Release M88 game APK Measures for Data Security Management (Draft for Comment )

On May 28, 2019, the Cyberspace Administration M88 game APK China (“CAC”) issued M88 game APK Measures for Data Security Management (Draft for Comment) (M88 game APK “Measures”), in order to solicit public opinions, which can be submitted up until June 28, 2019.

This article provides a summary M88 game APK the key elements M88 game APK the Measures.

I. Scope M88 game APK Application

Article 2 M88 game APK the Measures clearly stipulates that "these Measures apply to data collection, storage, transmission, processing, use and other activities via networks within the territory M88 game APK the People’s Republic M88 game APK China (hereinafter referred to as data activities), and to data security protection, supervision and management. These Measures do not apply to matters pertaining purely to household and personal affairs."

The definition M88 game APK “network” according to the Cybersecurity Law¹is very broad, and it is our understanding that the scenarios in which the Measures apply will be similarly wide-ranging. The data-related activities M88 game APK various types M88 game APK organizations and individuals in China may be subject to the Measures and may. for example, include the collection M88 game APK manufacturing-related data from industrial control systems by manufacturers, or information collected through local area networks or online by other general types M88 game APK business.

While Article 2 provides a broad definition M88 game APK “data activities”, the key types M88 game APK data for regulation by the Measures are consistent with the definition used in the Cybersecurity Law, and remain "personal information" and "important data."

Article 38 M88 game APK the Measures defines “important data” as “data such as undisclosed government information, large-area population information, genetic information, geographic information or mineral resources information, that if leaked could directly affect national security, economic security, social stability or public health and safety. Important data does not include production, operational and internal management information, personal information, etc.”

Although the definition M88 game APK important data remains very general, the exclusion clause may be helpful to businesses in determining the scope M88 game APK important data, since they can at least exclude their own production and operational data from such “important data.”

II. Strict Rules on the Protection M88 game APK Personal Information and Important Data

The Measures reiterate and strengthen the provisions for the protection M88 game APK personal information that were provided for in various previously issued regulations and guidelines, including the Personal Information Security Regulations, the Guidelines for Internet Personal Information Security Protection, and the Guide to the Self-Assessment M88 game APK Illegal Collection and Use M88 game APK Personal Information by Apps.

Provide details M88 game APK responsible person details and the means to withdraw consent

Article 8 explicitly requires that the rules for collection and use should clearly provide and highlight “the name and contact information M88 game APK the responsible person for data security” and the “method M88 game APK obtaining consent from the subject M88 game APK personal information.”

Limitations on M88 game APK purposes for information collection

Article 11 M88 game APK the Measures stipulates that "network operators must not force or mislead personal information subjects to agree to the collection M88 game APK their personal information in the form M88 game APK default permission, function bundling, etc., on the grounds that it will result in an improvement in service quality or user experience, provide custom content, or help develop new products." The elements whose interpretation will be most likely to directly impact the related privacy practices M88 game APK businesses are "not force or mislead the consent M88 game APK personal information subjects” and “in the form M88 game APK default permission, function binding, etc."

The Measures also make reference to the distinction between core functions and other functions that is drawn in the Personal Information Security Regulations, in which it is indicated that network operators shall provide core functions to personal information subjects when those subjects agree to the collection M88 game APK personal information that applies to such core functions. However, network operators shall not refuse to provide core functions to information subjects if such subjects refuse to provide consent or revoke their consent for the collection M88 game APK other information (which are not necessary for the core function).

Requirements for collecting personal information from minors

Article 12 M88 game APK the Measures clearly stipulates that the collection M88 game APK personal information from a minor under the age M88 game APK 14 shall require the consent M88 game APK his/her guardian.

Appointment and responsibilities M88 game APK person responsible for network security

Article 17 M88 game APK the Measures stipulates that if a network operator collects important data or personal sensitive information for the purpose M88 game APK its operations, it shall nominate a staff member to be responsible for data security. Such person responsible for data security shall have data security expertise and appropriate management experience, shall participate in decision-making about data activities, and report directly to the principal responsible person M88 game APK the company.

Filing the collection M88 game APK important data and personal sensitive data

Article 15 M88 game APK the Measures for the first time proposes that “network operators collecting important data or personal sensitive information for business purposes shall file with the local network information department. The filing content includes the collection and usage rules, the purpose, scale, method, scope, type and duration, etc., M88 game APK collection and usage.”

