Hi privacy pros. Happy September. While the summer heat is easing, the data privacy landscape in greater China remains as hot and dynamic as ever, with several key regulatory developments taking shape.
On 30 Aug., China's Network Data Security Management Regulation draft was approved during a State Council meeting chaired by Premier Li Qiang. The draft regulations were first circulated for public consultation in 2021 and contain detailed provisions on personal information protection, security of important data, cross-border data transfers and compliance obligations for internet platform operators.
One notable requirement is the establishment of a data classification and categorization system. Businesses will be required to classify their data into three categories: general data, important data and core data, with corresponding organizational and technical measures to be applied based on the sensitivity of each category.
Although formally approved by the State Council, the Network Data Security Management Regulation still needs to go through additional legislative procedures before coming into effect, likely within the next three to four months. Now is the time for businesses to begin preparing for these changes.
Following approval of the regulation, the Beijing government released the Beijing Free Trade Zone Negative List for Cross-Border Data Transfers on 30 Aug. This offers long-awaited guidance and clarity on the management of important data. Although it applies specifically to the Beijing Free Trade Zone, it can serve as a valuable reference for other free trade zones (FTZs) across China.
In March 2024, China introduced the Regulations on Promoting and Regulating Cross-Border Data Transfers, which significantly relaxed compliance requirements for data transfers out of the country. Under these new regulations, certain data transfer scenarios are exempt from regulator-led security assessment, standard contractual clauses, or third-party certification.
Even in cases where exemptions don't fully apply, the thresholds for compliance have been eased, resulting in simpler procedures and faster timelines for completing cross-border data transfer processes.
One key feature of the March Regulations is that FTZs are empowered to develop local rules that provide additional flexibility beyond the national framework. FTZs in Shanghai and Tianjin have already led the way by issuing their own cross-border data transfer (CBDT) White and Negative Lists, with Beijing's Negative List being the most recent development in this area.
Compared to the lists from Shanghai and Tianjin, Beijing's CBDT Negative List marks a significant advancement. Taking a phased and practical approach, Beijing has prioritized five pilot industries: automotive, aviation, pharmaceuticals, retail/modern services and artificial intelligence. The Beijing List provides detailed and practical descriptions of various data transfer scenarios, including automotive research and development, connected vehicle information services, clinical trials, pharmacovigilance, aviation repairs, membership management, and large language model training.
The recent advancements in China's FTZs clearly demonstrate the country's intent to strike a balance between promoting the digital economy and addressing data security and personal information protection.
Significant developments in personal data protection have also occurred in Hong Kong. On 22 Aug., the Office of the Privacy Commissioner for Personal Data issued updated versions of the Code of Practice on the Identity Card Number and Other Personal Identifiers, along with the Compliance Guide for Data Users and an information leaflet titled "Your Identity Card Number and Your Privacy."
These resources aim to help businesses meet compliance requirements under the code regarding the collection, accuracy, retention, use and security of identity card numbers, copies of ID cards, and other personal identifiers.
The updated compliance guide and information leaflet offer practical examples and clear insights to help businesses better understand their obligations under the code, ensuring more effective protection of HKID card information as personal data. While the collection of HKID card numbers or copies is permitted for certain purposes under the code, it is essential to handle this sensitive data with care. Proper management not only strengthens trust with customers but also significantly reduces the risk of data breaches.
Until next time.
Barbara Li, CIPP/E, is a partner at Reed Smith.