China Data Protection and Cybersecurity: Annual Review of 2023 and Outlook for 2024 (I)

In 2023, we witnessed a profound evolution in the realms of cybersecurity and data compliance governance. With the enactment of three pivotal laws— the Personal Information Protection Law (“PIPL”), the Data Security Law (“DSL”), and the Cyber Security Law (“CSL”)—China embarked on a journey to refine and actualise data protection imperatives. Throughout the year, a plethora of new regulations and enforcement dynamics emerged, meticulously aligning with China’s commitment to safeguard data subjects’ rights. Simultaneously, emphasis was placed on the fluidity of data—both in cross-border circulation and internal ecosystems—allowing the very essence of data to come alive. As we head into 2024, what are the new challenges for businesses? Let's take a closer look at these developments and what we can expect from them in 2024.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

We will highlight our observations on major regulatory and enforcement developments in 2023 in the following four key sections.

• Personal information protection, a realm where a multitude of legislative updates have been orchestrated to further operationalise the stipulations embedded within the PIPL. These dynamic developments span diverse domains, encompassing cross-border data transfers, personal information protection audits, and astute governance of mini programs as well as minors’ rights protection.
• Data security, where we witnessed advancements in the formulation of data security risk assessments by the Ministry of Industry and Information Technology (“MIIT”) aiming at effectively implementing the DSL after it came into force. We also observed other sectoral developments where we see regulators in various industries have made their efforts to strengthen compliance governance.
• Cyber security, where continuous regulatory efforts have been made such as developing legislative plan to finalise the proposed revisions on the CSL, requiring swift implementation of cybersecurity reporting mandates, proposing sectoral cybersecurity classification system, and enforcing the cybersecurity review.
• Data exchange and transactions, where we have seen an effort to foster the development and governance of the data element market via the establishment of the National Data Bureau, implementation of regulations on the data resource to be recorded as asset in financial statements, data exchange and transactions practices using different business models, and developments of local rules and guidance.

In this first article, we give an overview of the highlights in China, and developments in personal information protection.

Part One: Highlights of the Year 2023

In 2023, our gaze was mainly drawn to two burgeoning domains:

• Cross-border data transfers: where China has established three mechanisms for data export regulations (see more details in Part Two below); progress has been made, but challenges remain. For instance, the lengthy assessment process and high compliance costs might hinder data exporters. In that regard, we witnessed the release of the Regulations on Administering and Promoting Cross-border Data Flow (“Draft Data Export Regulations”), which proposes changes to relax obligations. Additionally, the Guangdong-Hong Kong-Macao Greater Bay Area (“GBA”) saw regional-focused guidelines for cross-border data flow within the GBA, providing variation of mechanisms concerning data export.
• Data exchange and transactions, where following the release of the Opinions on Building Data Infrastructure System to Better Play the Role of Data Elements in December 2022, the establishment of the National Data Bureau on 25 October 2023, signifies a significant step toward creating a robust data foundation system in China. This bureau aims to integrate data resources and drive digital innovation across various technologies. We have seen rapid developments in the data exchange and transactions domain during2023, including the publication of regulations related to data resources to be recorded as asset in financial statements, the emergence of more dynamic business models for data exchange and transactions practices, and the implementation of local regulations that shape rules in the data exchange and transactions regime.

In addition to these developments, a series of implementation regulations, rules, as well as national or industrial standards were released for public consultation or formally promulgated in 2023. These measures offer more practical guidance on compliance, further enhancing data and cyber governance and enforcement efforts in China.

Part Two: Personal Information Protection

I. Regulatory developments

1. Cross-border data transfer mechanisms

Under the current effected laws, three safeguarding approaches are available for specific data export scenarios respectively according to the PIPL, which are:

1. Passing the governmental assessment organised by the Cyberspace Administration of China (“CAC”) (Click here to read our comments on the governmental assessment);
2. Entering into a standard contract (“SCC”) with the overseas recipient and file the executed SCCs along with the report of personal information protection impact assessment with the CAC at provincial level (“SCCs Filing”) (Click here to read our comments on the SCCs Filing); or
3. Obtaining a personal information protection certification (“PI Certification”) issued by a professional institution appointed by the CAC (Click here and here to read our comments in the PI Certification regime).

With the regulations and guidance for governmental assessment maturing in 2022, the CAC unveiled the regulation on SCCs Filing in February 2023 (for our comments on this regulation, please click here and here), which took effect on 1 June 2023 and gives the personal information exporters in China six months to implement the regulation. On 30 May 2023, the CAC released the guidelines for filing the SCCs, two days before the regulation for the Chinese SCCs Filing took effect on 1 June.

Meanwhile, the National Information Security Standardisation Technical Committee (“TC260”) published draft national standards on Certification Requirements for Cross-border Transmission of Personal Information on 16 March 2023, with the intention to elevate the legal effect of the PI Certification from a low-level technical guidance document to non-mandatory national standards. As such, most requirements concerning PI Certification remain unchanged.

However, as a game changer, on 28 September 2023, the CAC released the Draft Data Export Regulations, proposing substantial changes to the current cross-border data transfer regime, which sought to relax a number of cross-border data transfer obligations. For instance, for personal information handlers (refers to who may independently decide the means and purposes of personal information processing) who provide their employers’ personal information overseas for human resources management purpose, its situation might fall under one of the necessity exemptions. In addition, the Draft Data Export Regulations exempts the obligations to adopt any of the three safeguarding measures for exporting personal information where the number of individuals’ personal information falls below the numerical threshold –10,000 individuals within a year. (Click here to read our comments on the Draft Data Export Regulations.)

