Helpful guidance on some previously uncertain areas of China data protection compliance programmes has been provided by the Administrative Measures for Personal Information Protection Compliance Audit (Draft for Comment) (“Draft Measures”), which were published for public consultation on 3 August 2023 by the Cyberspace Administration of China (“CAC”).
The Draft Measures propose to introduce or flesh out other compliance requirements contained in the PIPL. For example:
- Automated Decision-Making: where a data controller uses personal data to conduct any automated decision-making, it must proactively inform data subjects in advance of the types of data processed and the potential impact of the automated decision-making. It must also conduct security and ethics assessments of the algorithms and parametric models, record all manual intervention involved in the annotation management and model training processes to prevent manipulation, and enable data subjects to amend or delete customised tags in order to opt out. This will, therefore, require more in-depth privacy notices than businesses may be used to providing in China.
- Publicly Available Data: where a data controller processes personal data obtained from public sources, it must stop the processing (even if the processing is comparable with the original purpose) once it receives the data subject’s objection. As such, data controllers should be more conservative when relying on the lawful basis of “publicly available data” for processing. Assessing the original purpose for which the data was published becomes critical. This is important to note for any data scraping activities.
- Monitoring of overseas data recipients/processors: when determining whether a data controller has taken sufficient measures to ensure its overseas data recipients satisfy the PIPL data protection standards, the following factors shall be considered: whether the data controller has conducted proper due diligence on the data protection capability of the overseas recipients, whether the data controller has clearly communicated the PIPL requirements and standards to the overseas recipients, whether sufficient contractual obligations have been imposed on the overseas recipients to comply with PIPL requirements, and whether the data controller conducts periodic audits and continues to monitor the overseas recipients’ processing activities. This aligns with controls to monitor recipients under C2C and C2P transfers in other data protection laws.
- Governance: a data controller must establish a proper internal data protection framework. Must-have supporting policies and procedures include at least: a data classification policy, a data incident response policy, a personal information impact assessment policy, data subject request handling procedures and data protection training plans. International businesses should already have tailored their existing global policies for China purposes.
- Data incident notification: it is clarified that data incidents must be reported to the internal data protection departments or teams within 72 hours, which seems to suggest that the data controller may have a longer time to report incidents to the CAC than under other data protection frameworks.
- Role of the DPO: although the Draft Measures still do not clarify the processing threshold that requires a data controller to appoint a DPO, they provide that a DPO must have the authority to coordinate the work of the data protection team and other internal data protection stakeholders, have the right to raise suggestions and comments before the data controller makes any major decisions concerning data processing activities, and have the power to request suspension of non-compliant processing activities and order internal remediation measures. All of this indicates that the DPO should be a relatively senior position within an organisation.
The public consultation on the Draft Measures closes on 2 September 2023.