With the implementation of the Cybersecurity Law of the People’s Republic of China (“PRC”) as of 1st June 2017, together with a series of supporting rules and regulations that have been or will be issued in the near future, network owners and operators, as well as network service providers, will face a significant impact with respect to liabilities arising from personal data protection. In this context, business operators and service providers in the senior and health care industry, and in particular the operators of multinational companies, are inevitably regulated by this legislation. It is therefore advisable to embrace it by taking action sooner rather than later.
Strengthened Protection of Personal Data
Like most countries in the world, China has set rules to protect personal data. Organizations may only obtain personal data in a legitimate way and are prohibited from obtaining it by theft or any other illegal means. According to the Cybersecurity Law of the PRC, collectors of personal data should follow the principles of legality, legitimacy and necessity, expressly stating the purpose, method and scope of the collection and use of personal data. For the senior care industry, it is noteworthy that a person with full civil capacity has the right to grant authorization for the disposal of his/her personal data, whilst authorization for the data of any elderly person who suffers from dementia and has thus lost all or part of his/her civil capacity must be granted by his/her guardian.
Furthermore, the PRC legislators have recently updated both the Criminal Law and the Civil Law to strengthen personal data protection from different dimensions. The newly published General Principles of Civil Law provide that the personal data of individuals is protected by law against illegal collection, use, processing, transmission, transfer, provision and publication, which offers an explicit legal basis for infringed parties to seek remedies. On the other hand, the PRC Criminal Law has, through its 9th Amendment, intensified the crackdown on crimes involving the sale, illegal provision and procurement of citizens’ personal data.
Emphasized Protection for Personal Health Data
Unlike personal ID-related data, personal health data is more strictly protected through various laws and regulations. Personal health data principally includes medical and health data, e.g. personal e-medical records and health records, maintained by medical organizations and health management service organizations. Although such data does not involve any state secrets, legislators nevertheless define it as important data, because it is closely associated with national security, economic development and the public interest.
According to the existing regulation, personal health data, once collected with authorization, must be stored in Mainland China. Storing such data on servers outside China is prohibited, and operators are also not allowed to host or rent servers outside China for this purpose. Where an operator authorizes another organization to store and maintain personal health data, the operator remains liable for the management and security of that health data and must prevent the organization from collecting, developing or using the health data beyond the scope of the authorization.
Multinationals, in particular those that have only just entered the China senior and health care market, cannot afford to ignore this onshore storage requirement. For many experienced overseas operators, their China business oftentimes starts from a small task, such as providing consultancy services or conducting planning and market research for domestic projects, at which stage a data protection system has not yet been established; however, most of the work may be carried out by team members of the overseas parent company using data materials sent from China. If the above requirement under PRC law is ignored at this stage and results in improper handling of personal health data collected in China, operators are highly likely to expose themselves to compliance risks.
Stricter Regulations towards CII Operators
A new term was brought to the attention of operators by the PRC Cybersecurity Law: Critical Information Infrastructure (“CII”). CII refers to an information system or industrial control system that provides network information services to the public or supports the operation of important industries, e.g. energy, communications, finance, transport and utilities, and which, in the event of a network security incident, would endanger the normal operation of those industries and cause severe losses to national politics, the economy, science, society, culture, national defense and the lives and property of citizens. The legislators therefore require CII operators to assume greater liabilities and obligations with respect to network and data security.
As part of the public facilities, and depending on the specific sub-sector, main business and scale, as well as the extent to which the network supports the core business, some organizations in the medical and healthcare industry will fall within the scope of CII. China is currently promoting the construction of a senior care system with “a combination of medical and senior care services”. The business model of many senior care services is based on the combination of medical services and senior care services, which also gives rise to many online-to-offline services. The “9073” policy has also facilitated close cooperation among institutions, communities and home care service providers. In the course of such cooperation, clients’ health data could be shared among and used by the parties, and any organization or service provider involved in senior-care-related services may be deemed a CII operator.
Stricter regulation of CII is also reflected in administrative supervision throughout the entire process of “planning, construction, operation, maintenance, use, and security and protection of CII in China”. At the same time, the law imposes comparatively wide restrictions on the cross-border transfer of information and data by CII operators, whether general ID data or health data.
Requirement on Cross-border Transfer
As a basic principle, collected personal data should be stored within the territory of the PRC. Where, for business needs, it is necessary to transfer the data overseas, the collector should notify the data subject of the purpose, scope and recipient of the transfer and the place or country where the recipient is located, and the data subject’s authorization for the cross-border transfer is required before any personal data can be transferred overseas. In addition, collectors should conduct a security assessment before any data is transferred overseas, covering the necessity of the transfer, the personal data involved, the quantity, scope and sensitivity of the data, the proper offshore storage and use of the data, and possible damage to national security, the public interest or personal legal rights arising from the transfer, etc.
According to the Draft Guidelines for Security Assessment of Cross-border Transfer of Personal Data and Important Data, which are currently under review and discussion, for most cross-border transfers of data that may affect national security and the public interest, including health data, personal data and important data transferred overseas by CII operators, and data exceeding certain thresholds (e.g. where the personal data of more than 500,000 individuals is contained or aggregated, or the volume of data exceeds 1,000GB), etc., the security assessment should be conducted by the industry authority or regulatory department.
Data Desensitization Measures
Although the legislation is becoming increasingly strict on personal data protection, one exception is provided to strike a balance between personal data protection and the reasonable use of data, namely the use of data after data desensitization.
In recent years, China has actively promoted the collection and storage of health and medical big data, with the aim of making key technological breakthroughs in mass data storage, analysis and mining, and in security and privacy protection, facilitating the deep integration of medical services and big data technologies, and enhancing cooperation among the medical service, elderly care and housekeeping service industries. Therefore, although the law stipulates that collected personal data should not be disclosed to others unless the data subject’s consent is obtained, such data may be more widely used if it is specially processed so that it cannot be recovered or used to identify a specific individual (known as data desensitization, after which it is impossible to match the information with any specific individual).
Undoubtedly, where big data technology is used across industries, information that appears irreversibly desensitized by its operator may still identify an individual once it is combined and processed with data from other sources. In such a case, the data desensitization turns out to be a mere formality. We expect further clarification and regulation in this respect from future legislation.
With reference to the legislation and practices of other countries, the PRC personal data protection regime is being rolled out top-down to provide guidance and regulation for network operators. Whilst the implementing rules of many laws and regulations are still being drafted, service providers and operators in the senior and health care industry should be aware that policies for the protection of personal data, and of data related to national security and the public interest, are being well developed in China, as has happened in many other countries.
To cope with the industry opportunities and challenges of the big data wave, operators in the senior and health care industry should make all necessary arrangements as early as possible. Our recommendation is that your China business arm should review the need to set up internal control and compliance rules on data protection and take the following measures as soon as possible: assess whether your company falls within the CII regime, set up data layering rules in due time, update the legal documents related to personal data and privacy protection at your earliest convenience, actively deploy the hardware, software and technologies for data protection, and maintain communications with the industry authorities, regulatory departments and external lawyers to keep a close eye on the progress of legislation in this area.
By: Michael Qu & Vivian Jin
Shanghai Law View Partners