CAC issues data security rules

On 28 May 2019 the Cyberspace Administration of China (CAC) issued the Administrative Measures for Data Security (Draft for Comment).(1) The consultation period ended on 28 June 2019.

The draft measures include rules on:

• the collection, storage, transfer, processing and use of data (among other activities) in China via websites; and
• data protection and management.

The main rules set out in the CAC's draft measures are as follows:

• Network operators which collect personal information through websites, apps and other products should formulate and publish specific rules regarding the collection and use of such information.
• Network operators should not discriminate against personal information subjects who do not authorise them to collect their personal information or who impose limits on such collection.
• The collection of important data or sensitive personal information by network operators for business purposes should be subject to registration with the local cyberspace administration.
• Where network operators make use of user data and algorithms to push news information or ads (among other things) to targeted users, they must expressly include the term 'targeted pushing' in the information in a visible manner and enable users to opt out from receiving it. Where network operators make use of Big Data, AI and other technologies to automatically formulate news, blogs, posts, comments and other information, they must expressly include the word 'compound' in a visible manner.
• Where network operators provide personal information to third parties, they must assess the potential security risks and obtain the personal information subject's consent.
• Where network operators release, share, trade or provide important data to overseas parties, they must assess the potential security risks and obtain the competent industry department's approval.
• Network operators should specify the data security requirements and obligations which apply to third parties that access their platforms and prompt them to enhance their data security.

Endnotes

(1) The draft measures are available here.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.