thus, if a data processor processes personal information based on the consent obtained from the individual, it should prove the validity of the individual’s consent.
6. Additional Grounds for the Exercise of the Right of Deletion
On the basis of the right of deletion in Article 47 of the PIPL, Article 22 of the Draft Data Security Regulations further stipulates the grounds and deadlines for the deletion of personal information. In terms of the grounds for the deletion of personal information, the Draft Data Security Regulations adds the following circumstances compared to those of the PIPL:
(1) The individual cancels the account.
(2) Unnecessary personal information, or personal information collected without the consent of an individual, is unavoidably collected due to the use of automated collection technologies, etc.
The second circumstance described above refers to situations where data processors using automated collection techniques inevitably collect certain personal information that may not be necessary or may be collected without the consent of the individual. For example, if a company providing data services uses automated collection techniques to crawl developments and comments on a social media platform to research market trends, the information crawled may contain personal information about the users of the social media platform. In this case, the company should delete the personal information within a specified period of time.
In terms of deadlines, the Draft Data Security Regulations requires that data processors should delete personal information or carry out anonymization within fifteen working days. At the same time, it provides a buffer if the deletion of personal information is technically difficult to achieve as follows: if it is difficult to delete personal information within fifteen working days, the data processor shall not carry out processing other than storing and taking the necessary safety protection measures and shall provide a reasonable explanation to the individuals. However, the Draft Data Security Regulations do not specify the starting point of the “fifteen working days” period, which has yet to be clarified.
7. Specific Responses of Data Processors to the Exercise of an Individual’s Right
As for the responses of personal data processors to the exercise of an individual's rights, the PIPL provides in Articles 45 to 47 separately that personal data processors shall respond in a timely manner upon receiving a request from an individual to exercise his or her rights, while Article 23 of the Draft Data Security Regulations focuses on the obligations that data processors should fulfil in the face of a reasonable request from an individual, specifically including:
(1) Providing convenient methods and means to support the individual in making structured enquiries about the type and quantity of their personal information collected; and not restricting individuals' reasonable requests on the ground of time, location or other factors.
(2) Providing convenient support for individuals to reproduce, correct, supplement, restrict the processing of or delete their personal information, withdraw their authorization and consent, and cancel their accounts, without imposing unreasonable conditions.
(3) If a request is received from an individual for reproduction, correction, supplementation, restriction of processing or the deletion of his/her personal information, withdrawal of his/her authorization or consent or cancellation of his/her account, such a request shall be addressed and replied to within fifteen working days.
How the term “structured enquiries” should be interpreted is yet to be clarified by the relevant authorities after the official promulgation of the Draft Data Security Regulations.
8. Clarification of Preconditions for the Exercise of the Right to Data Portability
Article 45 of the PIPL specifies that individuals have the right to data portability, but does not set out the preconditions for the exercise of that right. Article 24 of the Draft Data Security Regulations clarifies this by specifying that the preconditions for the exercise of the right to data portability include the following:
(1) The personal information to be transferred as requested is collected with consent or as necessary for the conclusion or performance of a contract.
(2) The personal information to be transferred as requested is the requesting individual's own information or the information of any other person that was lawfully obtained by the requesting individual in a manner not against the will of such other person.
(3) The legal identity of the requesting individual can be verified.
In addition, this article also stipulates the data processor's obligation to prompt and the right to charge a fee as follows: If a data processor becomes aware that there is a risk of unlawful processing of personal information by the other data processors to whom such personal information is to be transferred, such data processor shall give a reasonable risk alert in response to the request for the transfer of personal information; and where the number of requests for the transfer of personal information is clearly beyond reasonable limits, the data processor may charge a reasonable fee.
9. Other Additions
In addition to the above, the following new provisions have been added to the Draft Data Security Regulations in comparison to the PIPL: Article 18 of the Draft Data Security Regulations stipulates that data processors shall establish convenient channels for data-security related complaints and reports and publish the contact details and responsible persons for accepting the said complaints and reports, and publicly disclose the quantity of complaints they receive and accept in connection with personal information security, the settlement of such complaints and the average time for settlement each year; Article 25 of the Draft Data Security Regulations stipulates that where a data processor uses biometric features for personal identification, it shall conduct a risk assessment on necessity and security, and shall not use biometric features such as face, gait, fingerprint, iris and voice print as the only means of personal identification to force individuals to consent to the collection of their personal biometric information; Article 26 of the Draft Data Security Regulations imposes additional requirements on data processors who process the personal information of more than one million individuals that, in addition to the provisions regarding personal information protection set forth in Chapter 3 of the Draft Data Security Regulations, they shall also comply with the provisions on important data processors set forth in Chapter 4 of the Draft Data Security Regulations.