Personal Data Breach Incident Notification under the PIPL


Author: Yingying Zhu, Partner of Beijing MingDun Law Firm

Email: zhu.yingying@mdlaw.cn

Date: March 16, 2022

Introduction

Let’s suppose you are the Data Protection Officer (“DPO”) of a multinational corporation. It is 4 AM. Your phone is buzzing. It is the head of your Incident Response Team in China, calling to say:

“Hi Boss, sorry to wake you up. Our system has been hacked and the personal data of more than 100,000 customers living in China has been leaked to the hacker.”

You realize that something worse than a nightmare is actually happening and that action must be taken.

What should you do?

Reading this article might be helpful in case you do receive such a wake-up call somewhere down the road.

Background

On November 1st, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), came into effect. The PIPL requires that operators of websites, mobile phone applications or any other technologies that collect and process data obtain consent from users, or have another legitimate basis, in order to collect or process the users’ data. The PIPL also imposes on a data collector/processor the obligation to notify the relevant supervisory authorities of data breaches immediately. In certain circumstances, the affected individuals must be notified of the data breaches as well.

This article primarily discusses the notification requirements for personal data breach incidents under the PIPL and its supplementary regulations and specifications.

What constitutes a Personal Data Breach Incident?

For purposes of the PIPL, a “Personal Data Breach Incident” means a situation in which leakage, tampering or loss of personal data transmitted, stored or otherwise processed by a data collector/processor occurs or may occur.

Under this definition, even where the leakage, tampering or loss of personal data has not actually occurred, if there is a reasonable degree of likelihood that it may occur, the situation might still constitute a reportable Personal Data Breach Incident.

Data breach incidents can occur as a result of a hacker attack (as in the example above), an intentional act by an individual currently or previously employed by a business, or an unintentional loss or exposure of data due to employee carelessness or a malfunction of a business’ data management, retention and destruction systems.

Who should be notified?

1) The Supervisory Authorities

Any Personal Data Breach Incident affecting more than a certain number[1] of identified or identifiable individuals living in China must be notified to the competent Supervisory Authorities in China.

The company encountering the Personal Data Breach Incident must notify the competent Supervisory Authorities without undue delay and, where feasible, no later than 8 hours[2] after becoming aware of the Personal Data Breach Incident. If the company’s report is submitted late, it must also set out the reasons for the delay.

The notification to the Supervisory Authorities must include:

·         the types of personal information leaked, tampered with, or lost;

·         the causes for the personal data breach incident;

·         the damages that have/may have been caused;

·         the remedial measures taken by the company;

·         the measures available to individuals to mitigate the damages; and

·         the contact information of the company.

After the Personal Data Breach Incident has been resolved, the company should submit a second, follow-up report to the Supervisory Authorities within 5 working days[3].

2) The Affected Individuals

Where the company encountering the Personal Data Breach Incident is able to adopt measures that effectively avoid the harm caused, or that may be caused, by the Personal Data Breach Incident, it is relieved of the duty to notify the affected individuals. However, if the competent Supervisory Authorities consider that the Personal Data Breach Incident might still cause harm to the affected individuals, they may require the company to communicate the Personal Data Breach Incident to the affected individuals as soon as practically possible and to provide them with at least the following information[4]:

·         a description of the nature of the Personal Data Breach Incident;

·         the name and contact details of the company;

·         a description of the likely consequences of the Personal Data Breach Incident;

·         a description of the measures taken, or to be taken, by the company to address the Personal Data Breach Incident and mitigate its possible adverse effects;

·         suggestions for the affected individuals to prevent and reduce risks independently; and

·         remedial measures to be provided for the affected individuals.

The affected individuals shall be informed of the relevant details of the Personal Data Breach Incident in a timely manner by email, letter, phone, push notification or similar means. Where it is difficult to inform the affected individuals individually, a reasonable and effective method should be adopted to release the warning information relevant to the Personal Data Breach Incident, such as posting a public notice on the company’s website.

What else should be done?

After detecting a Personal Data Breach Incident, the company shall take the following remedial measures[5] in addition to notifying the Supervisory Authorities and/or the affected individuals:

·         record the details of the incident, including but not limited to the time and place of the incident, the person who identified the incident, the number of individuals affected, the name of the system involved, the impact on other connected systems, and whether the law enforcement agency or a relevant department has been contacted;

·         assess the possible impact of the incident;

·         take necessary measures to control the development of the incident; and

·         eliminate hidden threats.

Which are the Competent Supervisory Authorities?

Unlike most EU countries, China does not have a dedicated, independent data protection authority that monitors and supervises the application of the data protection law through investigative and corrective powers. This raises a difficult question as to which authorities should be notified when a company encounters a Personal Data Breach Incident.

According to the PIPL, at the national level the Cyberspace Administration of China (the “CAC”) is primarily responsible for the overall supervision and management of personal data protection. In addition, sectoral authorities, such as the National Health Commission, the People's Bank of China and the China Banking and Insurance Regulatory Commission, also supervise and enforce personal data protection for regulated institutions within their respective sectors.

At the local government level, the Cyberspace Administration of “municipal-level and higher” and other in-charge authorities are responsible for performing personal data protection duties as conferred by the relevant regulations.

It can be concluded that when a Personal Data Breach Incident does occur, the Cyberspace Administration of “municipal-level and higher” should be the first point of contact for a company to fulfill its notification obligations to the Supervisory Authorities.

Key Takeaways

·         Even where the leakage, tampering or loss of personal data has not actually occurred, if there is a reasonable degree of likelihood that it may occur, the business might still have a reportable Personal Data Breach Incident.

·         To stay compliant with the PIPL, regardless of the scale and consequences of the Personal Data Breach Incident, businesses have to consult regulatory and professional opinions.

·         When a Personal Data Breach Incident does occur, the Cyberspace Administration of “municipal-level and higher” should be the first point of contact at the Supervisory Authorities for a business to fulfill its notification obligations.

·         If you are a DPO of a business handling large amounts of personal data with subsidiaries in different time zones, you should keep your phone fully charged and never turn it off. This will prevent you from missing the 8-hour window of notification under the PIPL when encountering a Personal Data Breach Incident related to China.

Conclusion

In the event of a Personal Data Breach Incident, businesses are racing against the clock to take remedial measures and to fulfill their notification obligations to the Supervisory Authorities and, where applicable, to the affected individuals. Having a well-rehearsed data incident response plan in place, with clear and workable processes and workflows, would be especially helpful and time-saving (and a lifesaver too) in such a situation.

Businesses with a lasting commitment to data security and users’ personal data privacy should maintain a highly organized, well-tailored and constantly evolving data protection program to address the data breach risks they face, which will in time build up users’ trust and loyalty, empower employees, and give the business a competitive edge in the long run.

[1] The threshold number is yet to be confirmed by a binding law. For reference, Article 11 of the Draft Network Data Security Management Regulation (a supplementary regulation to the PIPL), released on November 14, 2021 to solicit public comments, sets the threshold at “more than 100,000 individuals (are affected)”.

[2] See Article 11 of the Draft Network Data Security Management Regulation (a supplementary regulation to the PIPL), released on November 14, 2021 to solicit public comments.

[3] Ibid.

[4] See Article 10.2 of the Information Security Technology—Personal Information Security Specification (GB/T 35273-2020) (effective October 1, 2020).

[5] See Article 10.1 of the Information Security Technology—Personal Information Security Specification (GB/T 35273-2020) (effective October 1, 2020).

