
Personal Data Breach Incident Notification under the PIPL


Author: Yingying Zhu, Partner of Beijing MingDun Law Firm

Email: zhu.yingying@mdlaw.cn

Date: March 16, 2022

 

Introduction

Let’s suppose you are the Data Protection Officer (“DPO”) of a multinational corporation. It’s 4AM. Your phone is buzzing. It is the head of your Incident Response Team in China, calling to tell you:

“Hi Boss, sorry to wake you up. Our system has been hacked and personal data of more than 100,000 customers living in China have been leaked to the hacker”.

You realize that something worse than a nightmare is actually happening and that action must be taken.

What should you do?

This article may help if you ever receive such a wake-up call somewhere down the road.

 

Background

On November 1st, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), became effective. The PIPL essentially requires that operators of websites, mobile phone applications or any other technologies that collect and process data obtain the users’ consent, or rely on another legal basis, in order to collect or process the users’ data. The PIPL also imposes on a data collector/processor the obligation to notify data breaches immediately to the relevant supervisory authorities. In certain circumstances, the affected individuals must be notified of the data breach as well.

This article primarily discusses the notification requirements for personal data breach incidents under the PIPL and its supplementary regulations and specifications.

 

What constitutes a Personal Data Breach Incident?

For purposes of the PIPL, a “Personal Data Breach Incident” means where leakage, tampering or loss of personal data transmitted, stored or otherwise processed by a data collector/processor occurs or may occur.

 

Under this definition, even if the leakage, tampering or loss of personal data has not actually occurred, a reasonable likelihood that it may occur can still constitute a reportable Personal Data Breach Incident.

Data breach incidents can result from a hacker attack (as in the example above), a deliberate act by a current or former employee of the business, or an unintentional loss or exposure of data due to employee carelessness or a malfunction of the business’ data management, retention and destruction systems.

 

Who should be notified?

 

1) The Supervisory Authorities

Where a Personal Data Breach Incident affects more than a certain number[1] of identified or identifiable individuals living in China, it must be notified to the competent Supervisory Authorities in China.

The company experiencing the Personal Data Breach Incident must notify the competent Supervisory Authorities without undue delay and, where feasible, no later than 8 hours[2] after becoming aware of the Personal Data Breach Incident. If the company’s report is submitted late, it must also set out the reasons for the delay.

The notification to the Supervisory Authorities must include:

· the types of personal information leaked, tampered with, or lost;
· the causes of the personal data breach incident;
· the damages that have been or may be caused;
· the remedial measures taken by the company;
· the measures available to individuals to mitigate the damages; and
· the contact information of the company.

After the Personal Data Breach Incident has been resolved, the company should submit a second, follow-up report to the Supervisory Authorities within 5 working days[3].

 

2) The Affected Individuals

Where the company experiencing the Personal Data Breach Incident is able to adopt measures that effectively avoid the harm caused, or that may be caused, by the Personal Data Breach Incident, it is relieved of the duty to notify the affected individuals. However, if the competent Supervisory Authorities consider that the Personal Data Breach Incident might still cause harm to the affected individuals, the Supervisory Authorities may require the company to communicate the Personal Data Breach Incident to the affected individuals as soon as practically possible and to provide them with at least the following information[4]:

· a description of the nature of the Personal Data Breach Incident;
· the name and contact details of the company;
· a description of the likely consequences of the Personal Data Breach Incident;
· a description of the measures taken, or to be taken, by the company to address the Personal Data Breach Incident and mitigate its possible adverse effects;
· suggestions for the affected individuals to prevent and reduce risks independently; and
· remedial measures to be provided for the affected individuals.

 

The affected individuals shall be informed of the relevant details of the Personal Data Breach Incident in a timely manner by email, letter, phone, push notification, or similar means. When it is difficult to inform the affected individuals individually, a reasonable and effective method should be adopted to publish the warning information relevant to the Personal Data Breach Incident, such as posting a public notice on the company’s website.

 

What else should be done?

 

After detecting a Personal Data Breach Incident, the company experiencing the incident shall take the following remedial measures[5] in addition to notifying the Supervisory Authorities and/or the affected individuals:

· record the details of the incident, including but not limited to the time and place of the incident, the person who identified the incident, the number of individuals affected, the name of the system involved, the impact on other connected systems, and whether law enforcement or a relevant department has been contacted;
· assess the possible impact of the incident;
· take necessary measures to contain the incident; and
· eliminate hidden threats.

 

Which are the Competent Supervisory Authorities?

Unlike most EU countries, China does not have a dedicated and independent data protection authority that monitors and supervises, through investigative and corrective powers, the application of the data protection law. This raises a difficult question as to which authorities should be notified when a company experiences a Personal Data Breach Incident.

According to the PIPL, at the national level, the Cyberspace Administration of China (the “CAC”) is primarily responsible for the overall supervision and management of personal data protection. In addition, sectoral authorities, such as the National Health Commission, the People's Bank of China, the China Banking and Insurance Regulatory Commission, etc., also supervise and enforce personal data protection for regulated institutions within their respective sectors.

At the local government level, the Cyberspace Administration of “municipal-level and higher” and other in-charge authorities are responsible for performing personal data protection duties as conferred by the relevant regulations.

It can be concluded that when a Personal Data Breach Incident does occur, the Cyberspace Administration of “municipal-level and higher” should be the first point of contact for a company to fulfill its notification obligations to the Supervisory Authorities.

 

Key Takeaways

· Even if the leakage, tampering or loss of personal data has not actually occurred, a reasonable likelihood that it may occur means the business experiencing the incident might still have a reportable Personal Data Breach Incident.

· To stay compliant with the PIPL, businesses should consult regulatory and professional opinions regardless of the scale and consequences of the Personal Data Breach Incident.

· When a Personal Data Breach Incident does occur, the Cyberspace Administration of “municipal-level and higher” should be the first point of contact among the Supervisory Authorities for a business to fulfill its notification obligations.

· If you are the DPO of a business handling large amounts of personal data with subsidiaries in different time zones, you should keep your phone fully charged and never turn it off. This will prevent you from missing the 8-hour notification window under the PIPL when encountering a Personal Data Breach Incident related to China.

 

Conclusion

In the event of a Personal Data Breach Incident, businesses are racing against the clock to take remedial measures and to fulfill their notification obligations to the Supervisory Authorities and/or the affected individuals. Having a well-rehearsed data incident response plan in place, with clear and workable processes and workflows, is especially helpful and time-saving (and a lifesaver too) in such a situation.

Businesses with a lasting commitment to data security and users’ personal data privacy should maintain a highly organized, well-tailored and constantly evolving data protection program to address the data breach risks they face. Over time this builds users’ trust and loyalty, empowers employees, and gives the business a competitive edge in the long run.

 

 



[1] The threshold number has yet to be confirmed by binding law. For reference, Article 11 of the Draft Network Data Security Management Regulation (a supplementary regulation to the PIPL), released on November 14, 2021 for public comment, sets the threshold at “more than 100,000 individuals (are affected)”.

[2] See Article 11 of the Draft Network Data Security Management Regulation (a supplementary regulation to the PIPL), released on November 14, 2021 for public comment.

[3] Ibid.

[4] See Article 10.2 of the Information Security Technology—Personal Information Security Specification (GB/T 35273-2020) (effective October 1, 2020).

[5] See Article 10.1 of the Information Security Technology—Personal Information Security Specification (GB/T 35273-2020) (effective October 1, 2020).

