China’s Shenzhen City Enacted Regional Data Regulation
China Data Protection Alert
Shenzhen, a leading financial and manufacturing center in China and home to Chinese internet and technology giants such as Huawei, Tencent and DJI, enacted its regional data protection law, the 'Data Regulation of the Shenzhen Special Economic Zone' (Shenzhen Data Regulation), on June 29, 2021. The Shenzhen Data Regulation will take effect on January 1, 2022.
In 2020, the National People’s Congress (China’s top legislative body) authorized Shenzhen to explore systems for data property rights, data privacy, government data sharing and data transactions. The Shenzhen Data Regulation is the milestone of that exploration and the first comprehensive data protection legislation in China. In this article, we provide the highlights of the regulation.
1. Data Rights. The Shenzhen Data Regulation clarifies that a natural person holds personality rights and interests in his/her personal data, including the right to informed consent and the rights to supplement, rectify, delete, access and copy his/her personal data. At the same time, the regulation confirms that natural persons, legal persons and organizations without legal personality hold property rights in the data products and services they create through data processing activities, which permits transactions in such data products and services as long as the underlying data were obtained with lawful authorization.
2. Data Processing Criteria. The Shenzhen Data Regulation provides comprehensive rules for data processing activities, drawing on existing laws and regulations (e.g. the Civil Code and the Cybersecurity Law), the recommended national standards, and the draft Personal Information Protection Law (PIPL, which is expected to be enacted in 2021). Like the national laws, the regulation provides that the processing of personal data shall have a clear and justified purpose, adopt lawful methods and follow the principle of data minimization. That said, the regulation makes several important developments worth noting:
(1) Five Data Minimization Tests. The Shenzhen Data Regulation requires that personal data processing be limited to the minimum scope necessary to achieve the processing purpose, adopt the method with the least impact on personal rights and interests, and not involve any personal data processing irrelevant to the processing purpose. To further explain the data minimization principle, the regulation sets out the following five specific tests through which data minimization is to be achieved:
- The categories and scope of personal data shall be directly related to the processing purpose, that is, the purpose cannot be achieved without processing such personal data;
- The amount of personal data processed shall be the minimum required to achieve the processing purpose;
- The frequency of data processing shall be the lowest required to achieve the processing purpose;
- The retention period of personal data shall be the minimum required to achieve the processing purpose. Once the retention period expires, the personal data shall be deleted or anonymized, unless laws and regulations provide otherwise or the data subject’s consent is obtained;
- An access control policy based on minimum authorization shall be established, so that only authorized persons may access personal data, and each person is authorized to access only the minimum amount of personal data required to fulfill his/her responsibilities.
(2) Privacy Notice. The Shenzhen Data Regulation strengthens the “informed consent” requirement by expanding the scope of the privacy notice that any data processor must provide to data subjects before processing. In addition to the information required by the national laws, the regulation also requires a data processor to inform data subjects of the data security risks of the personal data processing activities and of the data security measures the data processor has adopted for the personal data.
(3) Lawful Processing Grounds. The regulation specifies that processing HR data within a reasonable scope for HR management or trade secret protection purposes does not require the data subject’s consent.
(4) Special Categories of Personal Data. The Shenzhen Data Regulation also establishes special rules for certain special categories of personal data, such as children’s data and biometric data[1]. For example, the regulation requires that the data processor provide an alternative to any solution that relies on processing biometric data.
(5) Restrictions on Data Profiling. Data profiling is allowed for the purpose of providing customized goods and services. However, a data processor is not allowed to offer customized products or services based on data profiling to minors under 14 years old, unless this is done to protect their legitimate interests and the parents’ express consent is obtained. The Shenzhen Data Regulation prohibits market entities from treating customers discriminatorily on the basis of data profiling (except in limited circumstances). Notably, the regulation does not expressly regulate automated decision making by methods other than data profiling.
3. Data Security: The Shenzhen Data Regulation sets out the technical and organizational measures a data processor shall adopt for data security, including technical measures such as anonymization, pseudonymization, data classification, encryption and disaster recovery backup, and organizational measures such as third-party agreements, security risk assessments and contingency plans. Moreover, the regulation imposes the following additional obligations on data processors that process sensitive personal data[2] or important data[3]:
(1) Processors of sensitive personal data and important data shall set up a data security governance body, appoint a person responsible for data security, and adopt special technical protection measures.
(2) The Cyberspace Administration of Shenzhen City is required to coordinate with other relevant authorities to provide enhanced protection for important data.
(3) Data processors are required to apply de-identification (pseudonymization) or anonymization to sensitive personal data and important data.
(4) Processors of sensitive personal data or important data shall perform regular risk assessments and submit the risk assessment reports to the competent authority.
4. International Data Transfer: The Shenzhen Data Regulation also specifies that a data processor shall apply for a cross-border data transfer security review and a national security review when transferring personal data or important data overseas. Unlike the national laws, the data localization and international transfer requirements appear to apply equally to ordinary data processors and to operators of Critical Information Infrastructure (CIIOs). This may signal an expansion of the scope of the cross-border data transfer security review and national security review from CIIOs to all data processors, which is more restrictive than the current national laws.
5. Legal Liabilities. The Shenzhen Data Regulation generally cites the national laws and regulations on legal liability for violations of the personal data protection and data security rules. Given that the administrative fine can be up to 5% of turnover and no more than CNY 50 million, companies have strong motivation to ensure compliance with the regulation. In addition, since the Shenzhen Data Regulation provides much more detailed rules, it will also enable law enforcement authorities to detect and investigate violations, and to impose penalties, more efficiently.
We recommend that companies with operations in Shenzhen, or other business ties to Shenzhen, pay special attention to the Shenzhen Data Regulation (and, in particular, its differences from the national laws) to ensure compliance with both the national and the Shenzhen data protection laws and regulations. For companies without business ties to Shenzhen, the regulation is still a useful indicator of the latest trends in Chinese data protection law.
[1] According to the Shenzhen Data Regulation, Biometric Data refers to personal data that can uniquely identify a natural person, including genes, fingerprints, voiceprints, palm prints, auricles, irises, facial recognition features, etc.
[2] According to the Shenzhen Data Regulation, Sensitive Personal Data refers to personal data that, once leaked, illegally provided or abused, may lead to discrimination against the natural person or pose a severe threat to the natural person’s health, safety or assets. According to the draft PIPL, Sensitive Personal Data includes race, ethnicity, religion, biometric data, medical and health data, financial accounts, personal location, etc.
[3] According to the Data Security Law, the Chinese cybersecurity administration authority is authorized to issue the list of important data, and regional authorities and sectoral regulators may issue lists of important data applicable to their specific region or sector.