On 10 June 2021, China promulgated its Data Security Law (DSL), introducing a number of important data-related regulatory initiatives, such as the development of a national big data strategy and the development of data security standards. In several ways, the Shenzhen Data Regulation takes forward key parts of the DSL’s regulatory framework, with specific implementation for the Shenzhen Special Economic Zone. For example, the DSL includes general provisions calling for the establishment of a “data transaction market” to facilitate the free flow of data in line with China’s strategic aims. As discussed below, the Shenzhen Data Regulation introduces a specific framework for data markets in Shenzhen.
Similarly, there has been much national level focus on the pending implementation of China’s Personal Information Protection Law (PIPL). Expected later this year, the PIPL will be the mainland’s first comprehensive data protection regulation. A number of the measures under the Shenzhen Data Regulation have touchpoints with the PIPL, drawing from Shenzhen’s specific context as a hotbed for technological innovation.
It will also be interesting to see if aspects of the Shenzhen Data Regulation will set new benchmarks for national data protection laws in China, such as the potential for introducing “legitimate interests” processing.
Background – China’s Greater Bay Area Initiative
The Shenzhen Data Regulation is closely linked to China’s ambitions to further develop its Greater Bay Area initiative.
In February 2019, the State Council of the People’s Republic of China, together with the Central Committee of the Communist Party of China, published the Outline Development Plan for the Guangdong-Hong Kong-Macao Greater Bay Area, which proposes to jointly develop a Greater Bay Area big data center as well as provide a platform for international innovation.
On 11 October 2020, the two offices jointly released the Implementation Plan for the Comprehensive Pilot Reform in Shenzhen to Build the City into a Pilot Demonstration Zone of Socialism with Chinese Characteristics (2020-2025), which earmarks Shenzhen to take the lead in a number of initiatives, including improving the data property rights system, exploring new mechanisms for data property rights protection and utilization, establishing a data privacy protection system, promoting open sharing of government data, supporting the construction of a data platform for the Guangdong-Hong Kong-Macao Greater Bay Area, and laying the groundwork for establishing a data trading market in the area.
The Shenzhen Municipal Government issued the first draft of the Shenzhen Data Regulation on 16 December 2020, with a second draft released on 31 May 2021 by the Standing Committee of People’s Congress in Shenzhen.
In this briefing, we highlight the following key points:
Summarize and clarify requirements for personal data processing activities
The Shenzhen Data Regulation follows existing data-related definitions found under the DSL and the 2016 Cyber Security Law (CSL) and in the pending PIPL, emphasizing five essential requirements for processing personal data, namely, lawfulness and legitimacy of processing, data minimization, notice and consent, accuracy and integrity, and data security, going into further detail than has been seen in the national laws. Generally, the Shenzhen Data Regulation follows the existing compliance path of authorized consent and anonymization in China, affirming that the consent of natural persons is one of the valid data right bases. In line with the high-level obligations of data processors under the most recent draft of the PIPL, the Shenzhen Data Regulation elaborates that data processors shall develop or take de-identification or anonymization measures for personal data, sensitive personal data and important data specified by the state.
Moreover, where data processors provide personal data to others, the Shenzhen Data Regulation requires them to apply de-identification measures and anonymize such data as specifically required by laws and regulations or as agreed with data subjects.
Processing without data subject consent
Under the most recent draft of the PIPL, data processors may process public personal data within a reasonable range without data subject consent as prescribed by the PIPL.
The Shenzhen Data Regulation further sets up an exemption from consent for employers to process employees’ data for certain purposes, going a step further to consider the data processor’s “legitimate interests,” in addition to “processing publicly available personal data within a reasonable scope.” It specifies both “human resource management” and “trade secret protection” as bases for data processors to process their employees’ personal data without consent, provided that such data processing is essential and will be limited to a reasonable range.
The protection of sensitive personal data
Notably, the Shenzhen Data Regulation does not require a separate consent for dealing with sensitive personal data, etc.; explicit consent is sufficient. This is different from the most recent draft of the PIPL.
Going one step further than the most recent draft of the PIPL, the Shenzhen Data Regulation requires a more prominent reminder notice or other equivalent methods to notify individuals of the necessity of processing sensitive personal data and the impact on them. When handling sensitive personal data, it is required to establish data security management agencies, arrange a data security management responsible person, and implement special technical protection. Moreover, data processors shall adopt encrypted storage, authorized access, or other more stringent security protection measures for sensitive personal data.
The protection of biometric data
The Shenzhen Data Regulation includes a specific definition for “biometric data,” defining it as personal data that can identify a natural person by processing physical, physiological, behavioral, and other biological characteristics of the person, including the individual’s genes, fingerprints, voiceprint, palm prints, facial features, and other identifying characteristics.
The Shenzhen Data Regulation requires that processors of biometric data provide individuals with alternatives to the collection of biometric data and not process biometric data unless it is necessary for the relevant purposes. Biometric data is not to be processed for any purpose other than the specific purpose for which it has been collected without the data subject’s express consent.
All of these requirements echo the requirements of the Guangdong Social Credit Ordinance, which explicitly prohibits the collection of biometric information such as genes and fingerprints of natural persons by relevant data processors in the collection of market credit information. The Shenzhen Data Regulation also states that the Shenzhen Municipal Government will separately promulgate specific measures for the management of biometric data.
Partial withdrawal of consent
Other Chinese data protection laws and regulations have not provided for a concept of “partial withdrawal of consent.” The Shenzhen Data Regulation states that data subjects are entitled to request a partial withdrawal of their consent. In view of different stages of personal data processing, we understand that partial withdrawal of consent refers to the withdrawal of consent for one or more steps of collection, storage, use, production, transfer, provision, and disclosure, with the data processor being permitted to continue to process the data for purposes in relation to which consent has not been withdrawn [or another lawful basis for processing is available].
