China: The interplay between the PIPL, DSL, and CSL
Apart from the Civil Code of the People's Republic of China ('the Civil Code'), China has three main laws governing data processing activities: the Personal Information Protection Law ('PIPL'), effective 1 November 2021; the Data Security Law ('DSL'), effective 1 September 2021; and the Cybersecurity Law 2016 ('CSL'), effective 1 June 2017. Together with the Civil Code, these three laws govern most data protection matters in China and, in some situations, outside of China, and together they make data protection a strictly regulated area in China. Dehao Zhang, Counsel at Fieldfisher China, discusses the interplay between the PIPL, the DSL, and the CSL.
Differences and connections among the three laws
Although all three laws relate to data protection, they differ, especially in their material scope. The PIPL is a comprehensive personal information protection law that applies to the processing of personal information, whether or not by automated means. The DSL applies to all data processing, with 'data' meaning any record of information, personal or non-personal. The CSL focuses on network security, of which information security is one part.
The three laws also differ in territorial scope, specifically in whether they claim long-arm jurisdiction. Here the PIPL resembles the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'): under paragraph 2 of Article 3 of the PIPL, it applies in certain circumstances to organisations' personal information processing activities outside of China. The DSL can also apply to data processing outside of China where such processing harms China's national security or public interest. By contrast, the CSL does not apply to network security outside of China.
Before the PIPL and the DSL, the CSL alone governed data processing. Although the protection under the CSL is imperfect, it at least established a legal requirement to protect personal information and the organisation's network security. The PIPL and the DSL, adopted and brought into force in 2021, then strengthened personal information protection in China overall. In terms of continuity of legal requirements, some of the security requirements appear in both the DSL and the CSL, while some requirements relating to personal information protection appear in all three laws.
The interplay between the PIPL, the DSL, and the CSL on personal information protection
Since the PIPL, the DSL, and the CSL all govern personal information processing, the interplay between them in this area deserves attention:
Network operator, data processor, and personal information processor
The regulated party is named differently under each of the three laws: network operator, data processor, and personal information processor. Under the CSL, an organisation that builds, uses, or maintains a network in China is a 'network operator'. Under the DSL, an organisation that processes data is a 'data processor'. Neither of these two laws distinguishes between controllers and processors. The PIPL changes this: it distinguishes between personal information processors and trustees, which are roughly equivalent to controllers and processors under the GDPR. Because the three laws have different focuses, the parties they regulate differ, but a pattern runs through wider Chinese legislation, for example 'operators' under the CSL and 'operators' under the E-commerce Law of China. The term 'data processor' was first used in the Civil Code; the DSL refers to processors and the PIPL to personal information processors.
Expansion of the personal information protection and data security framework
Under the CSL, the framework for personal information protection and data security is general but also limited: its requirements focus on security rather than on comprehensive data protection. The PIPL expands personal information protection by setting out data protection principles and obligations, backed by significant enforcement provisions. The DSL expands the data security framework to cover all kinds of data, with a focus on national security and the public interest; this also affects the CSL, for example the revised Measures on Cybersecurity Review combine requirements of the CSL and the DSL.
Personal information and data
For personal information processing, organisations must comply with the PIPL first of all, although the DSL and the CSL also apply to such processing.
For example, a very large volume of personal information may also be deemed important data under the DSL. Such an organisation may also be deemed a critical information infrastructure operator or an important data processor, and will then be subject to data localisation and data transfer obligations under the CSL and the PIPL.
CISOs and DPOs
Under Article 21 of the CSL, network operators must designate a person in charge of cybersecurity. Under Article 27 of the DSL, an important data processor must designate a person in charge of data security.
Under Article 52 of the PIPL, personal information processors that meet a threshold set by the Cyberspace Administration of China ('CAC') must designate a person in charge of personal information protection, who is responsible for supervising personal information processing activities and the security measures adopted.
Certain requirements remain unclear, such as how such persons are to be chosen, who is qualified to hold the role, and whether a part-time appointment satisfies the requirement. What is clear is that organisations meeting the thresholds must have a person in charge of cybersecurity, data security, and personal information protection, so data protection officers ('DPOs') and chief information security officers ('CISOs') will be important under these laws, and organisations must pay attention to the requirements.
All three laws require security measures, but the PIPL and the DSL have significantly strengthened the measures relating to data protection. The table below sets the requirements of the three laws side by side:

| CSL & MLPS 2.0 | DSL | PIPL |
|---|---|---|
| Internal security management policies and procedures | Internal data security management policies and procedures | Internal personal information protection policies and procedures |
| A person in charge of cybersecurity | A person in charge of data security | A person in charge of personal information protection |
| Measures to protect the network against viruses and network attacks; monitoring and recording of network operation and incidents, with logs retained for at least six months; multi-level protection scheme ('MLPS') based security measures | Data classification, backup of important data, and encryption | Data classification, encryption, and de-identification |
| A cybersecurity incident response plan | Risk monitoring and assessment; incident management (handle the incident, inform users and authorities) | A personal information security incident response plan |
| Data localisation and data transfer rules (for critical information infrastructure operators ('CIIOs')) | Data transfer assessment | Data localisation and data transfer mechanism (CIIOs and data processors meeting the CAC threshold) |
| Cybersecurity review (CIIOs and important data processors) | Cybersecurity review (CIIOs and important data processors) | |
| | Regular important data risk assessment (for important data processors) | Personal information protection impact assessment (where required by the PIPL) and regular audit |
Despite the entry into force of the PIPL and the DSL, the CSL remains in force and is enforced by the authorities. Together, the three laws form China's regulatory system for cybersecurity and data protection. The laws still need further clarification from the authorities and the courts, particularly the DSL's requirements on organisations' obligations, so official guidance and explanations relating to the laws must continue to be watched.
Dehao Zhang Counsel
Fieldfisher China, Beijing