Shenzhen: Shenzhen Special Economic Zone Data Regulation – Regionalising data protection in China
The Standing Committee of Shenzhen Municipal People's Congress announced, on 7 July 2021, that the Shenzhen Special Economic Zone Data Regulation ('the Regulation') was adopted by the second meeting of the Standing Committee of the Seventh Shenzhen Municipal People's Congress on 29 June 2021. The Regulation entered into effect on 1 January 2022. OneTrust DataGuidance breaks down its key provisions and obligations, including those unique to the Regulation.
The Regulation outlines specific definitions in addition to those found in the Personal Information Protection Law of the People's Republic of China ('PIPL'), such as data, biometric data, and user profile.
In particular, the Regulation defines data as any record of information, whether electronic or otherwise (Article 2(1) of the Regulation). Moreover, biometric data refers to personal data that can identify a natural person and is derived from processing the biological characteristics of the natural person's body, physiology, or behaviour, including the natural person's genetic, fingerprint, voice, palm, ear, iris, facial recognition features, and other data (Article 2(4) of the Regulation).
Furthermore, user profiling is defined as the automatic processing of personal data in order to evaluate certain conditions of natural persons, including the evaluation of a natural person's work performance, economic status, health status, personal preferences, interests, reliability, behaviour patterns, locations, and whereabouts (Article 2(8) of the Regulation).
The Regulation outlines general provisions regarding the processing of personal information, including requirements for lawful processing, data minimisation, accuracy, disclosure, and data security (Article 10 of the Regulation). Many of these principles can also be found in the PIPL.
Uniquely, the Regulation further clarifies the extent to which processing should be limited, specifying that the following considerations should be taken into account when determining the scope of processing (Article 11 of the Regulation):
- the type and scope of processing should be directly related to the purpose, such that the purpose cannot be achieved if the personal data is not processed;
- the amount of personal data processed should be kept to the minimum amount necessary to achieve the purpose;
- the frequency of processing should be kept to the minimum level necessary to achieve the purpose;
- the storage period should be kept to the minimum amount necessary to achieve the purpose; if the storage period exceeds the necessary storage period, the personal data should be deleted or anonymised, unless otherwise provided by laws and regulations or with the consent of the individual; and
- a minimum authorised access control policy should be established, such that authorised personnel can only access the minimum amount of personal data and have the minimum data processing rights required to complete their duties.
Furthermore, the Regulation introduces notification and consent requirements similar to those outlined in the PIPL, including the requirement to notify individuals of (Article 14 of the Regulation):
- the name and contact information of the data processor;
- the type and scope of processing;
- the purpose and method of processing; and
- the period of personal data storage.
Notably, data processors are required to notify individuals of the security risks that may exist in the processing of personal data and the security protection measures adopted for their personal data (Article 14(5) of the Regulation).
The Regulation outlines specific consent requirements, including exceptions for the processing of personal information and sensitive personal information, as well as biometric information.
In particular, data processors must not obtain consent through misleading, deception, coercion, or other methods that go against an individual's true wishes (Article 17 of the Regulation). In relation to the processing of sensitive and biometric information, data processors must obtain the express consent of the individual before processing (Articles 18 and 19 of the Regulation).
When processing biometric data, an alternative scheme for processing non-biometric data must be provided to the individual. However, where the processing of biometric data is necessary for the purpose of processing personal data and cannot be replaced by other means, the data processor must obtain the express consent of the individual (Article 19 of the Regulation).
Along similar lines, where biometric data is processed for a specific purpose, it must not be used for other purposes without the express consent of the individual. The specific measures for biometric data will be formulated separately by the Shenzhen Municipal People's Government (Article 19 of the Regulation).
In relation to the consent of adults (i.e. over the age of 14), the Regulation stipulates that when processing involves the personal data of adults who have no or limited legal capacity, the explicit consent of their guardian must be obtained before processing (Article 20 of the Regulation).
Personal data processing
The Regulation outlines specific requirements for the sharing of personal information.
Specifically, when a data processor provides personal data processed by it to a third party, it must de-identify the personal data so that the provided personal data cannot identify a specific natural person without the use of other data. However, where laws and regulations so stipulate, or where the individual and the data processor agree to anonymisation, the data processor must anonymise the data in accordance with those laws and regulations, or with the agreement between the two parties (Article 26 of the Regulation).
