China Law Library

China Data Breach Notification Laws

Data breaches in China are on the rise despite the country’s comprehensive legislation and aggressive regulatory action. The trend concerns lawmakers, who are responding by imposing increasingly onerous rules. A 2023 report by Threat Hunter LLC counted more than 19,500 credible data breach incidents affecting 20 industries, including finance, logistics, aviation, e-commerce, and automotive. The financial sector was the worst affected; the fastest-rising industry was aviation, which appeared in the top three for the first time in 2023.

Data breaches continue to proliferate in China even as the general public becomes more aware of data security and organizations increase their cybersecurity spending. A 2021 report by the China Academy of Information and Communications Research stated that the number of data breaches in 2020 alone exceeded the combined total for the previous 15 years, and that China is in a data security “crisis.” Experts expect the crisis to deepen in the coming years despite this widespread recognition of the problem.

Contents

Data Breach Notification Policy Requirements

Your Liability for a Data Breach

Data Breach Response Plans

Regulatory Reporting Threshold Requirements

Data Breach Notification Policy Requirements

Under Chinese law, a data breach notification policy is the process by which a business must give legal notice to affected individuals and to regulatory agencies that a data breach has occurred. The purpose is to protect affected individuals’ rights to privacy and data protection by giving them an opportunity to mitigate the risk or damage. The reporting requirement enables regulatory agencies to exercise oversight of data breach incidents and to hold businesses accountable.

The policy requires a business affected by a data breach to proactively notify affected individuals and the relevant Chinese regulatory agencies, and to include information about the affected data, the causes, the risks, the mitigation steps underway, what individuals can do to protect themselves, and how to contact the business. The notification must be delivered by an “effective” means, such as email, SMS, phone, or postal mail; in addition, a written incident report must be filed with the regulatory agency as required by law.

The Information Security Technology – Personal Information Security Standards further recommend that businesses contact affected individuals one by one, by mail or other reasonable means, to distribute the response information. The China Personal Information Protection Act also provides exemptions from its individual-notification requirement where the measures taken can effectively prevent harm. Businesses should be cautious before relying on this exemption, however, because the law gives no meaningful definition of “effectively preventing harm.”

The China Personal Information Protection Act § 57 requires a data controller to take technical or business measures to remedy a breach, and imposes additional liability both for failure to fix the issue and for failure to notify. No penalty arises from giving notice: the Act also provides that a business that properly provides notification is excused from such liability.

The legislative intent behind this liability waiver reflects a Chinese cultural phenomenon in which businesses fear being punished for following through with their data breach notification policy. Policymakers see this reticence as undesirable, because it incentivizes inaction and allows the data breach to worsen. Following the Act’s rules for your data breach notification policy therefore significantly reduces losses not only for your users and employees in China, but for the business itself.

As can be seen, China has long and detailed written standards governing data privacy, together with deep unwritten legislative and regulatory expectations about your duty to protect the privacy of Chinese consumers, business partners, and employees. To navigate these challenges, consider getting help from CBL.

Your Liability for a Data Breach

The CAC Cybersecurity Incident Reporting Administrative Procedures (Draft Version) classify all breaches of data and personal information as a “major cybersecurity incident.” Whenever a data breach occurs, or is merely likely to have occurred, the business’s notification obligation is triggered. China’s personal information protection law and cybersecurity law both require data controllers to notify the lead agency and users in the event of a breach.

Recall that Chinese legislators decided that a data breach is not in itself a violation of law, because treating it as one would render the data breach notification policy pointless and even discourage businesses from following it. Instead, the law imposes a separate duty to notify that is distinct from the data security obligations. The concept can be confusing, but it is similar to the GDPR’s approach, under which a breach is not automatically illegal. Despite common misconceptions, it is a keystone of China’s approach to data privacy.

The following are the four fact patterns under which legal liability is, or is not, imposed under Chinese law after a data breach:

  • Performs both data breach notification and data security assurance obligations = no liability
  • Performs data breach notification but does not perform data security assurance = liability for not performing data security assurance
  • Does not perform data breach notification but does perform data security assurance = liability for not providing notice
  • Does not perform either data breach notification or data security assurance = liability for failure to provide notice and failure to perform data security assurance.

