Zscaler and China’s Data Protection Laws
Last Updated: September 18, 2023
Introduction
China’s first comprehensive data protection law, the Personal Information Protection Law (“PIPL”), became effective November 1, 2021. The PIPL aligns with the EU’s General Data Protection Regulation (“GDPR”) in many respects. Key provisions of the PIPL include the following:
• Definition of personal information. Personal information is broadly defined to include “any information (such as video, voice, or image data) relating to any identified or identifiable natural person, notwithstanding whether it is in an electronic form or any other form, exclusive of any anonymized information.” Personal information defined as “sensitive” is subject to additional requirements for processing.
• Legal basis for processing. Like the GDPR, the PIPL requires that there be a legal basis for processing personal information. Express consent of the individual is one such basis. In addition, personal information can be processed under certain other circumstances – e.g., for performance under a contract or necessary to comply with legal responsibilities or obligations.
• Individual rights. Like the GDPR, the PIPL provides individuals with broad rights over their personal information, including: (1) the right to access, correct, erase, object to and restrict the processing of the individual’s data; (2) the right to data portability; (3) the right not to be subject to automated decision-making; (4) the right to withdraw consent; and (5) the right to lodge a complaint with the data protection supervisory authority.
• Security measures. PIPL requires processors of personal information to adopt certain security measures to prevent personal information from being subject to loss or unauthorized disclosure.
• Security breach requirements. PIPL requires that in the event of a security breach, organizations must take “immediate” remediation actions and notify the relevant agencies and affected individuals.
• Extraterritorial scope. The PIPL applies to both (1) data processing activities within China and (2) processing of China residents’ personal information outside of China, if the purpose is to provide products or services to China residents or for analytics or evaluation of behavior of China residents.
China has two other important laws regarding data protection: the Cybersecurity Law, which went into effect June 1, 2017, and the Data Security Law, which went into effect September 1, 2021. In addition, China has issued a number of implementing regulations and guidelines.
Restrictions on Cross-Border Data Transfers
The PIPL includes restrictions on cross-border transfers of personal information. In particular, an organization that meets the definition of a “critical information infrastructure operator” (an operator of infrastructure that might seriously endanger China’s national or public interests if damaged) is required to store within China any personal information that is domestically collected or generated. The same localization requirement applies to organizations that process personal information above a volume threshold set by the Cyberspace Administration of China (“CAC”).
For other transfers of personal information outside of China, certain conditions must be met, which may include entering into the standard contractual clauses for cross-border transfers issued by the CAC (effective June 1, 2023), a mechanism similar in concept to the standard contractual clauses under the GDPR. The FAQ below describes these clauses and the conditions for using them.
Zscaler Compliance with China’s Data Protection Laws
In its role as a processor of customer data that may be subject to China’s data protection laws, Zscaler is committed to meeting its compliance obligations, including as follows:
1. Legal basis for personal information processing. Zscaler ensures that it satisfies the requirements of the PIPL for personal information processing, including by requiring its customers to obtain all necessary consents and only processing personal information for the purpose of providing its services and products to the customer. Zscaler does not process “sensitive personal information” as defined under the PIPL.
2. Other principles for personal information processing. Zscaler recognizes and complies with the other data processing principles stipulated under the PIPL, including data minimization, storage limitation, transparency and accuracy.
3. Security measures. As required by the PIPL, Zscaler has adopted security measures to protect personal information, including establishing internal personal information management policies and procedures, applying appropriate technical security measures such as cryptography and anonymization, conducting training, and creating contingency plans, to ensure personal information processing is in compliance with relevant laws.
4. Data breaches. In the event of a data breach, Zscaler will promptly notify its customers as well as the Chinese authorities in charge of personal data protection (including but not limited to the CAC) as required under Chinese law. Furthermore, Zscaler will promptly take remedial measures and assist its customers in informing the individuals involved if the damages from the data breach cannot be remediated.
