China Releases Draft Guideline for Closure of Internet Platforms
Published 15 August 2024
Xia Yu
On 7 August 2024, the secretariat of China’s National Technical Committee on Cybersecurity of Standardization Administration (“Secretariat”) released a draft data processing guideline for shutting down internet platforms (“Draft Guideline”) for public comment until 22 August 2024. The Draft Guideline is formulated in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, and China’s Personal Information Protection Law. It provides general requirements for the processing of data, and specific processing requirements for personal information and key data, when shutting down internet platforms.
According to the Draft Guideline, an internet platform refers to a carrier with interactive rules that uses network information technology to provide products or services, including websites, Apps, and mini-programs, and a shutdown refers to a situation where an internet platform operator no longer provides products or services due to mergers, divisions, dissolutions, bankruptcy, etc. Generally, the Draft Guideline requires the internet platform operator to promptly dispose of Apps and mini-programs that have not provided services for a long time. After shutting down an internet platform, the operator shall immediately stop collecting any personal information and key data, protect existing data, classify the data as core data, key data, or general data according to the national standard of GB/T43697, and classify it as sensitive personal information or personal information according to the national standard on sensitive personal information. Furthermore, for personal information involving minors, it is necessary to ensure that minors and their guardians can review, copy, correct, supplement, and delete the information. In addition, for data to be transferred due to the shutdown of an internet platform, a clear transfer plan should be formulated, and affected users should be notified by phone, text message, email, or announcement.
Regarding personal information, the Draft Guideline requires that the internet platform operator whose internet platform is shut down should publish a personal information disposal announcement for 30 days within 30 days after the date of the shutdown, actively delete personal information, and promptly handle reasonable requests from individuals to review, copy, correct, supplement, and delete their personal information. During the announcement, the operator shall immediately notify individuals of the sensitive personal information related to their transactions, payments, and financial accounts. Meanwhile, the announcement released by the operator shall disclose the following information:
1. The specific time of the shutdown and the services or functions to be shut down;
2. The time limit and method for accessing, copying, downloading, transferring, and deleting personal information;
3. The scope and type of personal information to be transferred, as well as the recipient’s basic information and security management measures taken by the recipient;
4. Personal information that has been transferred or deleted, and the impact of the personal information to be transferred or deleted on personal rights and interests.
After the expiration of the announcement, the internet platform operator can transfer personal information to a third party that can provide products or services related to the internet platform operator’s business, continue to comply with the internet platform’s privacy policy, fulfill its obligations to protect personal information, and re-obtain the individuals’ consent. Under special circumstances, such as insurance sales, payment, trust registration, providing products or services in advance, or fulfilling statutory duties and obligations, the internet platform operator can continue to retain personal information on the condition that the personal information is stored separately and protected by encryption measures. If a third party has been entrusted to process personal information before shutdown, the internet platform operator shall notify the third party to return or delete the entrusted personal information within 15 working days before the date of shutdown. The third party shall then dispose of the entrusted personal information promptly, and return or delete it within 15 working days before the date of shutdown.
Key data in the Draft Guideline is defined as data that may directly endanger national security, economic operation, social stability, public health, and safety once it is leaked, tampered with, or damaged. Such data may belong to specific fields, specific groups, or specific regions, or reach a certain accuracy and scale. According to the Draft Guideline, an internet platform operator that holds key data or personal information of more than 10 million people, in addition to meeting the above requirements for processing personal information, should also report its data disposal plan within 45 working days before the date of shutdown, delete the data, and entrust a third party to evaluate the effect of the data deletion. The data disposal plan should include the basic situation of the internet platform and the recipient, relevant key data or personal information, and the risk of tampering, destruction, leakage, loss, and illegal use after transfer to the recipient.
The Draft Guideline is one of the practice guidelines on cybersecurity developed by the Secretariat, which aim to provide standardized practice guidance on hot topics and events relating to cybersecurity laws, regulations, policies, standards, and cybersecurity. Once promulgated, the Draft Guideline can be used to guide internet platform data processors in carrying out data security protection work, and can also provide a reference for competent regulatory authorities to implement security supervision or security assessments.