In 2023, countries worldwide continued to strengthen their cybersecurity capabilities and systems in response to their national needs, using regulatory means to enhance their cybersecurity management. Based on continuous tracking and research, NSFOCUS summarized the development of global cybersecurity regulations and policies in 2023, hoping to provide valuable insights and guidance for stakeholders, policymakers, and cybersecurity professionals navigating this dynamic landscape.
The series includes four aspects: “Network Security,” “Data Security,” “Privacy Protection,” and “Tech Development and Governance,” with content organized in chronological order.
This article summarizes regulations and policies related to privacy protection, covering topics such as the management of personal information exit, mechanisms for personal information compliance audits, protection of special groups, and regional mechanisms for cross-border sharing of personal information.
In recent years, China has placed significant emphasis on the security protection of personal information exiting the country. Article 38 of the “Personal Information Protection Law” clearly outlines the relevant conditions for the exit of personal information. These conditions include security assessments organized by the National Internet Information Department, personal information protection certification, and the establishment of standard contracts with overseas recipients.
The “Methods for Standard Contracts for the Exit of Personal Information” complement the previously released “Methods for Data Exit Security Assessment” and “Implementation Rules for Personal Information Protection Certification,” collectively forming a comprehensive system for the security protection of personal information leaving the country.
The Cyberspace Administration of China released the Guidelines for Filing Standard Contracts for the Exit of Personal Information (First Edition), marking the actual initiation of the filing work for standard contracts for the exit of personal information.
This is the first supporting document issued after the introduction of the “Methods for Standard Contracts for the Exit of Personal Information.” The Guidelines provide detailed provisions on the scope of application and declaration materials for standard contracts for the exit of personal information. They also reflect the increasingly strict supervision of personal information exit.
The release of the Guidelines indicates that the filing work for standard contracts for the exit of personal information is ready on both the regulatory and operational sides, entering the practical initiation phase.
Since President Biden took office, the U.S. government has consistently strengthened the protection of cross-border transmission of personal data, issuing a series of policies and regulations. This includes the June 2021 executive order signed by Biden, “Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries,” the June 2022 U.S. Senate proposal for the “Health and Location Data Protection Act of 2022,” and the “Protecting Americans’ Data from Foreign Surveillance Act of 2022.”
The “Protecting Americans’ Data from Foreign Surveillance Act of 2023” primarily adds restrictions on data brokers, intermediaries, and data transmission activities of companies like TikTok. This legislative approach not only clarifies regulatory requirements but also specifies the scope of regulation for key regulatory targets.
In recent years, the United States and the European Union have been exploring bilateral mechanisms for cross-border data transfer. However, due to differences in their legal systems, previous arrangements such as Safe Harbor and the Privacy Shield were invalidated by the Court of Justice of the European Union. In March 2022, the U.S. and the EU reached a preliminary agreement on the new EU-U.S. Data Privacy Framework. In October 2022, President Biden signed the Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities” to implement the U.S. commitments under the EU-U.S. Data Privacy Framework. The formal adoption of the EU-U.S. Data Privacy Framework by the European Commission marks the third formal arrangement on cross-border data transfer between Europe and the United States. The Framework’s ongoing operation will undergo regular reviews by EU and U.S. authorities to verify whether the relevant commitments are fully implemented and effectively practiced within the U.S. legal framework.
The Cyberspace Administration of China publicly solicited opinions on the Management Measures for Compliance Audit of Personal Information Protection (Draft), to promote the standardization of compliance audit activities for personal information protection.
Personal information protection is crucial in network and data security. China has previously introduced regulations and policies in the field of personal information protection, such as the “Personal Information Protection Law” and the “Methods for Standard Contracts for the Exit of Personal Information.” It has also carried out various special enforcement actions for the protection of personal information. Unlike previous efforts, the focus of the Measures is on proactive prevention, emphasizing regular compliance audits by personal information handlers.
The legal basis for the Measures is Article 54 of the “Personal Information Protection Law,” which states that “personal information handlers shall regularly conduct compliance audits of their processing of personal information to ensure compliance with laws and administrative regulations.” The goal is to establish a sound compliance audit system for personal information protection in China. This is of significant practical importance for personal information handlers and for third-party professional organizations engaged in compliance audit activities.
With the widespread development of mobile internet, the proportion of minors using the internet has rapidly increased. Meanwhile, traditional internet security issues, such as cyber-attacks and misuse of personal information, are spreading increasingly fast among minors. Previously released policies and regulations, such as the “Law of the P.R.C. on the Protection of Minors,” “Opinions on Regulating Online Live Rewards and Strengthening the Protection of Minors,” and the “Guidelines for the Construction of Mobile Internet Modes for Minors (Draft for Comments),” have all set out corresponding requirements for the protection of minors on the internet. The newly introduced Regulations further refine these protection requirements in the form of administrative regulations.
Compared to the “Draft of the Regulations on Minors’ Internet Protection” released in March 2022, the Regulations contain three main modifications. First, they further clarify the management system and its legal basis, for example by explicitly authorizing the formulation of measures defining “Network Platform Service Providers.” Second, they strengthen the connection with higher-level laws, through provisions such as “Network product and service providers shall not engage in commercial marketing to minors through automated decision-making methods.” Third, they enhance the application of emerging technologies, requiring network product and service providers to strengthen the identification and monitoring of online bullying information through a combination of artificial intelligence, big data, and manual review.
Cross-border data flow is a core area of regulation in EU data security and personal privacy protection. In recent years, the EU has been exploring bilateral mechanisms with other countries for cross-border data flows, such as the adequacy decision for the EU-U.S. Data Privacy Framework, the EU-New Zealand trade agreement, and the EU-UK Trade and Cooperation Agreement, all of which include rules related to cross-border data flows.
The EU’s establishment of a “data security whitelist” through the formulation of bilateral agreements significantly reduces compliance costs for enterprise data transfers, promoting the exchange and development of the digital economy between the parties.
This bilateral approach to eliminating certain barriers to cross-border data flows is an exception to the general principles of controlling cross-border data flows. The provisions in the EU’s bilateral agreements on the scope and conditions of cross-border flow of data are worth studying and continuously observing.
The Cyberspace Administration of China issued the Implementation Guidelines for Standard Contracts for the Cross-Border Flow of Personal Information in the Guangdong-Hong Kong-Macao Greater Bay Area (Mainland and Hong Kong).
Currently, China’s supervision of cross-border personal information transfers mainly employs three methods: security assessments organized by the National Internet Information Department, personal information protection certification of personal information handlers by professional institutions, and the signing of standard contracts for cross-border transfer followed by filing. Which of the three methods applies depends mainly on the sensitivity and scale of the personal information involved.
As an important carrier of China’s regional economic development, the Guangdong-Hong Kong-Macao Greater Bay Area has also become an important experimental zone for the management of cross-border personal information. The Greater Bay Area has previously initiated special management mechanisms for the protection of personal information, such as standard contracts for the cross-border flow of personal information and cross-border certification for personal information.
Currently, the application scope of the relevant cross-border management mechanisms in the Greater Bay Area is limited to transfers within the Greater Bay Area itself; the protection and management of personal information flowing between the Greater Bay Area and other external regions remain governed by China’s existing laws and regulations on personal information protection.