5. Rights of data subjects. Consistent with the requirements of the PIPL, Zscaler assists its customers in fulfilling their obligations to allow data subjects to exercise their data protection rights, including rights of access, correction, and deletion of personal information.
6. Cross-border transfers. Zscaler is not a “critical information infrastructure operator” as defined under the Cybersecurity Law, so Zscaler is not subject to the data localization and transfer restrictions imposed on such operators. Zscaler is not currently subject to any other data localization requirements under Chinese law. The CAC’s standard contractual clauses for cross-border transfers of the personal information of Chinese residents took effect June 1, 2023, and Zscaler will enter into such clauses with its customers as necessary to comply with Chinese law.
7. Audits. Zscaler regularly undertakes data audits.
Because China’s data protection laws are still evolving, and further regulatory guidance from the Chinese authorities is anticipated in the months ahead, Zscaler will be carefully monitoring developments to ensure Zscaler remains compliant with China’s data protection requirements.
Helpful Links Regarding China Data Protection Laws
Text of the PIPL: http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml (in Chinese)
Text of the Cybersecurity Law: http://www.cac.gov.cn/2016-11/07/c_1119867116.htm (in Chinese)
NOTE: While this site is designed to help organizations understand China’s data protection laws in connection with Zscaler's services and products, the information contained herein should not be construed as legal advice, and organizations should consult with their own legal counsel with respect to interpreting their unique obligations under China’s data protection laws.
ZSCALER’S COMPLIANCE WITH CHINA’S DATA PROTECTION LAWS:
FREQUENTLY ASKED QUESTIONS
Updated September 14, 2023
With China’s adoption in 2021 of the Personal Information Protection Law (“PIPL”) and the Data Security Law (“DSL”), as well as its approval June 1, 2023 of standard contractual clauses for cross-border data transfers, China has created a data protection regime that bears many similarities to the EU’s GDPR. In important respects, however, China’s data protection laws are unique, and details regarding how these laws will be implemented and enforced are still evolving.
Zscaler is providing this document to answer frequently asked questions about how Zscaler complies with China’s data protection requirements and to assist Zscaler’s customers in assessing their own compliance when using Zscaler’s services in China.
1. Does Zscaler comply with the PIPL?
Yes. See this link for an overview of how Zscaler complies with the PIPL.
2. Is Zscaler a critical information infrastructure operator (“CIIO”)?
No, Zscaler is not a CIIO. CIIOs are organizations that operate infrastructure that might seriously endanger China’s national or public interests if damaged. Zscaler’s services do not meet the definition of CIIO under China’s Regulations on the Security Protection of Critical Information Infrastructure.
3. Is Zscaler subject to China’s data localization requirements?
No, Zscaler is not subject to any of China’s data localization laws or regulations. Data localization requirements apply to CIIOs and certain other special categories of operators; they are not applicable to Zscaler. Data localization requirements also may apply to controllers that process a certain quantity of Chinese personal data or that handle “important data.” Zscaler does not act as a controller in China, and so Zscaler would not be required to localize data based on any restrictions applicable to controllers.
4. Does a cross-border “transfer” occur when a customer uses Zscaler’s services with Chinese personal data?
When a Zscaler customer makes Chinese personal data available to Zscaler in connection with Zscaler’s services, it is likely that a “transfer” takes place under Chinese law.
China’s Guidelines for Data Cross-Border Transfer Security Assessment define a “transfer” to include (i) when data generated in China is stored outside of China, (ii) when a copy of data is provided to an individual or organization not under the jurisdiction of or not registered in China, or (iii) when data stored in China can be accessed and viewed by an individual or organization outside of China.
Since Zscaler at a minimum will have “access” to Chinese personal data as specified above, such access would appear to constitute a “transfer.”
5. What mechanism permits the transfer of Chinese personal data to Zscaler?
Similar to GDPR requirements, transfers of Chinese personal data abroad require that adequate safeguards are in place. The standard contractual clauses (“SCCs”) released by the Cyberspace Administration of China, effective June 1, 2023, provide an approved cross-border data transfer mechanism. However, they may only be used by a data exporter that satisfies all of the following conditions:
· Data exporter is not a CIIO.
