What is it?
The Personal Information Security Specification governs the collection and use of the personal data of Chinese residents by “network operators”. These are entities that own and manage a network. This can be for internal company use or for “domestic operations”, i.e. doing business in China.
Kontainers is a GDPR-compliant company. The current China standards are modelled on GDPR, with some small differences.
- Whereas the EU law upholds personal rights and freedoms, the Chinese law forms part of the Cybersecurity Law of 2017, a comprehensive framework governing information and communication technology in China. Data privacy therefore operates under the umbrella of national security.
- Under GDPR, consent is explicit; in China it is looser, and may even be “implied”. This makes the notion of consent more like America’s, and less like Europe’s.
- There are two “exemptions to obtaining consent” under China data law. These are to fulfil a contract (with a broader scope than in GDPR), and to maintain a safe and stable operation of a product or service. Under this definition, adding PII to the Kontainers platform does not require specific consent.
- The term “network operator” is defined to include any person or entity that owns and manages any network, as well as network service providers. If a company uses its internal network for its internal company operations and its company website to provide information to its customers, and that network and website are owned and managed by its foreign parent, then the foreign parent company is a network operator. Kontainers is the Network Operator for China Customers under this definition.
CSL and critical information infrastructure operators (CIIOs)
- China’s Cybersecurity law requires critical information infrastructure operators (CIIOs) to store personal information and important data collected and generated within the territory of the PRC.
- Whether a network operator is a CIIO typically depends on its industry and on how much a data breach would harm the public interest. Network operators in industries like public communication and information service providers, energy, finance, and public services are more likely to be considered CIIOs. Under the current definition, Kontainers is not a CIIO.
CSL and Cross Border Data
Kontainers is required to support China’s cross-border data transfer requirements:
- A foreign network operator that is not registered in China but provides products or services to customers in China is engaged in domestic operation and will be subject to China’s cross-border data transfer requirements.
- The factors that will lead to such a finding include using the Chinese language (Kontainers does this), settling payments in RMB (Kontainers can process payments in RMB), and delivering or distributing products or services to Chinese citizens or companies.
- Cross-border transfers are allowed for valid business needs, as long as the data subjects have provided their consent (see 'Consent and transferring personal information across borders' below) and the operator has passed a security assessment.
Data Controllers (China based Customers of Kontainers)
Data Controllers are required to carry out a Data Security Assessment when dealing with Foreign Network Operators.
- China Data Controllers will be required to conduct a security assessment before engaging in any cross-border transfer of personal information and important data.
- Reports of such assessments shall be kept for at least two years.
- If required, Kontainers can assist and support China customers with their security assessment.
Consent and transferring personal information across borders
- Consent can be implied in certain circumstances, such as making international calls, sending an email internationally, international instant messaging, and conducting cross-border transactions via the Internet. Under this definition, Personal Information can be stored on Kontainers systems and transferred across borders without specific permission.
Copyright © Kontainers.com. All Rights Reserved.