Disclaimer: This is not legal advice for your company to use in complying with the CSL. It only provides our interpretation of how the law may generally affect the average business operating in China, together with guidelines for auditing a company’s compliance with the CSL. We strongly recommend seeking legal advice on how the regulations apply to your specific circumstances, and we disclaim any liability in connection with the use of this guide.

In a large-scale effort, presented as a way to keep Chinese citizens’ personal data private and secure, the Chinese government has mandated that all companies collecting and processing personal data in China comply with the Cyber Security Law’s obligations by December 31st, 2018.

Companies that fail to comply by then risk a range of penalties: fines, shutdown of their online operations, loss of the licence to operate or trade in China and, for the individuals responsible, detention.

The most onerous changes for the average business are the obligations to:

· Go through a strict security self assessment procedure when transferring such data abroad, with a mandatory authority approval in some cases

· Host personal data on Chinese territory

· Obtain the user’s explicit consent on the scope of personal data collection and how it will be used, with the obligation to recontact and update your existing database if such consent was not collected

In this article, we will cover:

1. Introduction

2. Key compliance risk factors

3. What are the consequences of non-compliance

4. Activities to evaluate for conformity

5. A compliance checklist

6. Looking forward: how to stay alert

1. Introduction

What is personal data? Any Personally Identifiable Information (PII), i.e. any information that, alone or combined with other information, allows a person to be identified or reflects that person’s activities: full name, identification number, date of birth, email address, online identifiers such as an IP address or a cookie, phone number, etc. Note that for some online services the CSL makes collecting PII mandatory: providers of information publication or instant messaging services must have users register under their real identity (the “real-name” requirement) and cannot grant access to users who do not.

With most modern businesses having a technology component that collects and processes personal data, most operations are potentially affected: marketing, CRM, HR, etc.
China’s Cyber Security Law (CSL) came into effect on June 1st, 2017, so the obligations above are already enforceable. A grace period until December 31st, 2018 is however granted to comply with the new data storage and cross-border transfer rules.

With the release of the CSL, most of the initial focus was on the definition of the two main categories of data processors in China: Critical Information Infrastructure Operators (CIIOs) and Network Operators (NOs), the latter having much lighter obligations regarding personal data collection, security and usage. But since the Measures, Guidelines and Standard issued after the CSL have increased the data protection obligations imposed on NOs, the difference has lost some of its importance.

Are you a CIIO or a NO?

1. Critical Information Infrastructure Operators (CIIO): the precise definition is still unclear, but for now you fall in this category if:
· You belong to strategic sectors such as energy, finance, etc.
· You operate an IT infrastructure platform
· You collect and process a volume of data above a certain threshold (threshold yet to be specified)
· A data breach in your systems could cause monetary damage above a certain threshold (also yet to be specified)
· You process data on behalf of a CIIO: it does not make you one, but you need to comply with the same rules (“domino effect”)
2. Network Operator (NO): any company operating a network of interconnected computers, so virtually any business in China.

For now, therefore, consider yourself a NO at the very least, and keep the CIIOs’ obligations in mind to anticipate changes to your company’s structure or to the regulations.

Implementation timeline of the Cyber Security Law and its neighboring regulations affecting personal data protection: “Measures”, “Guidelines” and “Standard”. Source: LPA-CGR Avocats

2. Key compliance risk factors

For marketing, operations, recruitment or any business activity that requires the collection and the processing of personal information in mainland China, here are the most impactful principles to understand and comply with:

1. Data transfer abroad must obey strict rules

2. Personal data should be stored in mainland China

3. User consent must be explicitly collected on scope and usage of data

4. Data collection must be strictly limited to the scope of your business offering

5. Data protection measures must be put into place

2.1. Data transfer abroad (cross-border) must follow a strict self-assessment procedure

Personal and “Important Data” transfer obligations have been explicitly extended to Network Operators by the Measures and the Guidelines drafts. The main principles to know are:

· CIIOs must undergo a thorough security self-assessment and may seek authority approval prior to any cross border personal data transfer

· NOs (the majority of businesses) may fall under the same obligations for “important data”, although the definition of such category is still unclear

· NOs are able to transfer personal data abroad, but only after the completion of the security self-assessment procedure. Authority’s approval may be mandatory depending on the data volume and content (to be detailed in further regulations).

Security Self Assessment procedure flowchart as provided by Section 4.2.1 of the Guidelines’ second draft

Furthermore, personal data transfer must meet the following legitimacy criteria:

· Is not explicitly prohibited by any existing regulation

· Is legitimate: is necessary and corresponds to genuine business purposes (e.g. impossible to fulfill business contracts otherwise)

· Data subject has been unambiguously informed of the scope of the data transfer and its usage, intended purpose, type, recipients and possible risks

· Explicit consent has been obtained from data subject for the transfer

As shown in the flowchart above, after having assessed the legitimacy of the transfer, a security risk evaluation will have to be carried out. This will mostly cover:

· Features of the data being transferred: data types, recorded volume, scope, sensitivity and technical processing status

· Likelihood of security incidents and their level of impact, to be assessed over 15 risk factors

How often must the self assessment be done?

The CSL, the Measures and the Guidelines do not provide for a blanket self-assessment covering the entire scope of a business’s data transfers abroad. The assessment must be done per transfer event (e.g. sending e-commerce orders to a foreign-hosted order management system). Fortunately, an event that recurs on a regular basis, such as a nightly synchronisation, counts as a single instance.

The assessment must then be updated at least once a year for every data transfer event, and redone whenever the data recipient changes or there is a significant change in the scope, purpose, volume or type of data transferred.

We are using a third-party cloud CRM. Who is in charge of the security assessment?

You are. According to the Guidelines, the party that initiated the data transfer is responsible for the self-assessment. If a transfer is initiated not by the customer (in this case, you or your company) but by the cloud provider itself (e.g. because it hosts part of its internal databases abroad), the provider is responsible for that self-assessment. Check your provider’s contract and documentation to find out where it replicates data and who signs off on those transfers.

Our Business Intelligence systems are located at headquarters, and they aggregate Chinese data. Is that at risk?

If your BI tools only receive aggregates or anonymized information from your Chinese activities, you are compliant. Compliance risks start whenever the data contains information that can be directly linked to a specific individual, e.g. an IP address. Be careful with aggregates over small groups: a count or a total computed for one or two people is still information about identifiable individuals, so suppress or merge such cells before export.

Is it lawful to use data pseudonymization techniques (e.g. hashing) before exporting our data outside of China?

As long as the anonymization process is irreversible, the data transfer is compliant. If the pseudonymization uses a technique that allows the exported data to be re-attached to a specific individual when reversed, you must go through the security assessment procedure. Be aware that hashing alone does not make an identifier irreversible: a plain SHA-256 of an email address or phone number can be recomputed by anyone holding a list of candidate addresses or numbers (a dictionary attack), and even a keyed hash (HMAC) remains pseudonymous, since whoever holds the key can re-link the record. Treat hashed identifiers as personal data and keep any key or lookup table on the Chinese side.
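To make the two previous answers concrete (aggregates versus hashed identifiers), here is an added Python example that is not part of the original article. It uses a constructed three-row CRM sample and an invented secret key; the email addresses, cities and counts are illustrative only. It shows that an unkeyed hash of an email address is recovered by a dictionary attack, that an HMAC with a key kept in China resists that attack but is still re-linkable by the key holder, and that an aggregate export with small-cell suppression is the only output from which no individual row survives.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample of a China-hosted CRM table (not real people).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "city": "Shanghai", "orders": 3},
    {"email": "bob@example.com", "city": "Shanghai", "orders": 1},
    {"email": "carol@example.com", "city": "Beijing", "orders": 5},
]


def sha256_pseudonym(identifier: str) -> str:
    """Unkeyed hash. Deterministic and computable by anyone, so it only
    hides the identifier from someone who cannot guess it."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def reverse_by_dictionary(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """What a recipient abroad can do with an unkeyed hash: recompute it
    for every plausible identifier (a purchased email list, every 11-digit
    mobile number...) until one matches."""
    for candidate in candidates:
        if hmac.compare_digest(sha256_pseudonym(candidate), digest):
            return candidate
    return None


def hmac_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash. Without the key the dictionary attack fails, but the
    key holder can still re-link, so the output is pseudonymized personal
    data, not anonymous data. Keep the key on the Chinese side."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def export_pseudonymised(records: List[Dict], key: bytes) -> List[Dict]:
    """Per-person export: the email is replaced by a keyed token. This
    export still needs the cross-border self-assessment."""
    out = []
    for r in records:
        row = dict(r)
        row["subject_token"] = hmac_pseudonym(row.pop("email"), key)
        out.append(row)
    return out


def export_aggregate(records: List[Dict], min_count: int = 1) -> Dict[str, int]:
    """Aggregate export: customer counts per city. Cells below min_count
    are suppressed because a count of one or two is still a statement
    about identifiable people."""
    counts = Counter(r["city"] for r in records)
    return {city: n for city, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    # Assumption: the real key lives in a KMS/HSM in China and is never exported.
    key = b"example-key-kept-in-china"
    leaked = sha256_pseudonym("alice@example.com")
    print("unkeyed hash reversed to:",
          reverse_by_dictionary(leaked, ["bob@example.com", "alice@example.com"]))
    print("keyed hash reversed to:",
          reverse_by_dictionary(hmac_pseudonym("alice@example.com", key), ["alice@example.com"]))
    print("pseudonymised rows:", export_pseudonymised(SAMPLE_RECORDS, key))
    print("aggregate (min 2):", export_aggregate(SAMPLE_RECORDS, min_count=2))
```

The three outputs correspond to three compliance positions: the unkeyed-hash export is effectively personal data in clear for anyone with a candidate list; the HMAC export is pseudonymized and still goes through the self-assessment; only the suppressed aggregate is anonymized. Generating the key, rotating it and keeping it in China are the controls that make the middle option defensible.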

“To relocate our data infrastructure in mainland China, previously on the edge (HK/SG), we used the tremendous work done in Europe for GDPR, and notably its data mapping. Thanks to it, we could reduce the outbound data transfer to the bare essentials. For the remaining data to transfer, we documented our self-assessment by clarifying the need and the level of related risks.”
— Romain Henriot (COO) & Benjamin Billon (Compliance Director), SPLIO China

2.2. Personal data should be stored in mainland China

This may be the costliest measure for foreign-owned businesses and multinationals to implement, so much so that the US Government has formally asked China not to enforce it (see the WTO communication quoted below). Countless companies retain personal information outside of China, with the IT infrastructure managed and hosted at headquarters or distributed globally on cloud platforms: CRMs, loyalty programs, booking engines, HR management systems, or generally any database containing PII.

While the CSL originally only required CIIOs to store personal and “Important Data” locally, the first draft of the measures for the security assessment of outbound transmission of personal information and critical data (the “Measures”, published on April 11th, 2017), explicitly extended the data storage and protection requirements to NOs as well. This virtually puts China’s operations in a situation similar to what happened in Russia three years ago, when foreign companies were required to store personal data on the Russian territory.

These concerns seem to have been heard, and this explicit requirement was removed from the second draft of the Measures published on May 19th, 2017.

“This status will create a significant legal issue for most of the foreign invested companies in China that are providing Internet services via their offshore entities (e.g., their Hong Kong entities) and collecting Personal Information and/or Important Data through servers established outside of China”
— Pillsbury alert, 2017/06/19

“The measures would impose special scrutiny, particular procedures, or bans on the cross-border transfer of expansive and loosely-defined categories of data. The result would be to discourage cross-border data transfers and to promote domestic processing and storage. The impact of the measures would fall disproportionately on foreign service suppliers operating in China, as these suppliers must routinely transfer data back to headquarters and other affiliates. ”
— US Communication to WTO, 2017/09/25

However, in practical terms storage of personal data in China for Network Operators may still be required since

· A security self assessment must be conducted by NOs before any personal data transfer abroad

· Popular cloud software solutions receive large volumes of personal data generated in China, which may make them fall into the CIIO category

Discussion thread on Salesforce’s forums showing CSL compliance concerns among China mainland users. At the time of writing, Salesforce does not offer hosting instances on Chinese territory.

In order to comply with the CSL, large multinationals such as Airbnb and Apple are already moving their hosting to China for the services they provide to Chinese consumers.

2.3. Individual consent must be explicitly collected on scope, usage and destination of the data

Relying on pre-ticked checkboxes, inactivity or implicit consent to collect data and to send marketing communications is not acceptable anymore. Consent, as outlined in the Standard, is:

· A “clear affirmative action” taken by the data subject (user of your services, customer, employee etc.)

· Freely given by the data subject, not forced

· Explicit, specific, informed, and unambiguous

· Documented in detail by the data controller (the company that determines how the data will be processed)

· Easily withdrawn

Consent collection requirement are almost identical to GDPR’s. Table source: Reforge

Is using cookies to track visitors affected?

Yes, for any situation where the cookie, used as an identifier, can be attached to a specific individual. If you’re collecting any such data via cookies or scripts from foreign analytics vendors (Hotjar, Mixpanel, Google Analytics, etc.), you are required to display a consent box to new website visitors.

Some of these services may already be easier to bring into compliance: Google Analytics’ free version, for example, does not attach names or contact details to its sessions. It still sets a client-ID cookie and receives each visitor’s IP address unless IP anonymization is enabled, however, so verify the configuration rather than assume the data is PII-free.

What does compliant collection of consent look like?

Forget about pre-ticked boxes and burying tracking notices in the General Terms and Conditions saying, ‘If you use our services, we will be collecting X and Y data and track your behavior’. To follow the new CSL regulations you will have to:

· Ask for explicit consent the moment you want to start collecting customer data

· Communicate the process clearly and unambiguously, and make it easy for the data subject to opt in, to withdraw consent, and to access and control their own data at any time

· Inform individuals of the scope of data collection, timeframe, and which parties the data will be shared with

Consent collection template as proposed in the Personal Information Security Specification Standard GB/T 35273-2017
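As an added illustration (example code, not part of the original article or of the Standard), the following Python consent ledger records the properties listed above: each decision is an affirmative, timestamped event tied to the version of the notice the subject saw and the channel it came through, pre-ticked grants are refused, a subject with no recorded grant is denied by default, and withdrawal is simply a later event for the same purpose. The subject identifiers, purpose names and form version strings are invented.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str            # your internal customer/user id (invented values in the tests)
    purpose: str               # e.g. "order_fulfilment", "marketing_email" (illustrative names)
    granted: bool              # False records a withdrawal
    at: datetime               # timezone-aware timestamp of the affirmative action
    form_version: str          # which privacy notice / consent text the subject saw
    channel: str               # "web_form", "wechat", "email_repermission", ...
    prechecked: bool = False   # True if the UI ticked the box on the user's behalf


class ConsentLedger:
    """Append-only log of consent decisions. The latest event per
    (subject, purpose) decides, so a withdrawal never erases history and
    an inspector can be shown exactly what was agreed to, and when."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        if ev.granted and ev.prechecked:
            raise ValueError("consent needs a clear affirmative action; a pre-ticked box is not one")
        if ev.at.tzinfo is None or ev.at.tzinfo.utcoffset(ev.at) is None:
            raise ValueError("timestamps must be timezone-aware to be unambiguous evidence")
        self._events.append(ev)

    def grant(self, subject_id: str, purposes: Iterable[str], form_version: str,
              channel: str, at: Optional[datetime] = None, prechecked: bool = False) -> None:
        at = at or datetime.now(timezone.utc)
        for p in purposes:  # one event per purpose: consent has to be specific
            self.record(ConsentEvent(subject_id, p, True, at, form_version, channel, prechecked))

    def withdraw(self, subject_id: str, purposes: Iterable[str], channel: str,
                 at: Optional[datetime] = None) -> None:
        at = at or datetime.now(timezone.utc)
        for p in purposes:
            self.record(ConsentEvent(subject_id, p, False, at, "n/a", channel))

    def _latest(self, subject_id: str, purpose: str, at: Optional[datetime]) -> Optional[ConsentEvent]:
        latest = None
        for ev in self._events:
            if ev.subject_id != subject_id or ev.purpose != purpose:
                continue
            if at is not None and ev.at > at:
                continue  # point-in-time query: ignore later events
            if latest is None or ev.at >= latest.at:
                latest = ev
        return latest

    def is_permitted(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Default deny: a subject with no recorded grant (e.g. a legacy
        database row) is not permitted until re-permissioned."""
        latest = self._latest(subject_id, purpose, at)
        return latest is not None and latest.granted

    def evidence(self, subject_id: str, purpose: str) -> List[Dict]:
        """Everything you would hand to an inspector for one subject and purpose."""
        return [vars(ev) for ev in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]
```

The point-in-time parameter of `is_permitted` is what lets you answer "was this email campaign lawful when it was sent?" months later, and `evidence` is the record to keep next to the screenshots of the consent form mentioned in the checklist.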

Most of the GDPR best practices can be directly transposed to China:

Better UX? Consent form suggested by PageFair encapsulating browsing data sharing with a 3rd party

How about our existing database, for which we have not collected clear consent from the individual?

Neither the law nor the regulations are explicit for any data collected prior to the CSL. But like the GDPR in Europe, we can reasonably assume that the obligations apply retroactively to your existing database. You must then either:

· Delete all pre-existing personal information records, or

· Repermit: go back to the individuals whose personal data you have stored, and collect their explicit consent

Repermission principle

With the GDPR coming into application on May 25th, 2018, there is plenty of documentation on repermission techniques for email databases.

Most of our database has been collected via WeChat: how do I implement repermission?

If you have been binding personally identifiable data to WeChat follower profiles, you can send a broadcast message asking for consent to all of the followers concerned, just as you would do for email or SMS channels. But given the low open rates on average, we recommend more interactive methods such as automated conversations.

Example of repermissioning over WeChat using a chatbot conversation. Source: Rikai Labs

2.4. Data collection must be strictly limited to the scope of your business offering, and have a precise lifespan

The Standard GB/T 35273-2017 requires a direct relationship between the information collected and the realization of business functions, such as the delivery of products and services:

“Direct relation” means that it is impossible to realize the functions of the product or service without the collected information.

Similarly, data collection frequency and quantity shall be kept to a strict minimum necessary to the realization of business operations.

For the basic delivery of products and services, that’s simple. How about more complex scopes, such as personalized recommendations?

The direct link is very clear for a simple process, like delivering an e-commerce order, for example: name, address and phone number are necessary in China.

But how should more complex situations be approached? Apply a divide-and-conquer technique: break the larger purpose down into the individual data points it requires.

For any profiling activity, assess each category of data point for its impact on the quality or relevance of the service you are offering, and document that assessment. Whenever a data point is not necessary, or its contribution to relevance is too diffuse to be directly linked, drop it.

2.5. Personal Data must be protected all along its lifecycle

According to the Standard, after having collected data, companies must:

1. De-identify all personal information promptly after collection (pseudonyms, encryption, hash functions…), and store the de-identified data separately from any information that could be used to restore the link to the individual

2. Implement technological and managerial measures to properly protect and store the processed personal information

All data must have a precise shelf life, limited to the shortest time needed to realize the purposes it was collected for. After the period has expired, the information shall be deleted or anonymized.
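The following added Python example (not from the article or from the Standard) implements the shelf-life rule as a retention sweep: each record carries the purpose it was collected for, a policy maps purposes to a maximum retention in days, and an expired record is either deleted or reduced to an allow-listed set of non-identifying fields. The purposes, retention periods and sample records are constructed for illustration; the real periods must come from your own data mapping.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed policy: maximum days a record may be kept for each purpose.
# The Standard only says "shortest time necessary"; these numbers are illustrative.
RETENTION_DAYS = {
    "order_fulfilment": 180,
    "marketing_email": 365,
    "support_ticket": 90,
}

# Allow-list of fields that survive anonymization. Deny by default: anything
# not listed (name, phone, email, IP, id number, address, customer id...) is
# dropped, so a new identifying column cannot slip through a forgotten block-list.
NON_IDENTIFYING_FIELDS = {"city", "order_total", "product_category"}

# End of the CSL grace period, used as the sweep date in the demo below.
GRACE_PERIOD_END = datetime(2018, 12, 31, tzinfo=timezone.utc)

# Constructed sample rows (not real people).
SAMPLE_RECORDS = [
    {"id": 1, "purpose": "order_fulfilment", "collected_at": datetime(2018, 12, 1, tzinfo=timezone.utc),
     "name": "Li Wei", "phone": "13800000001", "city": "Shanghai", "order_total": 199.0},
    {"id": 2, "purpose": "order_fulfilment", "collected_at": datetime(2018, 3, 1, tzinfo=timezone.utc),
     "name": "Wang Fang", "phone": "13800000002", "city": "Beijing", "order_total": 59.0,
     "keep_for_statistics": True},
    {"id": 3, "purpose": "support_ticket", "collected_at": datetime(2018, 6, 1, tzinfo=timezone.utc),
     "email": "c@example.com", "ip": "203.0.113.7", "city": "Shenzhen"},
    {"id": 4, "purpose": "legacy_import", "collected_at": datetime(2016, 1, 1, tzinfo=timezone.utc),
     "name": "Unknown", "email": "d@example.com"},
    {"id": 5, "purpose": "marketing_email", "collected_at": datetime(2018, 1, 15, tzinfo=timezone.utc),
     "email": "e@example.com", "city": "Shanghai"},
]


def anonymize(record: Dict) -> Dict:
    """Keep only allow-listed fields and coarsen the date to a month, so the
    row can still feed statistics but no longer points at a person."""
    kept = {k: v for k, v in record.items() if k in NON_IDENTIFYING_FIELDS}
    kept["collected_month"] = record["collected_at"].strftime("%Y-%m")
    return kept


def sweep(records: List[Dict], now: datetime,
          retention_days: Dict[str, int] = RETENTION_DAYS) -> Tuple[List[Dict], List[Dict], List[int]]:
    """Return (records to keep, anonymized replacements, ids to delete)."""
    keep, anonymized, delete_ids = [], [], []
    for r in records:
        limit = retention_days.get(r["purpose"])
        if limit is None:
            # No documented purpose means no basis to hold the data at all.
            delete_ids.append(r["id"])
            continue
        if now < r["collected_at"] + timedelta(days=limit):
            keep.append(r)
        elif r.get("keep_for_statistics"):
            anonymized.append(anonymize(r))
        else:
            delete_ids.append(r["id"])
    return keep, anonymized, delete_ids


if __name__ == "__main__":
    keep, anon, gone = sweep(SAMPLE_RECORDS, GRACE_PERIOD_END)
    print("keep:", [r["id"] for r in keep])
    print("anonymized:", anon)
    print("delete:", gone)
```

Run the same sweep against replicas and restored backups, not only the primary database: a record that has been deleted from production but still sits in a six-month-old backup has not reached the end of its shelf life.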

“We modified our product to comply to the GDPR as well as China’s CSL. For instance, we got rid of the ‘viral’ counter which was using IP addresses to detect when a message was transferred. We also modified the unsubscribe link of emails, which previously contained a decipherable email address in it.”
— Benjamin Billon, Compliance Director at SPLIO

What if we have to shut down our activities?

When a Network Operator suspends its operations, it shall:

· Promptly stop activities that collect personal information

· Serve a notice of suspension to each data subject or publicly release an announcement for this purpose

· Delete or anonymize the personal information it holds

3. What are the consequences of non-compliance?

Main sanctions for breaking the law. Source: Ecritel / LPA-CGR Avocats

Complying with the CSL may represent significant IT infrastructure and organizational costs for companies. For multinationals, it could range from hundreds of thousands to several millions of RMB, depending on their size, business model and the type and amount of data collected and stored. How does that balance against the risks?

Companies that break the new law may face:

1. Warnings and orders to comply

2. Confiscation of gains made under a non compliant situation, a fine up to 10 times the illegal gain, or a fine up to 500,000 RMB for the company and 100,000 RMB for the individual in charge

3. Website and online systems suspension for rectification

4. Business or trade licence in China removed

5. Up to 15 days of detention

How much of that is actually enforced already?

So far, most cases of enforcement have focused on 1) colossal state-owned enterprises for lack of personal data protection and consent collection 2) companies failing to control unlawful information published online by their users.

Companies have already been warned and sanctioned in Guangdong, Sichuan, Chongqing and Anhui. The best-known cases are Shenzhen Sanren Network Technology, which was fined and had its website shut down for rectification for failing to enforce the real-name policy, and Alibaba Cloud, which was investigated last September.

While the fines may not seem very high compared to GDPR, having a website or online system shut down is probably the highest risk, as it could lead to significant losses due to the disruption of operations.

Among foreign businesses, multinationals run the highest risk of being inspected because of their visibility, but SMEs should beware of rewards that may be offered to whistleblower employees who report a non-compliant employer.

4. Key activities to evaluate for compliance

You are at risk of non-compliance for these activities or if you use any of the following systems:

· Any online membership database (e.g. member/client/applicant area on your website)

· Email marketing: newsletter, Electronic Direct Mail (EDM), remarketing advertising from PPC campaigns, social media or offline advertising

· CRM/marketing automation (e.g. Salesforce, Marketo, Hubspot etc.)

· Central Reservation Systems (such as Booking engines for hospitality, events etc.)

· Electronic payments

· Ecommerce: order management, shipping and handling

· ERP/online accounting/payroll management

· Social CRM

· Knowledge management systems (e.g. Wikis)

· Usability testing, online performance tracking & measurement

· Online customer services

· Automated data exchange with third parties

We recommend auditing each tool with your marketing, IT and legal team or counsel to understand what data is collected and if it’s processed and stored in a compliant way. Here are some aspects you can audit already:

· Identify if you have a login and registration area

· Locate contact forms

· Use an online IP location tool to identify the hosting location, e.g. Iplocation or Webhostinghero. Bear in mind that this only shows where the public front end resolves to (often a CDN edge), not where the databases and backups behind it sit, so confirm storage locations with your hosting provider as well

· Identify tracking tools installed with BuiltWith, or by reviewing the third-party scripts and tags your pages load
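As an added, offline complement to those manual checks (example code, not part of the original article), the following Python script parses a page’s HTML and lists the third-party script hosts it loads, the forms it contains, which of those forms collect PII or a password (i.e. a login area) and which post to a host other than the page’s own. The HTML sample is constructed; the tracker host list covers only the vendors named in this article plus Baidu Tongji, and should be extended from your own tag audit.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Script hosts worth flagging. Constructed list: the vendors named in the
# article plus one domestic analytics vendor; extend it from your own tag audit.
KNOWN_TRACKERS = {
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
    "static.hotjar.com": "Hotjar",
    "cdn.mxpnl.com": "Mixpanel",
    "hm.baidu.com": "Baidu Tongji",
}

# Substrings in input names that usually mean personal data is being collected.
PII_NAME_HINTS = ("name", "email", "mail", "phone", "mobile", "tel", "address", "id_card", "idcard", "birth")
NON_DATA_INPUT_TYPES = {"hidden", "submit", "button", "reset", "image"}


class PageInventory(HTMLParser):
    """Collects third-party scripts and data-collecting forms from one page."""

    def __init__(self, page_host: str) -> None:
        super().__init__()
        self.page_host = page_host.lower()
        self.third_party_scripts: List[Tuple[str, str]] = []   # (host, vendor label)
        self.forms: List[Dict] = []
        self._form: Optional[Dict] = None

    def handle_starttag(self, tag, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname  # also handles protocol-relative "//host/x.js"
            if host and host.lower() != self.page_host:
                self.third_party_scripts.append((host, KNOWN_TRACKERS.get(host, "unknown third party")))
        elif tag == "form":
            action_host = urlparse(a.get("action", "")).hostname
            self._form = {
                "action": a.get("action", ""),
                "cross_host_action": action_host if action_host and action_host.lower() != self.page_host else None,
                "fields": [],
                "collects_pii": False,
                "is_login": False,
            }
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            kind = (a.get("type") or "text").lower()
            if kind in NON_DATA_INPUT_TYPES:
                return
            self._form["fields"].append(name)
            if kind in ("email", "tel") or any(h in name for h in PII_NAME_HINTS):
                self._form["collects_pii"] = True
            if kind == "password":
                self._form["is_login"] = True
                self._form["collects_pii"] = True

    def handle_endtag(self, tag) -> None:
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def inventory(html: str, page_host: str) -> PageInventory:
    parser = PageInventory(page_host)
    parser.feed(html)
    parser.close()
    return parser


# Constructed page source, not a real site.
SAMPLE_HTML = """<html><head>
<script src="//www.google-analytics.com/analytics.js"></script>
<script src="https://static.hotjar.com/c/hotjar-1.js"></script>
<script src="/assets/app.js"></script>
</head><body>
<form action="/contact" method="post">
  <input type="text" name="full_name"><input type="email" name="email">
  <input type="tel" name="mobile"><input type="submit" value="Send">
</form>
<form action="https://sso.example.hk/login" method="post">
  <input name="username"><input type="password" name="password">
</form>
</body></html>"""


if __name__ == "__main__":
    inv = inventory(SAMPLE_HTML, "www.example.com.cn")
    for host, label in inv.third_party_scripts:
        print(f"third-party script: {host} ({label})")
    for f in inv.forms:
        print(f"form -> {f['action']!r}: fields={f['fields']} pii={f['collects_pii']} "
              f"login={f['is_login']} posts_offsite={f['cross_host_action']}")
```

Feed it the saved HTML of each page (`curl -s URL > page.html`) and review the output with your marketing and legal teams: every third-party host is a potential cross-border transfer of visitor data, and every form posting to a foreign host is a direct one. Scripts injected at runtime by a tag manager will not appear in the static HTML, so also inspect the tag manager’s container configuration.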

“The Cyber Security Law (CSL) is a very serious topic in China, since non-compliance can lead to the withdrawal of its Business License. Without a Business License, a company is not able to operate in China. However, in order to comply with the CSL, companies have a lot to carry out, from technical restructuring to legal reviewing and assessment. Our recommendation is that the CEO / GM leads the project, and closely work and follow up with both the IT and Legal departments.”
— David Meimoun, Head of Sales & Marketing at Ecritel

5. Compliance checklist

A compliance project for China’s personal data protection rules should involve IT directors, the directors for compliance, risk and PR, as well as legal teams. Here is a handy checklist of potential weaknesses to fix (not exhaustive):

Data collection and consent

· Go through all your data collection systems and make sure the user is fully informed on the scope of data collection and usage

· Make sure consent is clearly collected, recorded and timestamped, keep screenshots of the consent form

· Get your existing database opted in with a repermission campaign

· Update your privacy policies to cover the 8 points of the Personal Information Security Specification

Data protection

· Encrypt data at rest (e.g. using VMware’s VM encryption) and in transit: use HTTPS for all your web properties and SFTP for file transfers

· Set up a backup and system redundancy policy, encrypt backups (e.g. using Veeam) and “cold store” them (disconnected from any network)

· Set up network protection systems (such as firewalls, antiviruses etc.) to protect against the leakage/modification/destruction of data

· Use a Security Information and Event Management (SIEM) solution for real-time monitoring of unauthorized connections

· Keep records of all network accesses (logs) and security incidents

· Build a very clear incident response plan on how to react in case of attack or security breach covering the main breakage scenarios: system restoration from latest backup, breach notification to authorities, personal notification to users affected by the breach (e.g. using the FMEA framework)

· Write down an internal security policy and train employees accordingly (e.g. password and access-control rules)

· Name in your organization an IT security manager in charge of defining and applying the processes, or outsource security management to a specialized provider

Data storage

· Consider hosting all data collection systems in mainland China: establish local instances of your infrastructure

· Liaise with all your third party service providers and make sure all personal data storage and processing is compliant, switch to compliant providers when required

· Don’t forget devices and equipment on the Internet of Things (IoT) that could be collecting or transferring personal information

Cross-border data transfer

· Formulate a data transfer plan covering relevant personal information, important data proposed to be transferred, the information system(s) involved, and the information about the recipient and transferor

· Form a working group to review the Data Transfer Plan and prepare the Self-Assessment Report with members from legal, IT and management functions

· Consider outsourcing the self assessment to a certified third party

· Keep logs of all data transfers for at least 2 years

6. Conclusion: Looking Forward

Does the NO/CIIO differentiation matter any longer?

Figuring out if your business is a CIIO is still important, as falling into the CIIO category still brings plenty of responsibilities organization- and infrastructure-wise compared to the NO status, like:

· Naming a CAC certified security officer

· Technical training and skill assessment for practitioners

· Security review organized by the CAC when purchasing network products and services

· etc.

But as the Measures, Guidelines and Standard issued after the CSL show, the regulatory environment tends to become stricter for NOs. Preparing for compliance following the strictest set of rules is probably the safest choice if your budget and organization allow it.

“If you are a growing business in China, you will eventually fall into the CIIO category, as the scope of your activities, online operations and data processing expand. It’s just a matter of time before you reach the ‘CII trigger’ ”  
—  Maxime Oliva, CEO of digital risk intelligence company TekID.

When will the final version of the Measures and Guidelines be released?

The CAC has not announced a publication date yet, but the final versions are expected before the grace period expires on December 31st, 2018. We strongly recommend that you subscribe to cyber security compliance alerts or newsletters from attorneys in China (e.g. send an email to ltusseauleveque@lpalaw.com.cn to subscribe to such alerts).

We’re not 100% sure what we do is compliant. What should we do?

Some of the law’s definitions are still unclear, e.g. “Important Data” and CIIOs. Whenever you are unsure whether the scope of your data collection and processing is compliant, seek legal help. More generally, the best protection is to set up clear, documented processes internally to ensure compliance: risk assessment checklists, training procedures and materials, working groups and so on. These will show good faith on your part should an inspection happen, maximizing your chances of receiving only a warning and a rectification order should the authority consider some of your activities to be in violation of the regulation.

“Implementation of the CSL is one more brick being laid in building a specific regulatory environment in China. Every company targeting Chinese clients should keep in mind it is necessary to establish a physical and legal presence in China, and comply with Chinese regulations, if it wants its business to grow successfully”
— Fanny Nguyen, Partner of LPA-CGR Avocats Shanghai office.

Reading list

· CSL

· Measures for the Security Assessment of Personal Information and Critical Data Leaving the Country (“Measures”), first draft 2017.04.11

· Measures for the Security Assessment of Personal Information and Critical Data Leaving the Country (“Measures”), second draft 2017.05.19

· Guidelines for Cross-Border Data Transfer Security Assessment (“Guidelines”), first draft 2017.05.27

· Guidelines for Cross-Border Data Transfer Security Assessment (“Guidelines”), second draft 2017.08.25

· Personal Information security specifications Standard GB/T 35273-2017

Interpretations:

· Communication From The United States S/C/W/374 at the WTO – Measures Adopted And Under Development By China Relating To Its Cybersecurity Law, 2017.09.25

· Findings of the Investigation Into China’s Acts, Policies, and Practices Related to Technology Transfer, Intellectual Property, and Innovation Under Section 301 of the Trade Act of 1974, 2018.03.22 (Section VI.2.)

· European Business in China Position Paper 2017/2018 (Cybersecurity Sub-working Group)

Authors


David Meimoun

David is Sales & Marketing Director at hosting and managed services company Ecritel in China. He helps companies improve the performance, availability and security of their websites and applications. Feel free to reach him at dmeimoun@ecritel.cn if you have any question regarding these topics.

Lucie Tusseau Leveque

Lucie is a senior associate at LPA-CGR Avocats. She helps international companies navigate the complexities of ever changing Chinese regulations. Her practice encompasses cross border investments, mergers and acquisitions, commercial matters and IT related issues. Reach Lucie at ltusseauleveque@lpalaw.com.cn.

Clement Ledormeur

Clement is the Deputy General Manager at digital agency 31Ten. He is currently leading the delivery of digital projects, understanding client’s business and technical requirements and converting them into a solution and project plan. He is always looking to help build something exciting. Reach Clement for consulting at clement@31ten.network.

31Ten
Shanghai-based digital agency specializing in UX/UI, cutting-edge WeChat & web development, online performance & analytics