The data breach notification policy is the mechanism that triggers the sharing of information about the breach; its purpose is to ensure that all stakeholders have an opportunity to act in response to the hazard.

Since a data breach creates major risks, the legal policy behind the notification requirement is to enable people to act before even more serious harm occurs, and to remove any incentive to cover up the incident.

The result Chinese legislators want from widespread adoption of data breach notification policies is that the harmful consequences of data breaches are greatly reduced, and that breaches come to be treated as everyday risks jointly controlled by government, business, users, and professional service firms. Policymakers want to avoid a vicious cycle in which businesses act only once they have been exposed, or in which incidents are never exposed and the damage is done anyway.

Data Breach Response Plans

In addition to notification, Chinese law imposes requirements for security incident prevention and response. China’s data privacy statutes and the Reporting Procedures require businesses to guard against data breach incidents by having response plans and risk assessments in place; the response plan is what allows a business to address a data security incident quickly. These rules are highly detailed and local, so businesses must adapt their global data privacy policies to satisfy the local jurisdiction’s requirements.

As further assurance, businesses must periodically conduct simulated emergency response exercises so that staff are familiar with the response procedure and so that problems with the plan can be identified and corrected. An incident response plan must address resolution and mitigation and must define a process for its activation that depends on the incident’s classification and grading. (The applicable China national standards are the Information Security Technology – Cybersecurity Incident Grading and Classification Guidelines and the Information Security Technology – Cybersecurity Incident Response Plan Standards.)

Regulatory Reporting Threshold Requirements

Earlier law was unclear about reporting thresholds for incident response, and in principle every data security incident had to be reported to regulators.

However, the China National Cybersecurity Incident Response Plan states that businesses must give notice whenever a data security incident substantially threatens national security or the public interest. A business can assess whether its case meets this reporting threshold by considering the type of data involved, the number and kind of people affected, and the financial damage implicated.

While the statutory rules are hazy on this subject, in practice the Cyberspace Administration of China (CAC) is the regulatory agency that usually takes reports from businesses. Other appropriate agencies include the Ministry of Industry and Information Technology, the Ministry of Emergency Management, and the regulator for the affected industry. Criminal violations occurring in connection with a security incident must be reported to a law enforcement agency. Interagency cooperation processes have not yet been defined, so businesses should check with each government agency individually to see whether a report to that agency is required, and should strictly follow regulatory officials’ directions.

The Reporting Procedures § 5 require businesses to draft an incident overview and to assist with the investigation by reporting on the systems and platforms involved, analyzing the incident, and assessing other possible impacts; evidence must also be preserved. The Draft Procedures require use of a standardized reporting form. The statutory law requires “prompt” reporting following a data breach, and the Draft Procedures define this further by requiring a report within one hour of discovery of a “major” data breach incident.

Although the rules remain in draft status through 2025, businesses should already have an incident response plan that their compliance staff can use, under which they rapidly collect incident information and work with the city-level regulatory office within that time frame. A key reason for doing so is that China’s national standards for the data privacy industry already incorporate these practices.

To avoid being seen as problematic by Chinese regulators, follow the Information Security Technology – Personal Information Security Standards Section 10.1, which sets out useful best practices for improvement and corrective action: review incident records, identify problems in incident prevention and response, and apply lessons learned from incidents to improve security measures. In practice, you will need a skilled local privacy professional who knows how things work in China. To navigate these challenges, consider getting help from CBL.

Conclusion

The penalty for violating China’s statutory data security assurance and incident response law is up to 50 million CNY or 5% of annual turnover. Directly responsible executives can be fined up to 1 million CNY. Chinese government agencies look closely for data security incidents caused by an organization’s failure to comply fully with data protection law. Therefore, make sure you are in full compliance with data protection and incident response laws, have incident prevention controls and a response plan in place, and, following an incident, comply with the law on response procedures.