Data Privacy Regulations That Are Applicable to Cloud Computing in China
In the area of data and privacy regulation, PRC law currently has the following major sources: (i) national laws, (ii) administrative regulations and rules, and (iii) national standards.
At the level of national laws, the Cyber Security Law of the PRC (CSL), the Data Security Law of the PRC (DSL), and the Personal Information Protection Law of the PRC (PIPL), are three fundamental laws regulating data and privacy issues, which are applicable to cloud computing and relevant data processing activities in the PRC.
Those three national laws are implemented mainly by administrative regulations, rules and regulatory documents issued by the competent regulatory governmental agencies. For example, the Measures on Assessing the Security of Cloud Computing Services specifies the security requirements of the Cyber Security Law and the Data Security Law in the scenario where the cloud computing services are provided to the administration agencies, the operators of Critical Information Infrastructure (CII) and the party offices.
In addition, the national standards, compulsory and recommended, also play an important role in implementing those three laws from the perspective of technical, organisational and law-fulfilling measures. The compulsory standards establish the minimum requirements for legal compliance, while the recommended standards showcase best practices. For example, the Information security technology – Security guidance for cloud computing service (GB/T 31167-2023) provides recommendations and guidance on security management and technical measures to protect data on the cloud through its life cycle.
Another unique security requirement applicable to the cloud services hosted in China is the Multi-Layer Protection Scheme (MLPS). MLPS is a requirement imposed in accordance with Article 21 of the CSL and focuses on the infrastructure security of the cloud service that facilitates the protection of the data and personal information processed in the cloud service.
Definition of Personal Data and Sensitive Data
Note that in this guide, personal data and personal information, sensitive data and sensitive personal information are used interchangeably with the same meaning.
According to Article 4 of the PIPL, personal data refers to all types of information of identified or identifiable individuals recorded in electronic or other means, excluding anonymous information.
According to Article 28 of the PIPL, sensitive personal data refers to personal data, the leakage or illegal use of which could easily result in damage to the dignity of an individual, or harm to personal body and property, including biometric information, religion, specific identities, medical and health information, financial accounts, location tracking data, as well as the personal data of minors under the age of 14.
Requirements for Processing Personal Data in the Cloud
The data processor under the PIPL is the counterpart of the data controller under the GDPR, and the processing contractor of a data processor is the counterpart of the data processor under the GDPR. As it is inevitable to distinguish the data controller and the data processor in the cloud environment, for convenience of non-PRC readers, we are using the terms “data controller” and “data processor” of the GDPR in this guide in our responses to the questions about the PRC law.
Therefore, in this article, we are using “data controller” to refer to the “personal information processor” that can autonomously decide the purpose and method of processing data under the PRC law; and “data processor” to refer to the “processing contractor” that is processing data upon the request of the controller.
Chinese laws and regulations do not provide special requirements for processing personal data in the cloud. Processing personal data in the cloud is subject to the same requirements provided in the PIPL for processing personal data in general.
Under the PIPL, the primary requirement for processing personal data is consent or separate consent. There are also legally defined exceptional processing scenarios where no consent or separate consent is required.
Consent and the requirement
Under Article 13 of the PIPL, processing personal data should have a proper legal basis, including consent, or other legal bases that may allow for consent to be waived as illustrated below. To ensure informed consent is obtained, before processing their personal data, a controller must inform individuals truthfully, accurately, and fully of the following information in a prominent way and in clear and plain language:
Separate consent and the requirement
Under the PIPL, there are several processing activities that require separate consents, including processing sensitive personal data, cross-border transfers of personal data, providing personal data to a third party, publicly disclosing personal data, etc. While the PIPL itself lacks a precise definition of “separate consent”, practical guidance can be found in the recommended national standard GB/T 42574-2023 (Information security technology – Implementation guidelines for notices and consent in personal information processing). This standard clarifies that separate consent signifies a specific, explicit agreement given by the individual solely for a particular processing activity concerning their personal data. Crucially, it does not encompass blanket consent given for multiple processing purposes simultaneously.
