
Personal Data Breach Incident Notification under the PIPL


Author: Yingying Zhu, Partner of Beijing MingDun Law Firm

Email: zhu.yingying@mdlaw.cn

Date: March 16, 2022

 

Introduction

Let’s suppose you are the Data Protection Officer (“DPO”) of a multinational corporation. It’s 4 AM. Your phone is buzzing. It is the head of your Incident Response Team in China calling to say:

“Hi Boss, sorry to wake you up. Our system has been hacked and personal data of more than 100,000 customers living in China have been leaked to the hacker”.

You realize that something worse than a nightmare is actually happening and that action must be taken.

What should you do?

Reading this article might be helpful should you receive such a wake-up call somewhere down the road.

 

Background

On November 1, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), became effective. The PIPL essentially requires that operators of websites, mobile phone applications or any other technologies that collect and process data obtain consent from users, or have another legal basis, in order to collect or process the users’ data. The PIPL also imposes on a data collector/processor the obligation to notify data breaches immediately to the relevant supervisory authorities. In certain circumstances, the affected individuals must be notified of the data breach as well.

This article primarily discusses the notification requirements for personal data breach incidents under the PIPL and its supplementary regulations and specifications.

 

What constitutes a Personal Data Breach Incident?

For purposes of the PIPL, a “Personal Data Breach Incident” means where leakage, tampering or loss of personal data transmitted, stored or otherwise processed by a data collector/processor occurs or may occur.

 

Under this definition, even if the leakage, tampering or loss of personal data has not actually occurred, a reasonable likelihood that such leakage, tampering or loss may occur can still constitute a reportable Personal Data Breach Incident.

 

Data breach incidents can result from a hacker attack (as in the example above), an intentional act by an individual currently or previously employed by the business, or an unintentional loss or exposure of data due to employee carelessness or a malfunctioning data management, retention and destruction system.

 

Who should be notified?

 

1) The Supervisory Authorities

Where a Personal Data Breach Incident affects more than a certain number[1] of identified or identifiable individuals living in China, it must be notified to the competent Supervisory Authorities in China.

The company encountering the Personal Data Breach Incident must notify the competent Supervisory Authorities without undue delay and, where feasible, within 8 hours[2] of becoming aware of the Personal Data Breach Incident. If the company’s report is submitted late, it must also set out the reasons for the delay.

The notification to the Supervisory Authorities must include:

· the types of personal information leaked, tampered with, or lost;

· the causes of the Personal Data Breach Incident;

· the damages that have been or may be caused;

· the remedial measures taken by the company;

· the measures available to individuals to mitigate the damages; and

· the contact information of the company.

After the Personal Data Breach Incident has been resolved, the company must submit a second, follow-up report to the Supervisory Authorities within 5 working days[3].

 

2) The Affected Individuals

Where the company encountering the Personal Data Breach Incident is able to adopt measures that effectively avoid the harm caused, or that may be caused, by the Personal Data Breach Incident, it is relieved of the duty to notify the affected individuals. However, if the competent Supervisory Authorities consider that the Personal Data Breach Incident might still cause harm to the affected individuals, they may require the company to communicate the Personal Data Breach Incident to the affected individuals as soon as practically possible and to provide them with at least the following information[4]:

· a description of the nature of the Personal Data Breach Incident;

· the name and contact details of the company;

· a description of the likely consequences of the Personal Data Breach Incident;

· a description of the measures taken, or to be taken, by the company to address the Personal Data Breach Incident and mitigate its possible adverse effects;

· suggestions for the affected individuals to prevent and reduce risks on their own; and

· remedial measures to be provided to the affected individuals.

 

The affected individuals shall be informed of the relevant details of the Personal Data Breach Incident in a timely manner by email, letter, phone, push notification or similar means. Where it is difficult to inform the affected individuals individually, a reasonable and effective method should be adopted to release warning information about the Personal Data Breach Incident, such as posting a public notice on the company’s website.

 

What else should be done?

 

After detecting a Personal Data Breach Incident, the company encountering the incident shall take the following remedial measures[5] in addition to notifying the Supervisory Authorities and/or the affected individuals:

 

· record the details of the incident, including but not limited to the time and place of the incident, the person who identified the incident, the number of individuals affected, the name of the system involved, the impact on other connected systems, and whether a law enforcement agency or other relevant department has been contacted;

· assess the possible impact of the incident;

· take the necessary measures to contain the development of the incident; and

· eliminate remaining threats.

 

Which are the Competent Supervisory Authorities?

Unlike most EU countries, China does not have a dedicated and independent data protection authority that monitors and supervises the application of the data protection law through investigative and corrective powers. This raises a difficult question as to which authorities should be notified when a company encounters a Personal Data Breach Incident.

According to the PIPL, at the national level, the Cyberspace Administration of China (the “CAC”) is primarily responsible for the overall supervision and management of personal data protection. In addition, sectoral authorities, such as the National Health Commission, the People's Bank of China and the China Banking and Insurance Regulatory Commission, also supervise and enforce personal data protection by the institutions regulated within their respective sectors.

At the local government level, the Cyberspace Administration of “municipal-level and higher” and other in-charge authorities are responsible for performing personal data protection duties as conferred by the relevant regulations.

It follows that when a Personal Data Breach Incident does occur, the Cyberspace Administration at the “municipal level and higher” should be a company’s first point of contact for fulfilling its notification obligations to the Supervisory Authorities.

 

Key Takeaways

· Even if the leakage, tampering or loss of personal data has not actually occurred, a reasonable likelihood that such leakage, tampering or loss may occur can still mean that the business encountering the incident has a reportable Personal Data Breach Incident.

· For businesses to stay compliant with the PIPL, regardless of the scale and consequences of the Personal Data Breach Incident, regulatory and professional opinions have to be consulted.

· When a Personal Data Breach Incident does occur, the Cyberspace Administration at the “municipal level and higher” should be the first point of contact among the Supervisory Authorities for a business to fulfill its notification obligations.

· If you are the DPO of a business that handles large amounts of personal data and has subsidiaries in different time zones, keep your phone fully charged and never turn it off. This will prevent you from missing the 8-hour notification window under the PIPL when a Personal Data Breach Incident related to China occurs.

 

Conclusion

In the event of a Personal Data Breach Incident, businesses are racing against the clock to take remedial measures and to fulfill their notification obligations to the Supervisory Authorities and/or the affected individuals. Having a well-rehearsed data incident response plan in place, with clear and workable processes and workflows, is especially helpful and time-saving (and a lifesaver too) in such a situation.

Businesses with a lasting commitment to data security and to users’ personal data privacy should maintain a highly organized, well-tailored and constantly evolving data protection program to address the data breach risks they face. Over time, this builds users’ trust and loyalty, empowers employees, and gives the business a competitive edge in the long run.

 

 



[1] The threshold number is yet to be confirmed by a binding law. For reference, Article 11 of the Draft Network Data Security Management Regulation (a supplementary regulation to the PIPL), released on November 14, 2021 to solicit public opinion, sets the threshold as “more than 100,000 individuals (are affected)”.

[2] See Article 11 of the Draft Network Data Security Management Regulation (a supplementary regulation to the PIPL), released on November 14, 2021 to solicit public opinion.

[3] Ibid.

[4] See Article 10.2 of the Information Security Technology—Personal Information Security Specification (GB/T 35273-2020), effective on October 1, 2020.

[5] See Article 10.1 of the Information Security Technology—Personal Information Security Specification (GB/T 35273-2020), effective on October 1, 2020.

