Are you ready? Only five weeks until China's new data security law comes into effect

02 May 2017

With China’s new cybersecurity law only five weeks away, businesses should be preparing for the new rules and making sure they understand them. According to DLA Piper, the draft regulations mean more businesses are likely to be caught by the offshore data transfer rules in the new PRC Cybersecurity Law.

The firm says China has been moving into the data protection space through court decisions, regulations and laws. However, those rules have not been enforced. That will now change, particularly as a new ‘whistleblower’ system comes into effect. DLA Piper says companies can no longer ignore the offshore data requirements.

DLA Piper has provided a series of requirements and actions:

1. The new draft regulations apply to both “personal data” (as defined in the PRC Cybersecurity Law) and “important data”, which is widely defined to include information that relates to national security, economic development, or social or public interest.

Required action: Assessment of data flows to determine what is being sent offshore and whether it falls within these definitions.

2. Consent must be obtained from all individuals before their personal data is sent out of China.

Required action: Consents need to be obtained at all data collection points, including for employees, customers and individuals within your supply chain or distribution networks. Existing datasets should be identified and consents obtained where none are currently in place.

3. A security assessment needs to be carried out before offshore transfer occurs. The security assessment needs to be redone annually.

Required action:

Your security assessment includes the need to establish:

  • the legitimate business necessity of transferring the data offshore;
  • the amount, scope, type and sensitivity of the “personal data”, and whether consent has been obtained;
  • the amount, scope, type and sensitivity of “important data”;
  • the safety precautions established by the offshore data recipients (including group companies);
  • the risk of the transferred data being retransferred, leaked or misused; and
  • whether the transfer may create national security concerns, public or individual risks.  

4. The offshore transfer needs to be notified to relevant regulators if any of the following transfer thresholds are met:

  • data sets of 500,000+ individuals;
  • data files in excess of 1000GB;
  • data related to nuclear facilities, chemical biology, national defence or military, large engineering activities, ocean environmental protection or sensitive geographical information;
  • network information of "key information infrastructure", including system loopholes or security measures; or
  • you are a “key information infrastructure operator”.

Required action: Your security assessment should specifically identify whether any of these thresholds are met and, if so, the relevant regulators must be identified and notified. Notification will trigger an independent assessment by the relevant regulator(s) and/or the CAC and should be carefully constructed to minimise the risk of the transfer being blocked. Regulators are required to make an assessment within 60 days of receiving notification.

5. There is an absolute prohibition on offshore transfer if:

  • consent has not been obtained from the data subjects for transferring their personal data;
  • it may result in risks for state politics, the economy, technology, national defence, national security, social or public interests; or
  • any relevant regulators issue specific prohibitions.

Required action: Data must not be transferred offshore in any of these circumstances. For businesses caught by and unable to circumvent these prohibitions, China-based infrastructure and onshore processing is likely to be the practical solution.

6. Any individual or organisation has a right to report an offshore transfer that violates the law to the relevant regulators.

Required action: Complaints by individuals are one of the most common ways in which privacy and data security issues are brought to the attention of regulators in other countries. Disgruntled employees and competitors represent obvious threats, and this practical risk needs to be considered as part of your data handling policies and practices. The “nobody will find out” argument has suddenly become less compelling.

7. Sanctions will be imposed in the event of a violation of the provisions of the regulations in accordance with relevant laws and regulations.

Required action: While specific sanctions are not called out in the draft regulations, sanctions mentioned in existing privacy laws are wide ranging and include the possibility of cancellation of your China business license.