As an exception to the above, a data processor is not required to perform de-identification when providing personal data to third parties, if one of the following circumstances applies (Article 27 of the Regulation):
- the personal data is provided at the request of a public management and service agency in writing, in accordance with the law, for the performance of public administrative functions or for the provision of public services;
- the personal data is provided to a third party based on the consent of the individual;
- the personal data is necessary for the conclusion or performance of a contract to which the individual is a party; or
- in other circumstances stipulated by laws and administrative regulations.
Where data processors carry out profiling activities for the purpose of improving the quality of products or services, they must clearly indicate the specific uses, as well as the procedures, of such profiling. In addition, individuals may refuse to be profiled by a data processor, or to have personalised products or services recommended to them based on their user profile, in which case data processors must provide them with effective ways of refusal in an easily accessible manner (Article 29 of the Regulation).
In relation to minors, data processors must not recommend personalised products or services to minors under the age of 14 based on user profiles, except in order to protect their legal rights and interests and where they have obtained the express consent of their guardians (Article 30 of the Regulation).
Data subject rights
The Regulation clarifies that individuals may request access to, and a copy of, their personal data from data processors, who must make it available in a timely manner and without charge in accordance with relevant provisions (Article 28 of the Regulation).
Data element market
In relation to the digital economy and the 'data element' market (i.e. the market for processing, sharing, and utilising data as a resource), the Regulation outlines a number of requirements for market entities, data trading platforms, and data processors.
In particular, market entities carrying out data processing activities are required to implement the main data management responsibilities; establish and improve data governance organisational structures, management systems, and self-assessment mechanisms; implement classified and hierarchical protection and management of data; strengthen data quality management; and ensure data security, authenticity, accuracy, completeness, and timeliness (Article 57 of the Regulation).
Data trading platforms, on the other hand, are required to establish a safe, credible, controllable, and traceable data transaction environment; formulate rules for data transactions and information disclosure, as well as self-regulation, among other things; and adopt effective measures to protect personal data, business secrets, and important data prescribed by the State (Article 66 of the Regulation). Moreover, legally-established data transaction platforms can conduct data transactions for market entities; alternatively, both parties can conduct transactions on their own in accordance with the law (Article 65 of the Regulation).
Furthermore, the Regulation addresses ways to conduct data quality assessments and certifications, establishing that data processors may entrust third-party institutions to conduct such assessments and certifications (Article 62 of the Regulation). Importantly, the aforementioned third-party institutions must carry out the assessment and certification activities in accordance with the principles of independence, openness, and impartiality (Article 62 of the Regulation).
The Regulation stipulates that where the use of personal data is opened to, or entrusted to, third parties, an agreement must be concluded, and the use, transmission, and entrusting of processing must comply with the relevant provisions of Chapter 2 of the Regulation (Articles 59 and 60 of the Regulation).
The Regulation establishes requirements for the fair competition and trading of data.
Specifically, data products and services formed from data legally processed by market entities may be traded in accordance with the law, except in the following situations (Article 67 of the Regulation):
- data products and services traded contain personal data that has not been authorised according to the law;
- data products and services traded contain public data that has not been opened in accordance with the law; and
- in other situations where transactions are prohibited by laws and regulations.
In addition, market entities must abide by the principle of fair competition and must not carry out the following acts that infringe upon the legitimate rights and interests of other market entities (Article 68 of the Regulation):
- using illegal means to obtain data from other market entities;
- using illegally collected data from other market entities to provide alternative products or services; and
- other actions prohibited by laws and regulations.
Moreover, market entities must not use data analysis to impose differential treatment on counterparties with identical trading conditions, except where (Article 69 of the Regulation):
- implementing different trading conditions is based on the actual needs of the counterparty in the transaction, and in compliance with legitimate trading habits and industry practices;
- preferential activities are carried out within a reasonable time limit for new users;
- implementing random transactions is based on fair, reasonable, and non-discriminatory rules; or
- other circumstances stipulated by laws and regulations.
The Anti-monopoly Law of the People's Republic of China contains further requirements regarding fair competition in China.
Data processors are required to, in accordance with laws and regulations, establish and improve safety management systems for data classification, risk monitoring, safety assessment and safety education, among other things, and implement safeguards, as well as continuously upgrade technical means to ensure data security (Article 72 of the Regulation).
Furthermore, where the data processor changes due to, for example, mergers, divisions, or acquisitions, it must continue to implement data security management responsibilities (Article 72 of the Regulation).
