
Personal Data Breach Incident Notification under the PIPL


Author: Yingying Zhu, Partner of Beijing MingDun Law Firm

Email: zhu.yingying@mdlaw.cn

Date: March 16, 2022

 

Introduction

Let’s suppose you are the Data Protection Officer (“DPO”) of a multinational corporation. It’s 4 AM. Your phone is buzzing. It is the head of your Incident Response Team in China calling to tell you:

“Hi Boss, sorry to wake you up. Our system has been hacked and personal data of more than 100,000 customers living in China have been leaked to the hacker”.

You realize that something worse than a nightmare is actually happening and that action must be taken.

What should you do?

Reading this article might be helpful should you ever receive such a wake-up call.

 

Background

On November 1, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), became effective. The PIPL requires, in essence, that operators of websites, mobile applications or any other technologies that collect and process data obtain consent from users, or rely on another legitimate basis, in order to collect or process the users’ data. The PIPL also imposes on a data collector/processor the obligation to notify data breaches immediately to the relevant supervisory authorities. In certain circumstances, the affected individuals must be notified of the data breach as well.

This article primarily discusses the notification requirements for personal data breach incidents under the PIPL and its supplementary regulation and specification.

 

What constitutes a Personal Data Breach Incident?

For purposes of the PIPL, a “Personal Data Breach Incident” means a situation in which leakage, tampering or loss of personal data transmitted, stored or otherwise processed by a data collector/processor occurs or may occur.

 

Under this definition, even if the leakage, tampering or loss of personal data has not actually occurred, a reasonable likelihood that it may occur might still constitute a reportable Personal Data Breach Incident.

 

Data breach incidents can result from a hacker attack (as in the example above), an intentional act by a current or former employee of a business, or an unintentional loss or exposure of data due to employee carelessness or a malfunction in the business’ data management, retention and destruction system.

 

Who should be notified?

 

1) The Supervisory Authorities

Where a Personal Data Breach Incident affects more than a certain number[1] of identified or identifiable individuals living in China, it must be notified to the competent Supervisory Authorities in China.

The company encountering the Personal Data Breach Incident must notify the competent Supervisory Authorities without undue delay and, where feasible, no later than 8 hours[2] after becoming aware of the Personal Data Breach Incident. If the company’s report is submitted late, it must also set out the reasons for the delay.

The notification to the Supervisory Authorities must include:

· the types of personal information leaked, tampered with, or lost;

· the causes of the personal data breach incident;

· the damage that has been, or may have been, caused;

· the remedial measures taken by the company;

· the measures available to individuals to mitigate the damage; and

· the contact information of the company.

After the Personal Data Breach Incident has been resolved, the company encountering the incident should submit a second, follow-up report to the Supervisory Authorities within 5 working days[3].

 

2) The Affected Individuals

Where the company encountering the Personal Data Breach Incident is able to adopt measures that effectively avoid the harm caused, or that may be caused, by the incident, it is relieved of the duty to notify the affected individuals. However, if the competent Supervisory Authorities consider that the Personal Data Breach Incident might still cause harm to the affected individuals, they may require the company to communicate the incident to the affected individuals as soon as practically possible and to provide them with at least the following information[4]:

· a description of the nature of the Personal Data Breach Incident;

· the name and contact details of the company;

· a description of the likely consequences of the Personal Data Breach Incident;

· a description of the measures taken, or to be taken, by the company to address the Personal Data Breach Incident and mitigate its possible adverse effects;

· suggestions for the affected individuals to prevent and reduce risks on their own; and

· remedial measures to be provided to the affected individuals.

 

The affected individuals shall be informed of the relevant details of the Personal Data Breach Incident in a timely manner by email, letter, phone, push notification, etc. When it is difficult to inform the affected individuals one by one, a reasonable and effective method should be adopted to publish the warning information relevant to the Personal Data Breach Incident, such as posting a public notice on the company’s website.

 

What else should be done?

 

After detecting a Personal Data Breach Incident, the company encountering the incident shall take the following remedial measures[5] in addition to notifying the Supervisory Authorities and/or the affected individuals:

 

· record the details of the incident, including but not limited to the time and place of the incident, the person who identified the incident, the number of individuals affected, the name of the system involved, the impact on other connected systems, and whether law enforcement or a relevant authority has been contacted;

· assess the possible impact of the incident;

· take necessary measures to contain the incident; and

· eliminate hidden threats.

 

Which are the Competent Supervisory Authorities?

Unlike most EU countries, China does not have a dedicated, independent data protection authority that monitors and supervises the application of data protection law through investigative and corrective powers. This raises the difficult question of which authorities should be notified when a company encounters a Personal Data Breach Incident.

According to the PIPL, at the national level the Cyberspace Administration of China (the “CAC”) is primarily responsible for the overall supervision and management of personal data protection. In addition, sectoral authorities, such as the National Health Commission, the People's Bank of China and the China Banking and Insurance Regulatory Commission, also supervise and enforce personal data protection by regulated institutions within their respective sectors.

At the local government level, the Cyberspace Administration of “municipal-level and higher” and other in-charge authorities are responsible for performing personal data protection duties as conferred by the relevant regulations.

It follows that when a Personal Data Breach Incident does occur, the Cyberspace Administration at the “municipal level and higher” should be a company’s first point of contact for fulfilling its notification obligations to the Supervisory Authorities.

 

Key Takeaways

· Even if the leakage, tampering or loss of personal data has not actually occurred, a reasonable likelihood that it may occur means the business encountering the incident might still have a reportable Personal Data Breach Incident.

· For businesses to stay compliant with the PIPL, regulatory and professional opinions have to be consulted regardless of the scale and consequences of the Personal Data Breach Incident.

· When a Personal Data Breach Incident does occur, the Cyberspace Administration at the “municipal level and higher” should be the first point of contact among the Supervisory Authorities for a business to fulfill its notification obligations.

· If you are the DPO of a business handling large amounts of personal data with subsidiaries in different time zones, keep your phone fully charged and never turn it off. This will prevent you from missing the 8-hour notification window under the PIPL when a Personal Data Breach Incident related to China occurs.

 

Conclusion

In the event of a Personal Data Breach Incident, businesses are racing against a ticking clock to take remedial measures and to fulfill their notification obligations to the Supervisory Authorities and/or the affected individuals. Having a well-rehearsed data incident response plan in place, with clear and workable processes and workflows, is especially helpful and time-saving (and a lifesaver, too) in such a situation.

Businesses with a lasting commitment to data security and users’ personal data privacy should maintain a highly organized, well-tailored and constantly evolving data protection program to address the data breach risks they face. Over time, such a program builds users’ trust and loyalty, empowers employees, and gives the business a competitive edge in the long run.

 

 



[1] The threshold number is yet to be confirmed by a binding law. For reference, Article 11 of the Draft Network Data Security Management Regulation (a supplementary regulation to the PIPL), released on November 14, 2021 to solicit public opinion, sets the threshold at “more than 100,000 individuals (are affected)”.

[2] See Article 11 of the Draft Network Data Security Management Regulation (a supplementary regulation to the PIPL), released on November 14, 2021 to solicit public opinion.

[3] Ibid.

[4] See Article 10.2 of Information Security Technology—Personal Information Security Specification (GB/T 35273-2020) (effective October 1, 2020).

[5] See Article 10.1 of Information Security Technology—Personal Information Security Specification (GB/T 35273-2020) (effective October 1, 2020).
