LEGISLATION STRUCTURE - Privacy Rules


Posted on 11-Aug-2020


1. LEGISLATION STRUCTURE

Russia: One Federal Law on Personal Data applies to all data processing operations. Specific rules regarding employee data, financial institutions, IT security, and some other issues are specified in several other regulatory acts.

China: legislation hierarchy (from highest to lowest): Cybersecurity Law; Regulations; National Standards.

The fundamental law in the Chinese legislation structure, and the one with the highest legislation hierarchy, is the Cybersecurity Law, which is supplemented by a series of regulations issued by the State Council and Ministries, and by national standards. Subject matter covered: Personal Information & Important Data.

China's legislation on cybersecurity establishes a number of new legal systems and sets up several new obligations for enterprises, which mainly include:

- the multi-level protection scheme for cyber security;
- a series of cyber security protection obligations for network operators;
- obligations on the identification of critical information infrastructure ("CII") and its cyber security protection;
- protection of personal information and user information;
- data localization and security assessment of cross-border data transfer;
- security examination of network products and services; and
- the Catalog of Key Network Equipment and Specific Network Safety Products and the system of security certification and security examination.

Pursuant to the above legal requirements, non-compliant business operations of network operators or big data companies may result in civil infringement liability, administrative sanctions and even criminal liabilities.

2. APPLICABLE SCOPE

Russia:

- The Russian Personal Data Law applies to data operators.
- The data operator, alone or jointly with others, organizes and/or conducts personal data processing, and determines the purposes of processing, the scope of processed data and the actions (operations) performed with personal data.

China:

- Critical Information Infrastructure Operator: Critical Information Infrastructure (CII) refers to the critical information infrastructure in important industries and sectors such as public communications, information service, energy, transport, water conservancy, finance, public service and e-government, and other critical information infrastructure that, once damaged, disabled or its data disclosed, may severely threaten national security, the national economy, people's livelihood and public interests.
- Network Operator: network owner, administrator and service provider.

3. DEFINITION OF PERSONAL DATA

Russia: Personal data means any information relating to a directly or indirectly identified or identifiable natural person (the data subject).

One-size-fits-all approach.

China:

- Cybersecurity Law: Personal information refers to various information which is recorded in electronic or any other form and used alone or in combination with other information to identify a natural person.
- Personal Information Security Specification (National Standard): Personal Information refers to all information that is recorded electronically or otherwise and can be used solely or in combination with other information to identify a natural person or reflect the activities of certain natural persons.

3. DEFINITION OF PERSONAL DATA (sensitive data)

Russia, sensitive data:

- race
- ethnic origin
- political views
- religious beliefs and philosophical views
- state of health
- intimacy
- convictions

China, personal sensitive information: the personal information that, once leaked, unlawfully provided or abused, may cause harm to personal or property security, or is very likely to result in damage to an individual's personal reputation or physical or mental health, or give rise to discriminatory treatment:

- identification card numbers
- personal biometric information
- bank accounts
- records and content of communications
- property information
- credit reference information
- whereabouts and tracks
- hotel accommodation information
- information concerning health and physiology
- transaction information
- personal information of children under the age of 14

3. RULES FOR COLLECTION AND USE OF PERSONAL INFORMATION (China)

Basic principle: informed consent. Network operators, when collecting or using personal information, shall ensure such information is legal, justified and necessary, declare collection and use rules, notify the purpose, method and scope, and seek user consent.

Exceptions: no informed consent is needed where the collection and use are

- in relation to the performance of legal obligations by the personal information subject;
- in direct relation to State security or national defense security;
- in direct relation to public security, public sanitation, or major public benefits;
- in direct relation to investigations into crimes, prosecutions, court trials, execution of rulings, etc.;
- for the sake of safeguarding significant legal rights and interests, such as the life and property, of personal information subjects or other individuals, where it is difficult to obtain their consent;
- of information voluntarily published by personal information subjects to the general public;
- necessary for executing and performing contracts as required by personal information subjects;
- of information collected from information that has been legally and publicly disclosed;
- necessary for ensuring the safe and stable operation of the personal information controller's products or services;
- conducted by a news agency being the personal information controller and necessary for releasing news reports in a legal manner;
- conducted by an academic institute being the personal information controller and necessary for conducting statistical programs or academic research for the sake of the general public, where the information is subject to de-identification when these results are announced to the general public.

3. DEFINITION OF IMPORTANT DATA (China)

Important data refers to data that, if divulged, may directly affect national security, economic security, social stability and public health and security, such as undisclosed government information, large-scale population data, genetic health data, geography and mineral resources, etc. Important data shall usually not include information related to the production, operation and internal management of enterprises, or personal information, etc.