Exceptional consent-waiving processing
In addition to consent, the PIPL allows data controllers to process personal data based on several alternative legal grounds:
Under these processing conditions, consent can be waived.
Obligations for Data Controllers and Processors in the Cloud Environment
Under PRC law, data controllers should undertake primary legal responsibilities regarding processing personal data, and data processors shall provide necessary assistance for compliance. That is because, in cloud services, data controllers are the customers (cloud tenants or platform users), and their technical capability to comply with the law will be subject to the technical limit provided by the cloud service providers (as data processor).
Data controller’s obligations
According to the PIPL, data controllers using the cloud services are subject to the following key obligations:
In the cloud environment, data controllers may expect data processors to provide data compliance measures or offer the technical mechanisms or flexibility to allow them to implement such measures independently. Therefore, cloud service providers, as data processors, may need to understand and anticipate such potential requirements in advance.
Data processor’s obligations
Data processors, usually the cloud service providers, are responsible for processing personal data on behalf of data controllers. Their obligations should be geared toward supporting the controller’s compliance efforts and ensuring data protection standards are upheld, including:
CSL, DSL, and PIPL provide a general framework for cross-border data transfers. In addition to those three fundamental laws, a recent regulation, the Provisions on Promoting and Regulating Cross-border Data Flows, has been in effect since March 2024, further facilitating the cross-border transfer of personal data and other types of data outside of China. These laws apply to cross-border data transfers in the cloud environment as well.
According to the above laws, data controllers should undertake the legal obligation concerning cross-border data transfers in the cloud, and data processors should comply with data controllers’ instructions concerning cross-border transfers (for example, the instruction of not transferring personal data outside of China).
Below is a summary of the key PRC laws with respect to cross-border data transfers:
Cloud providers as data processors must collaborate with data controllers to ensure that the data transfer arrangements meet Chinese regulatory requirements. This involves aligning cloud security protocols with Chinese standards and providing support for assessments that should be completed by the data controller under the regulatory mechanism. Data controllers are advised to include specific clauses in their contracts with cloud service providers to address cross-border data transfer obligations. Please see details in 3. Data Ownership and Control.
Chinese data privacy laws do not impose penalties specifically for data controllers and data processors in the cloud environment. In practice, the penalties vary depending on the role of the legal entities. Below are penalties applicable to each role under Chinese laws and regulations.
Penalties for Data Controllers
Data controllers bear primary responsibility for ensuring the legality, security, and transparency of personal data processing activities. The penalties for non-compliance include administrative penalties, civil liabilities, and criminal liabilities in severe cases.
Penalties for Data Processors
Data processors, usually cloud service providers, are responsible for processing personal data according to the instructions of the data controllers. Processors can also face significant penalties for non-compliance.
Security Measures Required by the PRC Law for Data Stored in the Cloud
The security of the cloud computing environment is jointly safeguarded by cloud service providers and their customers. The CSL requires operators to take security measures to protect the security of the cloud and services derived from it hosted in China and the data stored in the cloud:
The PIPL requires personal data controllers to take technical measures to ensure the security of personal data. Legal requirements in the PIPL apply to processing activities of personal data stored in the cloud, which are summarised below:
The Measures on Assessing the Security of Cloud Computing Services stipulates measures that cloud service providers should comply with when they are providing services to the government and party offices, and the operators of CII. Article 3 of the Measures provides that the security assessment of such cloud services should concentrate on, inter alia: (i) the security of the cloud platform technology, products and supply chain; (ii) the ability to manage security effectively and the strength of the cloud platform’s security protection measures; (iii) the feasibility and ease with which customers can transfer their data; and (iv) the business continuity of the cloud service provider.
