China Data Protection Update and Deep Dive (4): Accountability and breach notifications

1. Accountability

Data governance is at the heart of the Draft PI Protection Law. Personal Information processors ("PI Processors") are required to adopt a number of data governance measures to demonstrate compliance with the Draft PI Protection Law and reduce the risks of data breach. The key requirements are:

(a) Data Protection Officer ("DPO") (Article 51)

PI Processors that process a specified volume of personal information are required to appoint a DPO who will be responsible for monitoring data protection compliance of the activities and data protection measures of the PI Processors. In addition, the name and contact details of the DPO should be publicised and reported to the data protection authority.

It appears that, unlike the GDPR where the requirement of a DPO would be based on a number of other considerations, the volume of personal information processed seems to be the only factor for considering whether a DPO is required to be appointed in China. However, there is no further guidance on this threshold amount. In addition, there is currently also no guidance on whether this DPO needs to be a member of staff or a hired contractor, and whether it is a dedicated role. These details are essential for organisations to plan the right resource and expertise to carry out the required duties.

In addition, in circumstances when the Draft PI Law applies to organisations on an extra-territorial basis, PI Processors that do not have a presence in China will be required to appoint a local representative to handle matters relating to personal information processing. For further details please refer to our first newsletter on the Draft PI Protection Law.

(b) Data Protection Impact Assessments (DPIA) (Article 54)

The Draft PI Protection Law legalises the requirements under the existing non-binding national standards on personal information protection (the "PI National Standards") relating to adopting data protection impact assessments ("DPIA") in certain specified circumstances. The aim of DPIAs is to assess, identify and minimise non-compliance risks. Again, this is a concept that is not alien to those already familiar with similar requirements under other data protection regimes, in particular the GDPR, where conducting a DPIA would be mandatory prior to "high risk" processing activities. However, under the Draft PI Protection Law, the circumstances requiring DPIA to be conducted will likely be much broader. In particular, PI Processors are required to conduct a DPIA prior to:

• Processing of sensitive personal information;
• Using personal information for automated decision-making that involves profiling of individuals' behaviour;
• Appointing third party processors for processing of personal information;
• Sharing of personal information with third parties or to the public;
• Transfer of personal information to overseas territories; and
• Other data processing activities that will have significant impact on data subjects.

The requirement to conduct a DPIA in circumstances of any data sharing and appointment of third party processors will increase the burden of PI Processors. In addition, in relation to cross border transfer of personal information, this DPIA seems to be separate from the "security assessment" that needs to be conducted separately for cross border transfer (if required) (see our newsletter on Deep-Dive (1) of the Draft PI Protection Law). Unlike the GDPR, there is no mechanism for consulting with the data protection authority before commencing data processing activities that involves a high level of unmitigated risks, but PI Processors are required to keep records of the DPIA, together with records of such related processing activities, for at least three (3) years.

(c) Records of Processing Activities

It is interesting to note that the Draft PI Protection Law does not legalise the requirement under the PI National Standard for PI Processors to generally maintain Records of Processing Activities ("RPA") (which is required under the GDPR). The only records of processing that needs to be maintained appear to only relate to those processing activities mentioned in (b) above where a DPIA would need to be conducted. It remains to be seen whether a more general RPA obligation may be imposed when the law is finalised but it is nevertheless good data governance practice for PI Processors to keep and maintain an RPA for monitoring data flow and processing.

(d) Data Protection Audits (Article 53)

Separate from a DPIA, which is required to be conducted prior to certain data processing activities, the Draft PI Protection Law requires data protection audits to be conducted after implementation of data processing activities, on a regular basis. This is consistent with the current audit requirement under the PI National Standard, although the Draft PI Protection Law further provides that the data protection authority has the right to request PI Processors to appoint professional organisations to conduct such audit.

There is currently no specific guidance on how frequent the audits would need to be conducted to satisfy the requirement of conducting the audit on a "regular basis". In addition, data protection audits are not limited to only specific types of processing activities but to all data processing activities of a PI Processor in general. This is likely going to create an additional burden on PI Processors given that they are unlikely going to have the expertise nor the resources to conduct the audits internally.

(e) Certification

To demonstrate compliance with data protection obligations, obtaining a "certification of compliance" is likely to be a reliable assurance for PI Processors. The Draft PI Protection Law introduces for the first time a means of obtaining "certification" from professional bodies as one of the grounds for transfer of personal information outside of China (see further discussion in our newsletter on Deep Dive (1) of the Draft PI Protection Law). Related to this is that, as mentioned in (d) above, professional bodies may be appointed to conduct data protection audits. Although currently of limited application, and many questions remain unanswered (e.g. the accreditations for certification bodies and the criteria for certifications are yet to be developed), this is likely going to be an area that will be of much interest to PI Processors seeking to obtain a "seal of compliance" from recognised certification bodies.

2. Breach notifications

For DPOs managing data protection compliance in multinational organisations, understanding the security and breach notification requirements under different data protection regimes and acting upon such requirements are very often the key issues that keep them awake at night. Article 55 of the Draft PI Protection Law provides that in case of an incident involving unauthorised disclosure of personal information, PI Processors should "immediately" conduct remedial measures and notify the data protection authority and relevant affected individuals. Although a PI Processor may choose not to notify the affected individuals if it is able to "effectively" prevent harm caused by the disclosure, the data protection authority may override this determination and nevertheless request the PI Processor to notify the affected individuals if the authority is of the view that the disclosure will cause harm to the affected individuals.

The current draft provisions raise a number of questions. Although there is no prescribed time limit for making notifications (which might come as a relief to many), it is still unclear what standard would be used to determine that remedial actions and notifications have been made "immediately". In addition, it would appear that the notification obligations apply to any unauthorised disclosure of personal information. Unlike the GDPR, even though a PI Processor may make a discretion not to notify the affected individuals if it determines it has taken effective measures to prevent harm caused by the disclosure, a PI Processor would still be required to notify the data protection authority. It also remains to be seen how these provisions will reconcile with the current notification requirements under PI National Standard and related security incident reporting regulations (which provide for "graded" notification obligations depending on severity of breach).

In relation to the content of the notification, this will need to include information relating to the cause of the breach incident, the types of personal information affected and the potential harm caused by the breach, the remedial actions taken by the PI Processor, the measures that affected individuals may take to reduce the harm caused by the breach, and the contact information of the PI Processor. These are very similar to the requirements in other data protection regimes.  

Observations

The accountability obligations under the Draft PI Protection Law mean that organisations will likely be required to place data governance as a core part of their operations. In relation to data breach notification obligations, the current provisions under the Draft PI Protection Law appear to have very wide application even though there is no stringent time bar on the notification requirements. Such obligations will likely pose a burden on organisations that have not previously assigned responsibility and budget for data governance and compliance. However, for those that are already used to adopting such measures (e.g. those that are already complying with the GDPR), most of the obligations set out in the Draft PI Protection Law should come with little surprise, yet a number of clarifications would still be needed on the detailed requirements before organisations will be able to sensibly adapt their operations to meet the local requirements.

Missed our previous newsletters? Click here for the Overview of China’s Draft Personal Information Protection Law and Part 1, Part 2 and Part 3 of our four part Deep Dive series.