Zscaler and China’s Data Protection Laws
Last Updated: September 18, 2023
China’s first comprehensive data protection law, the Personal Information Protection Law (“PIPL”), became effective November 1, 2021. The PIPL aligns with the EU’s General Data Protection Regulation (“GDPR”) in many respects. Key provisions of the PIPL include the following:
• Definition of personal information. Personal information is broadly defined to include “any information (such as video, voice, or image data) relating to any identified or identifiable natural person, notwithstanding whether it is in an electronic form or any other form, exclusive of any anonymized information.” Personal information defined as “sensitive” is subject to additional requirements for processing.
• Legal basis for processing. Like the GDPR, the PIPL requires that there be a legal basis for processing personal information. Express consent of the individual is one such basis. In addition, personal information can be processed under certain other circumstances – e.g., for performance under a contract or necessary to comply with legal responsibilities or obligations.
• Individual rights. Like the GDPR, the PIPL provides individuals with broad rights over their personal information, including: (1) the right to access, correct, erase, object to and restrict the processing of the individual’s data; (2) the right to data portability; (3) the right not to be subject to automated decision-making; (4) the right to withdraw consent; and (5) the right to lodge a complaint with the data protection supervisory authority.
• Security measures. PIPL requires processors of personal information to adopt certain security measures to prevent personal information from being subject to loss or unauthorized disclosure.
• Security breach requirements. PIPL requires that in the event of a security breach, organizations must take “immediate” remediation actions and notify the relevant agencies and affected individuals.
• Extraterritorial scope. The PIPL applies to both (1) data processing activities within China and (2) processing of China residents’ personal information outside of China, if the purpose is to provide products or services to China residents or for analytics or evaluation of behavior of China residents.
China has two other important laws regarding data protection: the Cybersecurity Law, which went into effect June 1, 2017, and the Data Security Law, which went into effect September 1, 2021. In addition, China has issued a number of implementing regulations and guidelines.
Restrictions on Cross-Border Data Transfers
The PIPL includes restrictions on cross-border transfers of personal information. In particular, an organization that meets the definition of a “critical information infrastructure operator” (relating to infrastructure that might seriously endanger China’s national or public interests if damaged) is required to store within China any personal information that is domestically collected or generated. Similar localization requirements will apply to organizations that process a certain threshold of personal information, to be defined by the Cyberspace Administration of China (“CAC”).
For other transfers of personal information outside of China, certain conditions must be met, which may include entering into a standard data transfer agreement (to be formulated by the CAC), similar to the concept of standard contractual clauses under the GDPR.
Zscaler Compliance with China’s Data Protection Laws
In its role as a processor of customer data that may be subject to China’s data protection laws, Zscaler is committed to meeting its compliance obligations, including as follows:
1. Legal basis for personal information processing. Zscaler ensures that it satisfies the requirements of the PIPL for personal information processing, including by requiring its customers to obtain all necessary consents and only processing personal information for the purpose of providing its services and products to the customer. Zscaler does not process “sensitive personal information” as defined under the PIPL.
2. Other principles for personal information processing. Zscaler recognizes and complies with the other data processing principles stipulated under the PIPL, including data minimization, storage limitation, transparency and accuracy.
3. Security measures. As required by the PIPL, Zscaler has adopted security measures to protect personal information, including establishing internal personal information management policies and procedures, applying appropriate technical security measures such as cryptography and anonymization, conducting training, and creating contingency plans, to ensure personal information processing is in compliance with relevant laws.
4. Data breaches. In the event of a data breach, Zscaler will promptly notify its customers as well as the Chinese authorities in charge of personal data protection (including but not limited to the CAC) as required under Chinese law. Furthermore, Zscaler will promptly take remedial measures and assist its customers in informing the individuals involved if the damages from the data breach cannot be remediated.
5. Rights of data subjects. Consistent with the requirements of the PIPL, Zscaler assists its customers in fulfilling their obligations to allow data subjects to exercise their data protection rights, including rights of access, correction, and deletion of personal information.
6. Cross-border transfers. Zscaler is not a “critical information infrastructure operator” as defined under the Cybersecurity Law, so Zscaler is not subject to the data transfer restrictions imposed on such operators. Zscaler is not currently subject to any other data localization requirements under Chinese law. If and when the CAC issues standard contractual clauses applicable to cross-border transfers of the personal information of Chinese residents, Zscaler will enter into such clauses with its customers as necessary to comply with Chinese law.
7. Audits. Zscaler regularly undertakes data audits.
Because China’s data protection laws are still evolving, and further regulatory guidance from the Chinese authorities is anticipated in the months ahead, Zscaler will be carefully monitoring developments to ensure Zscaler remains compliant with China’s data protection requirements.
ZSCALER’S COMPLIANCE WITH CHINA’S DATA PROTECTION LAWS:
FREQUENTLY ASKED QUESTIONS
Updated September 14, 2023
With China’s adoption in 2021 of the Personal Information Protection Law (“PIPL”) and the Data Security Law (“DSL”), as well as its approval June 1, 2023 of standard contractual clauses for cross-border data transfers, China has created a data protection regime that bears many similarities to the EU’s GDPR. In important respects, however, China’s data protection laws are unique, and details regarding how these laws will be implemented and enforced are still evolving.
Zscaler is providing this document to answer frequently asked questions about how Zscaler complies with China’s data protection requirements and to assist Zscaler’s customers in assessing their own compliance when using Zscaler’s services in China.
NOTE: Zscaler is aware of the new Catalogue of Network Security Products that was issued by the Cyberspace Administration of China (CAC) and made effective on July 3, 2023 (the “Catalogue”). The Catalogue will replace the old catalogue issued by the same regulators in 2017 to work under the new network security product certification / testing regime stipulated under the China Cybersecurity Law. Zscaler is reviewing the applicability of this Catalogue to its products and services. However, at this time, the CAC has not made any updates in the implementation of the network product security certification / testing rules, including the ability for companies like Zscaler to file for any such license. Zscaler will continue to monitor any developments with our outside counsel in China.