China: Privacy, Security and Content Regulation to Increase in 2020

New Internet Content and Governance Regulation

China’s authorities have published a much-anticipated brand new directive on internet content regulation and governance, which will come into force on 1 March 2020. This law will require organizations which host websites in China to make fundamental changes to their website governance frameworks.

The changes specifically introduce the following:

  • Broader scope of prohibited content: in addition to the currently existing categories (e.g., defaming national integrity and unity), the new law prohibits publication of additional categories of content (e.g., materials that may defame “national heroes” and materials which use hyperbolic headlines and exaggerate the gravity of the matter reported, etc.);
  • Mandatory governance mechanism: the new law requires website hosts to put in place a mandatory governance mechanism in order to maintain a “healthy online ecosystem”. This includes the positive obligation to manage online accounts, monitor posts and advertisements, undertake periodic audits of content, and having in place contingency measures in the event that any false or prohibited materials are published; and
  • Appointment of a responsible officer: the new law requires website hosts to appoint a responsible officer within their organization who is responsible for content publishing and monitoring.

Organizations that host websites in China should, therefore, take immediate action to develop or update their internal content monitoring guidelines before March in anticipation of these new obligations.


New Personal Data Protection Law and Data Security Law

China’s authorities have also announced that they will introduce a new Personal Data Protection Law and a new Data Security Law in 2020 as a matter of priority. Specific details about these new laws are not available for the public yet. However, it is anticipated that the new laws will consolidate pre-existing data protection principles in China (e.g., consent, overseas transfers of personal data, privacy and security impact assessments, data breach management, etc.) into a single instrument. Currently, despite the PRC Cybersecurity Law having come into force in 2017 to address cybersecurity and data protection, there remains a lot of uncertainty as to how the PRC Cybersecurity Law will be applied and what practical steps need to be taken to achieve compliance. As a result, new draft guidelines and national standards are published almost on a weekly basis.

It is clear that the regulatory landscape in China continues to evolve, and so organizations operating in China should continue to monitor developments closely and update their compliance programs accordingly.

For further information or to better understand what this means for your organization, please contact the authors of this article (Scott Thiel, Carolyn Bigg or Kenny Tam) or your usual DLA Piper Data Protection contact.