Balance between user choice and personalized recommendation services
Recent years have seen significant focus of China’s data protection laws and regulations on the manner in which mobile app developers and the operators of platforms collect personal data that is considered “non-core” or “non-essential” to the primary function of the app or service, requiring that separate consents be obtained for each such use. These regulatory moves have proposed a significant tightening of China’s internet economy, making it far more difficult for online businesses to monetize user engagement through advertising networks and data sharing arrangements – uses of personal data that are likely to be “non-core” or “non-essential” to the app or service. The Shenzhen Data Regulation affirms the role of user profiling technology in improving product quality and user experience, allowing enterprises to provide personalized services to users through user profiling technology without additional/separate consent. At the same time, the Shenzhen Data Regulation also clarifies that data analysis shall not be generally used to adopt differential treatment to trading counterparties with the same trading conditions, unless otherwise matched to the “legitimate trading customs and industry practices,” “special offer for new users,” and other exceptions expressly allowed by the Shenzhen Data Regulation. While offering some flexibility for data processors, this also leaves some room for judicial discretion to deal with complex and changing scenarios in practice.
In the meantime, the Shenzhen Data Regulation also stipulates that data processors must have clear rules on user profiling and adopt easily accessible means to allow users to choose and reject user profiling and personalized product or service recommendations based on user profiles, so as to balance the needs of data industry development and the demands of personal information protection.
Special Protection for Minors' Data
The Shenzhen Data Regulation reinforces protections for the personal data of minors (below the age of 14) found under other laws by deeming this data to be sensitive personal data.
In addition, in the scenario of user profiling, the Shenzhen Data Regulation prohibits data processors from conducting user profiling and providing personalized recommendations in relation to minors below the age of 14, unless it is for the purpose of safeguarding their lawful rights and the express consent of their guardians has been obtained. However, no provisions have been introduced yet regarding the specific methods that must be used to identify those that have reached the age of majority, and data processors are faced with practical problems such as how to determine whether a user is a minor and the difficulty of verifying the age due to the fraudulent use of another person's account by a child.
Supplementary public remedies
The Shenzhen Data Regulation proposes a variety of remedies aimed at improving standards of data protection, including:
- The municipal cyberspace administration shall, in consultation with other competent authorities, establish an interagency mechanism to investigate and deal with complaints of unlawful personal information usage.
- If breaches of the Shenzhen Data Regulation cause damage to the national interest or public interest, organizations specified under law will be permitted to initiate public interest litigation, including legally established and registered social organizations specially engaged in data protection with a good record of operation, based on the previous practice of public interest litigation for environmental or customer protection. The People's Procuratorate may also provide support to such litigation where it finds it necessary.
- In addition to general remedies for breaches of data security requirements and non-compliance with fair competition requirements (i.e., using data analysis to adopt differential treatment to trading counterparties with the same trading conditions, or using illegal means to obtain data from other market players, or using such data to provide alternative products or services), infringing the lawful rights and interests of other market players or customers may give rise to a fine that amounts to 5 percent of the turnover of last year (up to a maximum of RMB50 million).
Public data openness and government data procurement system
The Shenzhen Data Regulation provides for the establishment of a comprehensive public data openness system, requiring that certain types of public data should be published without charge in accordance with mechanisms to be introduced under the law. Specifically, public data shall be categorized into three types according to the extent of its openness: unconditional openness, conditional openness (in a specified manner) and prohibited openness. Per the definition of prohibited openness, public data relating to national security, trade secrets, personal privacy and other matters that shall be kept confidential as prescribed by the laws and regulations shall not be published.
In addition, the Shenzhen Data Regulation also provides that public management and service organizations can acquire external data through government procurement, which provides a legal basis for the government to acquire enterprise data. However, it remains to be clarified how to price such external data procured and whether the government can develop government-enterprise data fusion products or commercialize the data in other ways.
Personality rights and rights in personal data
Going beyond the more typical protections and controls concerning data protection, the Shenzhen Data Regulation specifies that individuals enjoy personality rights in their personal data, an innovation that appears to be directed at allowing individuals to control the commercialization of their data. Whether or not data subjects have the right to benefit from data transactions, however, remains to be clarified.
The establishment of a data trading system is one of the highlights of the Shenzhen Data Regulation, with measures focused on the following:
- Clarifying the permitted scope of data trading
The scope of lawful data trading is limited to “data products and services generated from lawful data processing,” with a clear prohibition on transacting in data products and services which contain: 1) personal data obtained without legal authorization; or 2) public data that has not been legally released. Such transactions may also be prohibited in accordance with relevant laws and regulations.
- Establishing standards for data trading platforms
Market players may conduct data trading through legally established data trading platforms. Platforms are required to develop rules for data trading and information disclosure, with specific obligations to have a secure, controllable, and traceable trading environment with effective measures to protect personal data, trade secrets, and important data as stipulated by the state.
The second draft of the Shenzhen Data Regulation removed the prescribed penalties for illegal personal data processing activities to be aligned with the superior PIPL, which had provided that any illegal processing of personal data would be subject to rectification orders, confiscation of illegal income, and/or a fine between RMB200-1,000 per individual impacted by misuse of personal data. The Shenzhen Data Regulation adopts the same approach when dealing with penalties for failing to implement the data security protection responsibility.
Upon the final approval of the Shenzhen Data Regulation, it will formally provide a legal framework for multiple emerging and advanced industries such as artificial intelligence technology and open source systems, artificial intelligence financial technology, blockchain technology and trusted computing, industrial intelligent Internet of Things and intelligent robotics, and foster a number of leading international technology enterprises to drive the development of digital economy industry in Shenzhen and the Guangdong-Hong Kong-Macao Greater Bay Area.