That said, the Draft Data Export Regulations provides no specific coverage for GBA data flows since 29 June 2023, the CAC and the Innovation, Technology and Industry Bureau (the “ITIB”) of the Hong Kong Government signed the “Memorandum of Understanding on Facilitating Cross-boundary Data Flow within the Guangdong-Hong Kong-Macao Greater Bay Area” with the intentions to establish a secure mechanism for cross-border data flow in the GBA, meanwhile, under the national management framework for safeguarding the security of cross-border data transfers.

Echoing to such intention, on 1 November 2023, the TC260 issued the Network Security Standard Practice Guide—Guangdong-Hong Kong-Macao Greater Bay Area Cross-Border Personal Information Protection Requirements (Draft for Comment), provides protection standards for cross-border data flow in the GBA, as the basis for the GBA personal information protection certification (“GBA Certification”). (Click here to read our comments on the GBA Certification.)

In addition, on 13 December 2023, the Implementation Guidelines for Standard Contract for the Cross-boundary Flow of Personal Information Within the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland, Hong Kong) (“GBA SCC Guidelines”), was jointly issued by the CAC and ITIB of the Hong Kong Government, further fills the gap by providing an alternative route for cross-border data transfers within the GBA by entering into the GBA SCCs on a voluntary basis. (You may see details from here and here.)

2. Personal information protection audits

The PIPL mandates audits of personal information processing activities (“PI Audit”) to be conducted by personal information handlers. However, the specifics of how these audits should be conducted remained unclear until recently.

On 3 August 3 2023, the CAC issued the Administrative Measures for Personal Information Protection Compliance Audit (Draft Measures), provides a clear roadmap for organisations on how to navigate PI Audits. Moreover, the draft document specifies that personal information handlers must conduct PI Audits.  However, entrusted parties that process personal information solely under the instructions of handlers are exempt from PI Audits. If an organisation acts as both a handler and an entrusted party, it only needs to conduct audits for activities performed as a handler. (Click here to read our comments on the PI Audit.)

Although the draft document specifies the frequency of PI Audits shall depend on the number of individuals’ personal information processed, it indicates the normalisation of PI Audits for personal information handlers.

3. Strengthen on governance of APPs and in-app mini programs

Local regulators released guidelines and conducted a number of enforcement activities accordingly on personal information protection concerning APPs and mini programs. For instance, Shanghai released Guidelines for Online Food Ordering Services for Compliance of Shanghai Consumers' Personal Information Protection, which put forward further action requirements on how APPs collect personal information under the PIPL. A well-known international coffee brand was ordered to rectify its excessive collection of consumers’ personal information while offering its online food ordering services. In 2023, we are witnessing the standardisation of legislation and the active enforcement for APPs and mini programs across various fields.

4. Minors’ rights protection

On 24 October 2023, China issued the Regulations on the Protection of Minors in Cyberspace, which will take effect on 1 January 2024, sets out a number of different requirements based on the nature of the products or services and the data processing behaviour of providers of network products and services, handlers of personal information, and manufacturers and sellers of intelligent terminal products. (Click here to read our views on minors’ rights protection.)

In terms of aligning with higher-level laws, this regulation imposes stricter provisions than the PIPL regarding the exercise of personal information rights by minors. For instance, if a personal information handler rejects a minor or their guardian’s request to exercise rights, they must provide written notification to the applicant along with an explanation, however, the PIPL does not specifically mention this method concerning this written notification. This document provides further protection on minors’ personal information in cyberspace.

II. Enforcement development

2023 saw strengthened administrative law enforcement in data security, cyber security, and personal information protection in China. Multiple measures were implemented to bolster the security of critical information infrastructure and safeguard personal information. The supervision and management of internet products such as APPs were intensified, which demonstrates the trend of normalised APP and mini program governance. In addition, via the enforcement cases during 2023, we saw investigations involving various fields, from construction to real estate, catering, and other industries, due to non-compliance of the PIPL. This reflected a trend of decentralised enforcement on small and medium-sized enterprises. The Supreme People’s Procuratorate, and procuratorates at all levels carried out several public interest litigations and criminal enforcement actions, protecting personal information rights and promoting the protection of minors in cyberspace. Overall, substantial progress was made in advancing the rule of law in cyber and data security.

III. Outlook for 2024

In 2024, we anticipate that certain regions will be subject to regulations that aim to balance data security and international business operations. However, there are still uncertainties regarding the implementation and enforcement of newly introduced obligations. As a result, we expect to see legislative and enforcement trends that actively address these uncertainties, to actively –

• finalising the Draft Data Export Regulations, and providing more predictable exemptions about several data export scenarios for personal information handlers who conducting cross-border data transfers;
• clarifying certain key concepts and procedural requirements under the newly released GBA SCC Guidelines and finalising the GBA Certification;
• strengthening the supervision and law enforcement of games, especially since minors are a large audience of online platforms and online game products, we have seen enforcement cases and regulation implementation in 2023 to better protect minors’ rights in the online entertainment environment, more exploration might be carried out according to the Measures for the Management of Online Games (Draft for Solicitation of Comments) released on December 22 to tighten the supervision on games industry;
• finalising several critical drafts proposed in 2023 such as the Administrative Measures for Personal Information Protection Compliance Audit (Draft Measures) to provide legal basis for personal information protection from various dimensions and promote normalised governance of personal information protection; and
• increasing civil lawsuits and public interest litigations against personal information protection infringement, brought by the people’s procuratorates, consumer associations, and individuals.