· Data exporter has not processed personal data exceeding 1 million individuals.
· Data exporter has not made aggregated transfers of personal data exceeding 100,000 individuals since January 1 of the preceding year.
· Data exporter has not made aggregated transfers of sensitive personal data exceeding 10,000 individuals since January 1 of the preceding year.
In the case of any Zscaler customer that satisfies these conditions, Zscaler will enter into SCCs to permit the transfer of Chinese personal data to Zscaler. According to the regulations that accompanied the SCC release (“SCC Regulations”), similar to the EU SCCs, no changes to the China SCCs are permitted, although supplementary terms may be added if they do not conflict with the SCCs.
Note that, while the SCCs became effective June 1, 2023, there is a grace period of six months (ending on November 30, 2023) to take remedial actions for international data transfer activities and revise data transfer agreements to be based on the SCCs. Any new cross-border data transfer agreements entered into after June 1, 2023 must be based on the SCCs.
6. Will Zscaler assist its customers with the impact assessment required before entering into the SCCs?
Yes, Zscaler will. Under the SCC Regulations, the data exporter (in this case, Zscaler’s customer) must conduct an impact assessment and prepare an impact assessment report before entering into the SCCs. This report, together with the signed SCCs, must be filed with the provincial office of the Cyberspace Administration of China within 10 working days after the SCCs take effect. The impact assessment must consider such factors as:
· The validity, necessity and appropriateness of the data transfer;
· The obligations undertaken by the overseas recipient of the data, including the recipient’s technical and organizational measures to protect the data; and
· The data protection laws and regulations of the foreign destination countries.
Zscaler will provide its own transfer impact assessment and other documents and information reasonably necessary for its customers to satisfy their obligations to assess data transfers under the SCCs.
7. Does Zscaler process Chinese sensitive personal data?
No, Zscaler does not process any Chinese sensitive personal data.
The PIPL defines “sensitive personal data” as personal data that, once leaked or illegally used, can easily lead to the infringement of the personal dignity of natural persons or harm to personal or property safety. The PIPL’s examples overlap substantially with the “special categories” of personal data under GDPR Art. 9 (for example, biometric, religious and health data) and also extend to financial account information, location tracking data, and the personal data of minors under the age of 14.
No personal data that Zscaler processes in providing its services would fall within this definition of sensitive data.
8. Is Zscaler required to perform a security assessment under China’s data protection laws?
No, China’s data protection laws do not require Zscaler to perform a security assessment. The Cyberspace Administration of China only requires a security assessment for CIIOs, for exports of “important data,” and for data exporters that exceed the volume thresholds and therefore do not satisfy the conditions for using the SCCs as a cross-border data transfer mechanism.
9. Is Zscaler required to obtain any certifications?
No, Zscaler is not required to obtain any certifications in order to comply with China’s data protection laws. For data exporters that are not required to undergo the security assessment referred to in FAQ 8 above, certification by an accredited body is an alternative to the SCCs as a lawful mechanism for transferring Chinese personal data abroad; it does not replace the security assessment for exporters that exceed the SCC thresholds. Draft certification requirements were released by the Chinese government on March 16, 2023 for public feedback but have not yet been finalized.
NOTE: Zscaler is aware of the new Catalogue of Network Security Products that was issued by the Cyberspace Administration of China (CAC) and made effective on July 3, 2023 (the “Catalogue”). The Catalogue replaces the catalogue issued by the same regulators in 2017 and operates under the network security product certification and testing regime stipulated in the China Cybersecurity Law. Zscaler is reviewing the applicability of this Catalogue to its products and services. However, at this time, the CAC has not updated the implementation of the network product security certification and testing rules, including the procedure by which companies like Zscaler could apply for any such license. Zscaler will continue to monitor developments with its outside counsel in China.