On 30 December 2022, China Cybersecurity Industry Alliance (CCIA) released the final form of the Guidance on Social Responsibility of Data Security and Personal Information Protection (Guidance). The Guidance addresses data compliance, covering key requirements under the Data Security Law and the Personal Information Protection Law, on the "social" aspect of ESG. It will become effective from 1 February 2023.
Compared with the September draft, the final form does not contain many substantial changes, retaining a focus on the following five topics:
(1) organisational governance and management;
(2) compliance, innovation and value;
(3) fair operation, competition and cooperation;
(4) consumer rights protection; and
(5) participation in public welfare and social development.
The 24 sub-topics under these five topics are also largely the same (as described in our previous note here). However, a few changes are worth noting, including the introduction of a new appendix comprising a template report for data security and personal information protection social responsibility as a user-friendly tool to guide members on the practical preparation of their social responsibility reports.
The CCIA is an industry non-governmental organisation formed by institutions and enterprises in the cybersecurity industry and corporate users of cybersecurity products and services. Its members include household names like Baidu, Tencent, Alibaba and 360, among which Baidu and Tencent participated in the drafting of the Guidance. CCIA also receives "business guidance" and "supervision management" from the Network Security Coordination Bureau of the Cyberspace Administration of China, meaning that the standards it publishes normally comply with, if not strictly represent, the regulators' requirements.
In terms of the scope of application of the Guidance, we understand the Guidance only applies among CCIA members for the moment due to the nature of CCIA. CCIA has carried out a trial implementation of the Guidance and its corresponding evaluation activities among its members internally. The evaluation results will be published at a later stage to encourage CCIA members to carry out their social responsibilities. It remains to be seen how much more broadly the scope of application may be expanded in the future, as more businesses may consider using the Guidance to help further their ESG goals and practices.