In addition, there are a few recommended national standards concerning cloud computing services that specify security measures for cloud services. For example, the standard Information Security Technology – Security Capability Requirements for Cloud Computing Services (GB/T 31168-2023) highlights the security technical measures that cloud service providers need to deploy. There are eleven types of security measures in total, including system development and supply chain, system and communication protection, access control, data protection, management of configuration, operational maintenance, emergency response, audit, risk assessment and continuous monitoring, security management and personnel, and physical and environmental security. The goal of those measures is to ensure the confidentiality, integrity, and availability of data stored in the cloud.
Encryption Standards for Data in Transit and at Rest in the Cloud
Access Controls in the Cloud Environment
Handling of Security Accidents and Breaches in the Cloud
Data Ownership and Control in Cloud Agreements
As a basic principle in a typical cloud business, data in the cloud is owned and controlled by the cloud service customers unless otherwise agreed. The cloud service providers and the cloud service customers are recommended to specify in the cloud agreement that:
Data Subjects’ Rights Over Their Data
In the cloud environment, personal data subjects have rights to their personal data as defined in the PIPL, including the right to know and the right to decide how their personal data is processed, unless otherwise provided by the laws and regulations.
Specifically, the data subjects have the following rights:
How Can Data Subjects Exercise Their Rights to Access, Rectify, or Delete Their Data
Data subjects need to submit their requests directly to the controller. PIPL requires the data controller to establish a convenient mechanism for accepting and processing requests from personal data subjects in a timely manner.
In the cloud environment, cloud service customers may need support from cloud service providers to fulfil the data subjects’ requests concerning their personal data; for example, the right to access, rectify and delete their personal data stored in the cloud. Therefore, in the cloud agreement, the cloud service customer and the cloud service provider may specify the mechanism and procedures to deal with the personal data subjects’ requests in detail, as well as Standard Operation Procedures (SOP) that must be followed by both parties.
Article 45 of the PIPL provides data subjects with a data portability right: Where an individual requests to transfer his/her personal data to a personal data controller designated by him/her that meets the conditions stipulated by the CAC, the personal data controller shall provide a way for the transfer. The PIPL and its relevant laws have not provided details regarding how to respond to the data portability request in the cloud.
The recommended national standards, GB/T 35273-2020 Information security technology – Personal information security specification, provides the best practices regarding data portability. Upon request from the data subject, the data controller should provide a method for the data subject to obtain copies of the following types of personal data or, where technically feasible, directly transfer copies of the following types of personal data to a third party designated by the data subject: (i) basic personal information and identity information, and (ii) health and physiological information, educational and employment information.
To ensure that the right to data portability is respected, both the cloud customer and the cloud service provider are advised to clearly define in the cloud agreement how such requests will be handled.
The general legal requirement provided in the PIPL concerning data retention and deletion applies to processing in the cloud.
Conducting thorough due diligence is crucial to ensuring compliance with Chinese laws and regulations, particularly those related to data security, cybersecurity, and personal information protection. The following is a short, high-level checklist for basic due diligence based on applicable Chinese legal requirements:
A cloud service agreement is critical to ensure data protection in the cloud environment. The cloud service agreement may include the following data protection requirements. Details regarding data processing can be found in 4.3 Data Processing Agreements and the Cloud.
Article 21 of the PIPL provides the necessary coverage of a data processing agreement (DPA), which should include: the purpose, time limit and method of processing personal data, type of personal data and protection measures, as well as the rights and obligations of both parties, and mechanisms for supervising the data processor’s personal data processing activities.
According to the above law, national standards, and mainstream market practice in the PRC, a well-structured DPA should define the responsibilities of both parties. Here is an overview of how DPAs are typically structured in a cloud business in the PRC:
The recommended national standard GB/T 31167-2023 Information security technology – Security guidance for cloud computing services in its Article 9 provides guidance on how to determine proper exist strategies and data migration in practice, including:
The CSL, DSL, and PIPL stipulate the reporting obligations in the event of data breaches. In addition to these general legal requirements, the CAC, China’s data protection regulator, further refines specific reporting requirements through its regulatory rules. There are two sets of different requirements regarding personal data breaches and cybersecurity incidents, which are detailed below.
