Language

Personal Data Breach Incident Notification under the PIPL


Author: Yingying Zhu, Partner of Beijing MingDun Law Firm

Email: zhu.yingying@mdlaw.cn

Date: March 16, 2022

 

Introduction

Let’s suppose you are a Data Protection Officer (“DPO”) of a multinational corporation. It’s 4AM in the morning. Your phone is buzzing. That is your head of Incident Response Team in China calling you and saying:

“Hi Boss, sorry to wake you up. Our system has been hacked and personal data of more than 100,000 customers living in China have been leaked to the hacker”.

You realize something worse than a nightmare is actually happening and actions should be taken.

What should you do?

Reading this article might be helpful in case you did receive such a wake-up call somewhere down the road.

 

Background

On November 1st, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), has become effective. The PIPL basically requires that the operators of websites, mobile phone applications or any other technologies doing data collection and processing should obtain consent from users or have other legitimate basis in order to collect/process the users’ data. The PIPL also imposes on a data collector/processor the obligation of immediate notification of data breaches to the relevant supervisory authorities. In certain circumstances, the affected individuals should be notified of the data breaches as well.

This article primarily discusses the notification requirements for personal data breach incidents under the PIPL and the supplementary regulation or specification.

 

What constitutes a Personal Data Breach Incident?

For purposes of the PIPL, a “Personal Data Breach Incident” means where leakage, tampering or loss of personal data transmitted, stored or otherwise processed by a data collector/processor occurs or may occur.

 

Under this definition, even though the leakage, tampering or loss of personal data has not actually occurred, if there is a reasonable degree of likelihood that a leakage, tampering or loss of personal data may occur, it might still constitute a reportable Personal Data Breach Incident.

 

Data breach incidents can occur as a result of a hacker attack (as in the example demonstrated in the above), an intentional operation by an individual currently or previously employed by a business, or an unintentional loss or exposure of data due to carelessness of employees or malfunctioning of a business’ data management, retention and destruction system.

 

Who should be notified?

 

1) The Supervisory Authorities

Wherever there is a Personal Data Breach Incident affecting more than a certain number[1] of identified or identifiable individuals living in China, it needs to be notified to the competent Supervisory Authorities in China.

The company who is encountering the Personal Data Breach Incident must notify the competent Supervisory Authorities without undue delay and, where feasible, no later than 8 hours[2] immediately after becoming aware of the Personal Data Breach Incident. If the company’s report is submitted late, it must also set out the reasons for the delay.

The notification to the Supervisory Authorities must include:

·         the types of personal information leaked, tampered with, or lost;

·         the causes for the personal data breach incident;

·         the damages that have/may have been caused;

·         the remedial measures taken by the company;

·         the measures available to individuals to mitigate the damages; and

·         the contact information of the company.

After the Personal Data Breach Incident has been resolved, the company who is encountering the Personal Data Breach Incident should submit a second report as a follow-up to the Supervisory Authorities within 5 working days[3].

 

2) The Affected Individuals

Where the company who is encountering the Personal Data Breach Incident is able to adopt measures to effectively avoid harm caused/may have been caused by the Personal Data Breach Incident, this will relieve the company of the duty to notify the affected individuals. However, if the competent Supervisory Authorities consider that the Personal Data Breach Incident might still cause harm to the affected Individuals, then the Supervisory Authorities may require the company to communicate, as soon as practically possible, the Personal Data Breach Incident to the affected individuals and to provide them with at least the following information[4]:

·         a description of the nature of the Personal Data Breach Incident;

·         the name and contact details of the company;

·         a description of the likely consequences of the Personal Data Breach Incident;

·         a description of the measures taken, or to be taken, by the company to address the Personal Data Breach Incident and mitigate its possible adverse effects;

·         suggestions for the affected individuals to prevent and reduce risks independently; and

·         remedial measures to be provided for the affected individuals.

 

The affected individuals shall be informed of the relevant information of the Personal Data Breach Incident in a timely manner by email, letter, phone, or push notification, etc.  When it is difficult to inform the affected individuals on a one-by-one basis, a reasonable and effective method should be adopted to release about the warning information relevant to the Personal Data Breach Incident, such as posting a public notification on the company’s website.

 

What else should be done?

 

After detecting a Personal Data Breach Incident, the company who is encountering the incident shall take the following remedial measures[5] in addition to notifying the Supervisory Authorities and/or the affected individuals:

 

·         record the content of the incident, including but not limited to the time and place of the incident, the person who identifies the incident, the number of individuals affected by the incident, the name of the system involved, the impacts on other connected systems, and whether the law enforcement agency or a relevant department has been contacted

·         assess the possible impact of the incident;

·         take necessary measures to control the development of the incident; and

·         eliminate hidden threats.

 

Which are the Competent Supervisory Authorities?

Unlike most EU countries, China does not have a dedicated and independent data protection authority that monitors and supervises, through investigative and corrective powers, the application of the data protection law. It therefore poses a difficult question as to which authorities should be notified when a company is encountering a Personal Data Breach Incident.

According to the PIPL, at the national level, the Cyberspace Administration of China (the “CAC”) is primarily responsible for the overall supervision and management of personal data protection. In addition, sectorial authorities, such as the National Health Commission, the People's Bank of China, the China Banking and Insurance Regulatory Commission, etc., also supervise and enforce personal data protection of regulated institutions within their respective sector of regulation.

At the local government level, the Cyberspace Administration of “municipal-level and higher” and other in-charge authorities are responsible for performing personal data protection duties as conferred by the relevant regulations.