The current definition M88 game APK "personal sensitive data" in the Personal Information Security Regulations is quite broad, and includes mobile phone numbers, email addresses, system account numbers, web browsing history, precise positioning information, etc., and therefore should this element M88 game APK the Measures ultimately be implemented, it may involve extensive filing requirements.

Providing pre-assessment M88 game APK personal information and exclusion.

Article 27 M88 game APK the Measures stipulates that before providing personal information to others, the possible security risks should be assessed and the personal information subject’s consent should be obtained.

It is currently not clear how such security risk assessment should be conducted.

Evaluation and approval before transferring important data

Article 28 M88 game APK the Measures stipulates that “network operators shall assess the potential security risks before publishing, sharing, transacting or providing important data to overseas, and shall report to the competent industrial authority for approval. If the competent industrial authority is not clear, it should be approved by the provincial cyberspace administration department."

The security assessment requirements M88 game APK the Measures are stricter than the applicable requirements M88 game APK the Administrative Measures for the Assessment M88 game APK Outbound Security M88 game APK Personal Information and Important Data (Draft for Comment) issued by the CAC in 2017. The Measures not only require a security assessment for the release, sharing and trading M88 game APK important data, but also require a security assessment report to be submitted to the competent industrial authorities or the counterparts M88 game APK the CAC.

Notification obligation for personal information security incidents

Article 35 M88 game APK the Measures for the first time explicitly requires that in the event M88 game APK data security incidents such as disclosure, damage, or loss M88 game APK personal information, or when the risk M88 game APK such is significantly increased, the network operator should inform the personal information subject by telephone, SMS, email or letter.

III. New Provisions for the Use M88 game APK Data

Labeling customized content

Article 23 M88 game APK the Measures for the first time proposes that when network operators apply algorithms to user data in order to push specific news and commercial advertisements, etc., they shall clearly label such news and commercial advertisements as “customized” (定推 in Chinese) and provide users with the means to unsubscribe from such customized “push marketing” content.

When M88 game APK user chooses to stop receiving push marketing, network operators shall stop such push marketing, and delete M88 game APK data and personal information collected from M88 game APK data, including any device identifiers.

This requirement is likely to have a significant and substantial impact on the current practices M88 game APK the online advertising industry.

Label as “Generated”

Article 24 M88 game APK the Measures proposes, also for the first time, that "when network operators use big data, artificial intelligence and other technologies to automatically generate news, blog posts, posts, comments and content, it should clearly be labeled as "generated". Content shall not be automatically generated with the intention M88 game APK making prM88 game APKits or harming others."

The interpretation M88 game APK "not be … with the intention M88 game APK making prM88 game APKits" requires further explanation by the regulatory authorities.

IV. Strict Liability

Responsibilities for indirectly collected personal information

Article 14 M88 game APK the Measures for the first time proposes that “network operators obtaining personal information from other sources shall have the same protection responsibilities and obligations as if the personal information was collected directly.”

Presumption M88 game APK fault in data security incidents

Article 30 M88 game APK the Measures stipulates that “network operators shall clarify data security requirements and responsibilities for any third-party applications which are connected to the network operator’s platform, and supervise third-party operators in order to strengthen data security management. If such third-party applications cause data security incidents and result in losses to users, the network operator shall be liable for part M88 game APK or the entirety M88 game APK the accident unless the network operator can prove that it has no fault.”

The application M88 game APK the principle M88 game APK the presumption M88 game APK fault will impose an extremely high requirement on the network operators M88 game APK platforms.

Data responsibility in M&A

Article 31 M88 game APK the Measures stipulates, for the first time, that “When a network operator merges, reorganizes, or goes bankrupt, the data acquirer shall undertake the data security responsibilities and obligations. If there is no data acquirer, the data shall be deleted. Where the laws or administrative regulations provide otherwise, such requirements shall be followed."

Hence, for any merger or acquisition, if the acquirer takes on the data M88 game APK the acquired party, it should take into account the corresponding data security responsibilities and obligations.

V. Our observation

The Measures propose many new requirements, responsibilities and obligations, some M88 game APK which may significantly impact upon network operators including online and other types M88 game APK business.

With the Measures still seeking public comment, we will pay close attention to and pass on further details M88 game APK any legislative updates.

1. Cybersecurity Law M88 game APK the People’s Republic M88 game APK China, enacted November 2016, implemented June 2017