Industries or categories that may involve important data include without limitation:

- Oil and gas: information regarding pricing, production volume, sales volume
- Coal: basic industry information, information regarding purchase, production, sales and investment in the industry
- Petroleum and chemical: economic and technical indexes in the industry planning, annual import planning
- Electricity: coal or water consumption by power plants, operation information of electrical power systems
- Steel: prediction and monitoring of the steel industry, information on the advanced steel needed for the State economy
- Finance: development plans for new products, customer lists, internal security regulations
- Credit reporting: effective court rulings and enforcement of the same, default records

4. DATA LOCALIZATION REQUIREMENT

Russia: Data operators must ensure that the recording, systematization, accumulation, storage, change and extraction of personal data of Russian citizens are carried out using data centers located in the territory of the Russian Federation in the course of collecting the relevant personal data of individuals, including via the Internet (with several exceptions).

China:

- Cybersecurity Law: The CIIO shall store within the territory of China personal information and important data collected and generated during its operation within the territory of China.
- Measures for the Security Assessment of Personal Information and Important Data to be Transmitted Abroad (Exposure Draft): Personal information and important data collected and generated by network operators during their operations in China should be stored within China.

4. DATA LOCALIZATION REQUIREMENT (Russian law)

Diagram (recovered from the slide): personal data of a Russian citizen is first saved to a local DB hosted at the Russian office ("First, save all Russian data here"); the data is then extracted from the local DB and copied to the main hosting at the Head Office, where the actual processing takes place. The location of the local DB is specified in the data processing notice (Roscomnadzor).

4. DATA LOCALIZATION REQUIREMENT (China: special business data)

In addition to personal information and important data, there are localization requirements for special business data, including without limitation:

- credit data
- personal financial information
- map data
- essential technical equipment required for online publication services
- data and information related to car-hailing services
- health information
- insurance data, fiscal data

5. CROSS-BORDER DATA FLOWS

Russia:

Adequacy decision:

- Parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108)
- Other countries shortlisted by the Russian Data Protection Authority (Roscomnadzor), such as South Korea, Japan, Australia, etc.

No adequacy decision: all other countries, including China and the US.

China: security assessment.

- Measures for Security Assessment for Cross-border Transfer of Personal Information (Draft for Comment): Before the cross-border transfer of personal information, network operators shall apply to the local cyberspace administrations at the provincial level for a security assessment of the cross-border transfer of personal information.
- Administrative Measures on Data Security (Exposure Draft): Network operators shall assess the potential security risks prior to releasing, sharing or selling important data or transferring such data abroad, and shall report to the competent regulatory department for approval. If the competent regulatory department is unclear, network operators shall report to the cyberspace administrations at the provincial level for approval.

5. DATA FLOW (Russia)

Under Russian law, cross-border transfer is possible on the ground of a written consent of the data subject or a derogation.

Derogations:

- performance of a contract to which a data subject is a party;
- when so prescribed by international treaties;
- when so prescribed by Russian laws (public security, transportation security, etc.);
- protection of life, health and other vital interests of a data subject or any other person if it is impossible to obtain his/her consent in writing.

No standard contractual clauses or similar safeguards.

5. DATA FLOW (China: security assessment procedure)

Diagram (recovered from the slide): the Network Operator applies to the Provincial Cyberspace Authority; the Provincial Cyberspace Authority notifies the conclusion to the network operator and reports the conclusion to the State Cyberspace Authority; the conclusion may be appealed in case of disagreement.

Application materials:

1. the application form;
2. the contract executed between the network operator and the receiver;
3. a report analyzing the security risks of the contemplated transfer and the security measures implemented;
4. any other materials required by the state cyberspace authority.

Focus of the assessment:

1. Does the transfer comply with relevant State laws, regulations and policies?
2. Can the contract terms fully protect the rights of the personal information subjects concerned?
3. Can the contract be effectively carried out?
4. Whether the network operator or receiver has a history of infringing on the rights of personal information subjects or has had a major cybersecurity incident in the past.
5. Whether the network operator obtained the personal information at issue in a legal and legitimate manner.
6. Any other matters to be assessed.

The security assessment is to be completed within 15 working days and may be extended in complicated cases.

6. LIABILITY

China: illegally providing network data overseas.

- Administrative fines on the company and responsible persons:
  - a fine of no less than CNY 50,000 but no more than CNY 500,000;
  - as for the persons directly in charge or other directly responsible persons, a fine of no less than CNY 10,000 but no more than CNY 100,000 shall be imposed;
  - suspension of the relevant business, stopping business for rectification, closing down the website, or revoking the relevant business permits or business licenses.

Russia:

- Administrative fines on the company and responsible managers (CEO, DPO, etc.); in most cases around EUR 1,000 or less.
- New fines for breaching the database localization requirement:
  - first-time breach: up to approx. EUR 85,000 on the company and/or up to approx. EUR 3,000 on the responsible manager;
  - repeated breach: up to approx. EUR 255,000 on the company and/or up to approx. EUR 11,000 on the responsible manager.
- Civil and criminal actions are possible in certain cases.