Notably, when processing sensitive personal data or important data as prescribed by the State, a data security management agency must be established in accordance with relevant regulations, the person responsible for data security management must be identified, and special technical protection must be implemented (Article 73 of the Regulation).
Data security management
The Regulation outlines several data security management requirements for data processors, including record keeping, data retention, data destruction, vendor management, and data leaks.
In particular, the Regulation stipulates that data processors must record the entire process of their data processing to ensure that the source of the data is legal, and the entire process of processing is clear and traceable (Article 75 of the Regulation).
In addition, data processors are required to implement technical security protections for the data processing process and establish disaster recovery and backup systems for important systems and core data (Article 78 of the Regulation).
In relation to the de-identification or anonymisation of personal information, data processors must de-identify or anonymise collected personal data in accordance with the requirements of laws and regulations, as well as national standards, and store them separately from the data that can be used to restore the identification of specific natural persons (Article 76 of the Regulation).
Correspondingly, when storing personal information, data processors must conduct domain-based and hierarchical management of data storage, and select storage media that match the required security performance, protection, and security level. In addition, sensitive and important data, as specified by the State, must be encrypted when stored, and access authorisation or other stricter security protection measures must be adopted (Article 77 of the Regulation).
Data processors are required to establish data destruction procedures to effectively destroy data that needs to be destroyed. Particularly, where the data processor is terminated or dissolved and there is no data receiver, they must promptly and effectively destroy the data under their control, except where otherwise provided by laws and regulations (Article 80 of the Regulation).
Under the Regulation, data processors must implement monitoring and early warning measures that are compatible with their level of data security protection and that provide early warning of abnormal situations, such as data leakage, damage, loss, and tampering (Article 83 of the Regulation). Along similar lines, data processors are required to establish a data security emergency response mechanism and formulate a data security emergency response plan; such plans must classify data security incidents according to factors such as the degree of harm and the scope of influence, and provide corresponding emergency response measures (Article 85 of the Regulation).
Furthermore, in the event of data security incidents, such as data leakage, damage, loss, and tampering, the data processor must immediately initiate an emergency response plan, take corresponding emergency response measures, promptly notify the relevant right holders, and report to the Municipal Internet Information Center, public security departments, and relevant industry authorities in accordance with relevant regulations (Article 86 of the Regulation).
The Regulation outlines legal responsibilities, including administrative fines, confiscation of illegal gains, and litigation, as well as criminal responsibility.
Trade and fair competition
Persons who trade data in violation of Article 67 of the Regulation will be ordered to make corrections by the relevant authorities in accordance with their duties, with any illegal gains confiscated. A fine of up to RMB 1 million (approx. €139,260) can be imposed if the transaction amount is more than RMB 10,000 (approx. €1,390). Where laws and administrative regulations provide otherwise, those provisions will prevail (Article 94 of the Regulation).
Similarly, persons who violate the provisions of Articles 68 and 69 of the Regulation and infringe on the lawful rights and interests of other market entities and consumers will be ordered to make corrections by the relevant authorities in accordance with their duties, with any illegal gains confiscated. Those who refuse to make corrections may face a fine of not more than 5% of the previous year's turnover, up to a maximum of RMB 50 million (approx. €6.96 million), where the circumstances are serious. Where laws and administrative regulations provide otherwise, those provisions will prevail (Article 95 of the Regulation).
Furthermore, market entities that violate the provisions of Article 70 of the Regulation and engage in unfair competition or monopolistic conduct will be punished in accordance with the relevant laws and regulations on anti-unfair competition or anti-monopoly (Article 95 of the Regulation).
Data processors who violate the provisions of the Regulation and fail to perform their data security protection responsibilities will be punished in accordance with relevant laws and regulations on data security (Article 96 of the Regulation).
In addition, data processors who process data in violation of these regulations and cause damage to others will bear civil liability according to the law. Where a violation of public security management is constituted, public security management penalties will be imposed and, if a crime is constituted, criminal responsibility will be investigated according to the law (Article 99 of the Regulation).
In instances where data is processed in violation of the provisions of the Regulation, causing damage to national or public interests, organisations specified by laws and regulations may initiate civil public interest litigation in accordance with the law. The People's Procuratorate may support the litigation, if it deems it necessary (Article 98 of the Regulation).
However, where an organisation specified by laws and regulations does not initiate a civil public interest lawsuit, the People's Procuratorate may initiate a civil public interest lawsuit in accordance with the law (Article 98 of the Regulation).
Keshawna Campbell, Lead Privacy Analyst