Personal Data Breaches
In the event of personal data breaches, the PIPL requires the personal data controller to notify the competent authorities in a timely manner. This enables the authorities to understand the situation at the outset and take accurate and effective regulatory measures. The specific matters to be reported are detailed in 5.3 Notifying Data Breaches.
According to Article 66 of the PIPL, personal data controllers failing to fulfil reporting obligations will be subject to administrative penalties. The penalties start with orders to rectify, warnings, confiscation of illegal gains, and orders to suspend or terminate relevant application services; refusal to correct will result in fines of up to RMB1 million. For more severe violations, higher fines may be imposed, along with suspension of business operations or revocation of relevant business licenses or permits.
Cybersecurity Incidents
In the event of cybersecurity incidents, in a proposed draft, the CAC detailed the reporting procedures and contents in Administrative Measures for the Reporting of Cybersecurity Incidents (Draft for Comments) (the “Draft”):
The Draft stipulates that network operators failing to report cybersecurity incidents as required may face legal liabilities under CSL, DSL, and PIPL, which could include orders to rectify, warnings, and fines. If competent authorities consider the circumstances severe, heavy fines or even business suspension/termination may be imposed. However, the Draft also provides that if a company has taken reasonable and necessary protective measures to minimise the harm of data breaches and proactively reported as required, liability may be exempted or mitigated accordingly. Otherwise, the personal data subjects must be notified.
While the exact timeframe for the Draft’s finalisation and implementation remains uncertain, its content and regulatory approach signal the government’s preferred handling of data breach response and reporting for network operators (including cloud service providers and customers) based or operating in the PRC.
The CSL requires network operators to formulate emergency response plans for cybersecurity incidents. When the incident happens, network operators must immediately activate the emergency response plans, take remedial measures, and report to the competent authorities.
Therefore, for cloud service providers and customers, developing an emergency response plan is crucial for investigations and remediation upon a data breach that occurred in the cloud. More information regarding data breaches can be found in 2.1 Data Security and the Cloud and 4.1 Due Diligence.
Notification Obligations Under the PIPL
Article 57 of the PIPL sets out a general notification mechanism of notification, which includes the two aspects detailed below.
Notifying personal data subjects and regulatory authorities
As a default rule under the PIPL, the personal data controller has the obligation to notify affected subjects and authorities. Notification to the authorities is mandatory, whereas notification to the personal data subjects is not.
Article 57 provides that if the personal data controllers take measures that can effectively prevent harm from the breach, they can be exempt from notifying the affected personal data subjects, unless specifically required by the authorities. The PIPL does not explicitly define a clear threshold for when notification becomes necessary. Nor does it outline specific timelines for such notifications.
Information to be notified
The notification should include information such as: (i) the categories of personal data that have been or may be leaked, altered, or lost, the causes for such incidents, and the potential harm they may cause; (ii) the remedial measures taken by the personal data controllers and the mitigation measures that personal data subjects may take; and (iii) the contact information of the personal data controller.
Key Considerations
It is important to note that the above is only a high-level legal requirement provided by the PIPL. In practice, regulators may request more extensive information based on their working rules and specific cases. Cloud service customers may want to consider the following in handling data breach notification matters:
Please refer to details in 1.2 Data Privacy and Cloud Computing.
PRC law does not have a generally applicable and absolute data localisation requirement. However, the CSL, DSL, and PIPL impose localisation requirements on certain specific types of data and outline the administrative requirements for cross-border transfers of such data.