6. LIABILITY (China)

Administrative punishment:

- rectification;
- warning;
- penalty (against the entity and the individual), up to 10 times the illegal income or RMB 1,000,000;
- detention;
- winding up for rectification;
- cessation of business operation (including shutdown of the website, suspension of the concerned system, cessation of system updates, suspension of user registration);
- revocation of business license.

Criminal liabilities: infringement of citizens' personal information.

- Illegally obtaining, selling or providing more than 50 pieces of information on whereabouts, communication, credit information or property information;
- Illegally obtaining, selling or providing more than 500 pieces of accommodation information, communication records, health and physiological information, transaction information or other personal information that may affect personal and property safety;
- Illegally acquiring, selling or providing more than 5,000 pieces of personal information other than the personal information listed above.

GORODISSKY & PARTNERS: 14 OFFICES IN RUSSIA AND UKRAINE

Map (recovered from the slide): Moscow, St. Petersburg, Krasnodar, Kazan, Ekaterinburg, Perm, Kiev, Samara, N. Novgorod, Tekhnopark "Sarov", Vladivostok, Dubna, Novosibirsk, Ufa.

430 professionals. Practicing since 1959.

Stanislav Rumyantsev, PhD, CIPP/E
Senior Lawyer, Gorodissky & Partners
Phone: +7 (495) 937-6116; Fax: +7 (495) 937-6104; Email: [email protected]

Introduction of Zhong Lun

Founded in 1993, Zhong Lun is one of the largest law firms providing a complete spectrum of legal services in China. Zhong Lun, with over 450 partners and over 3000 professionals working in fifteen offices in Beijing, Shanghai, Shenzhen, Guangzhou, Wuhan, Chengdu, Chongqing, Qingdao, Hangzhou, Tokyo, Hong Kong, London, New York, Los Angeles and San Francisco, is capable of providing its clients with high-quality legal services across a wide range of fields by virtue of appropriate specialization and close teamwork.

Zhong Lun's Credentials

- Beijing Law Firm of The Year, Managing Partner of The Year (Asian Legal Business China Law Awards 2019)
- The PRC Firm with the most practice areas and lawyers recommended (Chambers Asia Pacific 2019)
- Dispute Resolution - PRC Law Firm of the Year (Chambers Asia-Pacific Awards 2019)
- Zhong Lun has been the PRC law firm with the most practice areas and lawyers recommended, as well as the most practice areas rated Band 1 by Chambers, for many consecutive years. In the latest rankings, Zhong Lun has 28 practice areas obtaining rankings, of which 18 have received Band 1 recommendations, and 57 lawyers have been rated leading lawyers (Chambers Asia Pacific, 2018)
- Dispute Resolution China PRC Law Firm of the Year (Chambers, 2017)
- Corporate and Finance - PRC Law Firm of the Year (Chambers, 2015)
- Zhong Lun highly recommended in 7 practice areas: Capital Markets, M&A, Project Development, Private Equity, Banking and Finance, Competition, Investment Funds (IFLR1000, 2018)
- National Law Firm of the Year (IFLR, 2015 & 2017)
- Zhong Lun highly recommended as Top Tier Firm in 11 practice areas: Real Estate and Construction, Private Equity/Venture Capital, Corporate and M&A, Banking and Finance, Dispute Resolution, Intellectual Property, WTO/International Trade, Antitrust and Competition, Projects and Energy, Labor and Employment, TMT (The Legal 500 Asia Pacific, 2018)

Lu (Sophia) HAN, Senior Lawyer, Zhong Lun Law Firm

Education Background: Masters of Laws & Bachelor of Science

Practice Area: Data Protection, Cybersecurity, IT, Advertising, Inbound and Outbound Investment, Antitrust, Anti-unfair Competition

Professional Qualifications: Bar admissions in PRC

Working Languages: Chinese, English

Representative Matters:

- Advised Swiss Reinsurance Company Ltd. on data protection, data cross-border transfer, cybersecurity and cloud computing issues
- Advised Softbank on legal due diligence regarding data protection and cybersecurity
- Advised Tencent on data compliance and cyber security compliance issues
- Advised Cisco on cyber security compliance and value-added telecom compliance issues
- Advised Microsoft on data compliance and cyber security compliance issues
- Advised Oracle on data compliance and value-added telecom compliance issues
- Advised AT&T on telecom compliance and data protection issues
- Advised P&G on personal information collection, data transfer and data processing issues
- Advised Epson on data protection, cross-border data transfer and cybersecurity issues
- Advised British Telecom on commercial encryption regulatory issues, telecom licensing, and corporate matters in China
- Advised McDonald on data protection compliance issues
- Advised Toyota on data protection, data compliance audit and privacy policy issues

Tel: +86 10 5780 8466; Fax: +86 10 6568 1022; Email: [email protected]