It can be concluded that when a Personal Data Breach Incident does occur, the Cyberspace Administration of “municipal-level and higher” should be the first point of contact for a company to fulfill its notification obligations to the Supervisory Authorities.

 

Key Takeaways

·         Even though the leakage, tampering or loss of personal data has not actually occurred, if there is a reasonable degree of likelihood that a leakage, tampering or loss of personal data may occur, the business who is encountering the incident might still have a reportable Personal Data Breach Incident.

·         For businesses to stay compliant with the PIPL, despite the scale and consequences of the Personal Data Breach Incident, regulatory and professional opinions have to be consulted.

·         When a Personal Data Breach Incident does occur, the Cyberspace Administration of “municipal-level and higher” should be the first point of contact at the Supervisory Authorities for a business to fulfill its notification obligations.

·         If you are a DPO of a business handling large amounts of personal data with subsidiaries in different time zones, you should keep your phone fully charged and never turn it off. This will prevent you from missing the 8-hour window of notification under the PIPL when encountering a Personal Data Breach Incident related to China.

 

Conclusion

In the event of a Personal Data Breach Incident, businesses are running against a ticking clock to take remedial measures and to fulfill their notification obligations both to the Supervisory Authorities and/or to the affected individuals. Having a well-rehearsed data incident response plan in place, with clear and workable processes and workflows would be especially helpful and timesaving (and a lifesaver too) in such a situation.

For businesses with everlasting commitments to data security and users’ personal data privacy, they should have a highly organized, well-tailored, constantly evolving data protection program to address the data breach risks they face, which will in time build up users’ trust and loyalty, empower employees, and produce a competitive edge for the businesses in the long run.

 

 



[1] The threshold number is yet to be confirmed by a binding law. For reference, Article 11 of the Draft Network Data Security Management Regulation (a supplementary regulation to the PIPL), released on November 14, 2021 to solicit for public opinions, sets the threshold as “more than 100,000 individuals (are affected)”.

[2] See Article 11 of the Draft Network Data Security Management Regulation (supplementary regulation to the PIPL), released on November 14, 2021 to solicit for public opinions.

[3] Ibid.

[4] See Article 10.2 of The Information Security Technology—Personal Information Security Specification (GB/T 35273-2020) (effective on Oct.1 2020).

[5] See Article 10.1 of The Information Security Technology—Personal Information Security Specification (GB/T 35273-2020) (effective on Oct.1 2020).


  • Related information More
  • 点击次数: 1000015
    2024 - 02 - 23
    Author: Yingying Zhu, Partner at BEIJING MINGDUN LAW FIRMEmail: zhu.yingying@mdlaw.cnDate: February 21, 2024Introduction There is a motto that you might be told as a kid: no one is born a winner; everyone is born a chooser-making choices as to who you want to be. However, when you grow up, you find that, sometimes with great frustration, this motto might not be true because some people are born with a sliver spoon in mouth while others are not as lucky. In the commercial world, there are products who are born winners-those with a Geographical Indication (hereinafter, the “GI”) which is a sign that identifies products that originate from a specific geographic location and possess certain qualities or reputation due to their origin. Some examples of domestic GIs in China are Kweichow Mo...
  • 点击次数: 1000018
    2024 - 01 - 18
    Author: Yingying Zhu, Partner at BEIJING MINGDUN LAW FIRMEmail: zhu.yingying@mdlaw.cnPublished: January 17, 2024China has a multiagency system for protecting geographical indication (GI) products. GIs can be registered as collective or certification trademarks before the China National Intellectual Property Administration (CNIPA). GI products can also gain protection from the former General Administration of Quality Supervision, Inspection and Quarantine. Primary products produced through farming can be protected as GIs of agricultural products before the Ministry of Agriculture and Rural Affairs. This multiagency system has proven to be burdensome, inconvenient, and sometimes confusing, especially to foreign GIs.To address resounding calls for reform, on September 18, 2023, CNIPA released...
  • 点击次数: 1000018
    2024 - 01 - 10
    Author: James LiuMain Trademark Legislation in China in 2023 1. The Standard for the Circumstances for Suspension of Review cases 2. Pre-filing of administrative litigation cases against review of refusals grant the plaintiff 12 months (not extendable)3. Measures for the Implementation of the Provisions on the Administration of Enterprise Name Registration 4. Convention on the Abolishment of the Legalization Requirements for Foreign Public Documents will come into effective in China5. Notice on comprehensively implementing online filing for opposition cases6. Draft Amendments to Chinese Trademark Law in 2023  1. On June 13, 2023, the Trademark Office under the CNIPA published the Interpretation on the Standard for the Circumstances for Suspension of Revie...
  • 点击次数: 9
    2023 - 10 - 20
    Author: jia chang ZhangIntroductionWith the development of science and technology, the patentability of biotechnology, especially human genes, has always been in dispute. Proponents argue that human genes should be patented without restriction, and that any possible challenges and concerns can be addressed by patent standards. This article will first analyz patent systems in the United States and Europe to examine the patentability of genes, and the role of patent standards in protecting human genetic development. Then focus on evaluating the legitimate concerns raised by opponents about human gene patents and assesses whether the three criteria for patents can fully solve existing problems. Finally, by introducing the unique licensing system in Canada, a new solution to the problem of hum...
× WeChat official account
Beijing Mingdun Law Firm www.mdlaw.cn
Copyright 2008 - 2020 Beijing Mingdun Law FirmRhino Cloud Provides Enterprise Cloud Services
X
1

QQ设置

3

SKYPE 设置

4

阿里旺旺设置

5

电话号码管理

6

二维码管理

展开