Data localisation requirements have a direct effect on the compliance of cloud computing services. The slow and ambiguous identification of Important Data raises concerns regarding data transfers in and out of the PRC. Cloud service providers and users need to have a data compliance strategy in place that allows them to address the concern of data localisation requirements in the PRC.
Among cross-border data transfers, it is not uncommon for legal systems or judicial procedures of different jurisdictions to clash. For instance, in cross-border litigation, a US governmental agency may require a company in China to present data information in its routine regulatory check or special investigation. However, under the DSL and PIPL, submitting personal information or data stored in China to foreign law enforcement authorities is subject to prior approval from the competent Chinese regulatory authority. The approval process in China may be complex and time-consuming, making it difficult to meet the demands of the foreign law enforcement authority in a timely fashion. The conflicts of laws between different jurisdictions may therefore increase compliance costs and legal risks for multinational companies.
Addressing such an issue requires clearly understanding the nature and type of the data request from the foreign authority, and the scope and procedure of the PRC data cross-border approval. Although potentially complex and time-consuming, successful resolution involves collaboration between PRC counsel well-versed in Chinese law and foreign counsel familiar with the requesting country’s law enforcement procedures.
In China, the personal data processing compliance audit was introduced in the PIPL in 2021, and regulatory requirements related to it have been gradually taking shape since then. In 2023, the CAC released the draft Administrative Measures for Compliance Audit of Personal Information Protection (the “Audit Measures”) for public comment, but to date it has not come into effect. The Audit Measures draft applies to personal data processing activities conducted by personal data controllers in all scenarios, including cloud-based processing.
In July 2024, the national recommended standard Data Security Technology- Personal Information Protection Compliance Audit Requirements (the “Standard”) was introduced for public comment, which provides more comprehensive and practical guidance based on the Audit Measures.
Cloud service providers and cloud service customers should comply with the above in their personal data processing once they become final and effective. The following is a summary of the key aspects of personal information protection compliance audits in the Audit Measures and the Standard.
Occurrence of Compliance Audit
As an independent supervisory mechanism to confirm and ascertain a personal data controller is processing personal data in accordance with the law, a compliance audit is mandatory. Companies that process personal data are required to conduct audits on a regular basis (every one or two years, as the case may be). Audits can be performed internally by the company itself or by engaging third-party professional agencies.
Additionally, if the regulatory authorities find that there is a significant risk in the processing of personal data or if a personal data breach occurs, the authorities may require the personal data controller to engage a third-party agency for a compliance audit. This is a type of audit process triggered by regulators.
A compliance audit generally involves several processes, including audit preparation, audit implementation, audit reporting, issue rectification, and archive management.
Key Areas of Compliance Audit
The scope of a compliance audit can be very broad, covering almost all aspects of personal data processing activities and the obligations provided by the PIPL. Key areas include, but are not limited to the following:
Independence, Fairness, and Comprehensiveness of Compliance Audit
The Standard provides an essential guide to understanding and complying with the principles of independence, fairness and comprehensiveness of a compliance audit, covering aspects such as the audit process, implementation management, evidence management, qualifications of auditors, etc.
In terms of evidence management, the Standard requires that the audited party must ensure the authenticity, completeness, and validity of the evidence provided. Only evidence that meets both formal and substantive requirements can be accepted and used in the audit report.
Implementation of Compliance Audit Findings and Recommendations
The Standard highlights that once the audit report is completed and delivered, the audited party should address the identified issues within a specified timeframe. Auditors have the right to confirm the status of rectification.
Penalties for Non-compliance
Personal data controllers who fail to conduct compliance audits as required or improperly perform such audits will be subject to administrative penalties under Article 66 of the PIPL. In cases where the violation is even more severe and constitutes a crime, criminal liability may also be imposed.
36th Floor
Shanghai One ICC
No. 999 Middle Huaihai Road
Xuhui District
Shanghai 200031
China
(8621) 2310 8288
(8621) 2310 8299
vincentwang@glo.com.cn www.glo.com.cn