Zscaler and China’s Data Protection Laws
Introduction
China’s first comprehensive data protection law, the Personal Information Protection Law (“PIPL”), became effective November 1, 2021. The PIPL aligns with the EU’s General Data Protection Regulation (“GDPR”) in many respects. Key provisions of the PIPL include the following:
- Definition of personal information. Personal information is broadly defined to include “any information (such as video, voice, or image data) relating to any identified or identifiable natural person, notwithstanding whether it is in an electronic form or any other form, exclusive of any anonymized information.” Personal information defined as “sensitive” is subject to additional requirements for processing.
- Legal basis for processing. Like the GDPR, the PIPL requires that there be a legal basis for processing personal information. Express consent of the individual is one such basis. In addition, personal information can be processed under certain other circumstances – e.g., for performance under a contract or necessary to comply with legal responsibilities or obligations.
- Individual rights. Like the GDPR, the PIPL provides individuals with broad rights over their personal information, including: (1) the right to access, correct, erase, object to and restrict the processing of the individual’s data; (2) the right to data portability; (3) the right not to be subject to automated decision-making; (4) the right to withdraw consent; and (5) the right to lodge a complaint with the data protection supervisory authority.
- Security measures. PIPL requires processors of personal information to adopt certain security measures to prevent personal information from being subject to loss or unauthorized disclosure.
- Security breach requirements. PIPL requires that in the event of a security breach, organizations must take “immediate” remediation actions and notify the relevant agencies and affected individuals.
- Extraterritorial scope. The PIPL applies to both (1) data processing activities within China and (2) processing of China residents’ personal information outside of China, if the purpose is to provide products or services to China residents, or to analyze or evaluate the behavior of China residents.
China has two other important laws regarding data protection: the Cybersecurity Law, which went into effect June 1, 2017, and the Data Security Law, which went into effect September 1, 2021. In addition, China has issued a number of implementing regulations and guidelines.
Restrictions on Cross-Border Data Transfers
The PIPL includes restrictions on cross-border transfers of personal information. In particular, an organization that meets the definition of a “critical information infrastructure operator” (relating to infrastructure that might seriously endanger China national or public interests if damaged) is required to store within China any personal information that is domestically collected or generated. Similar localization requirements will apply to organizations that process a certain threshold of personal information, to be defined by the Cyberspace Administration of China (“CAC”).
For other transfers of personal information outside of China, certain conditions must be met, which may include entering into a standard data transfer agreement (to be formulated by the CAC), similar to the concept of standard contractual clauses under the GDPR.
Zscaler Compliance with China’s Data Protection Laws
In its role as a processor of customer data that may be subject to China’s data protection laws, Zscaler is committed to meeting its compliance obligations, including as follows:
- Legal basis for personal information processing. Zscaler ensures that it satisfies the requirements of the PIPL for personal information processing, including by requiring its customers to obtain all necessary consents and only processing personal information for the purpose of providing its services and products to the customer. Zscaler does not process “sensitive personal information” as defined under the PIPL.
- Other principles for personal information processing. Zscaler recognizes and complies with the other data processing principles stipulated under the PIPL, including data minimization, storage limitation, transparency and accuracy.
- Security measures. As required by the PIPL, Zscaler has adopted security measures to protect personal information, including establishing internal personal information management policies and procedures, applying appropriate technical security measures such as cryptography and anonymization, conducting training, and creating contingency plans, to ensure personal information processing is in compliance with relevant laws.
- Data breaches. In the event of a data breach, Zscaler will promptly notify its customers as well as the Chinese authorities in charge of personal data protection (including but not limited to the CAC) as required under Chinese law. Furthermore, Zscaler will promptly take remedial measures and assist its customers in informing the individuals involved if the damages from the data breach cannot be remediated.
- Rights of data subjects. Consistent with the requirements of the PIPL, Zscaler assists its customers in fulfilling their obligations to allow data subjects to exercise their data protection rights, including rights of access, correction, and deletion of personal information.
- Cross-border transfers. Zscaler is not a “critical information infrastructure operator” as defined under the Cybersecurity Law, so Zscaler is not subject to the data transfer restrictions imposed on such operators. Zscaler is not currently subject to any other data localization requirements under Chinese law. If and when the CAC issues standard contractual clauses applicable to cross-border transfers of the personal information of Chinese residents, Zscaler will enter into such clauses with its customers as necessary to comply with Chinese law.
- Audits. Zscaler regularly undertakes data audits.
Because China’s data protection laws are still evolving, and further regulatory guidance from the Chinese authorities is anticipated in the months ahead, Zscaler will be carefully monitoring developments to ensure Zscaler remains compliant with China’s data protection requirements.
Helpful Links Regarding China Data Protection Laws
Text of the PIPL: http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml (in Chinese)
Text of the Cybersecurity Law: http://www.cac.gov.cn/2016-11/07/c_1119867116.htm (in Chinese)
NOTE: While this site is designed to help organizations understand China’s data protection laws in connection with Zscaler's services and products, the information contained herein may not be construed as legal advice and organizations should consult with their own legal counsel with respect to interpreting their unique obligations under China’s data protection laws.