China’s new cybersecurity law has been updated again, a week before it comes into effect on June 1, introducing new criminal sanctions and a potential requirement to obtain consent before collecting personal information through cookies.
In a new advisory, DLA Piper partner and location head Scott Thiel and counsel Carolyn Bigg noted that the regulation will make the unauthorised collection, disclosure and receipt of “citizen’s personal information” subject to a range of sanctions, including five times the amount of any calculated illegal gains.
The level of sanctions will depend on factors including the degree of harm, the amount of illegal gains and repeat offenses. This stipulation has been made in interpretations from the Supreme People’s Court and Supreme People’s Procuratorate on issues concerning application of the law.
The same interpretations also clarify that personal information need not identify an individual but may instead reflect an individual’s activities, indicating that collecting information via cookies does require notice and consent.
Suppliers of “important network products and services” to “key information infrastructure operators” will now also be subject to a new supervisory assessment regime from June 1. Products and services failing to meet these assessments may be blacklisted from future procurement.
A new draft measure could also require organisations regulated by China’s securities regulator to keep certain data within China.
These include currently undefined “important data”, customer information and important information systems that, if breached, could have a significant impact on the securities market and investors.
A draft new encryption law would make use of encryption mandatory for some networks and data, but businesses will need to be able to provide “decryption technology support” to certain government bodies for national security reasons or criminal investigations.
In a separate advisory on the second draft export review measures of the new law, law firm Hogan Lovells said the second draft relaxes some of the more stringent requirements stated in the first draft.
But the revised measures “still leave a significant compliance challenge for multi-national businesses operating in China,” the company said.
Under the second draft, implementation of the localization requirements applicable for network operators will be delayed until the end of 2018, “introducing a grace period that will be important for MNCs to evaluate their data processing and storage arrangements under the new law.”
It also stipulates that implied consent will be adequate for data subject-initiated exports of personal data and will provide an exemption to the requirement to obtain consent in the case of an emergency that endangers the life or property of data subjects.
The draft act also removes the prerequisite that an export volume exceed 1,000GB of data before a data export security review is triggered. The scope of what’s considered personal data has also been expanded to include new location and behavioral information.
“The changes introduced by the Second Draft Export Review Measures make a few sensible technical adjustments and include a temporary reprieve from China’s new data localization measures through to 31 December, 2018,” Hogan Lovells said.
“Given the typical lead times for technology procurement, most MNCs will be forced to make decisions on their processing arrangements long before this date materialises. However, the broad thrust of the First Draft Export Review Measures has not changed nor has the scope encompassed by the key definition of “network operators” got any clearer.”
The law had already recently been amended to dramatically increase the number of businesses that must comply with the overseas data transfer component of the new law.