Recently several companies inquired whether they are obligated to set up positions including cybersecurity officer, personal information protection officer and data security officer pursuant to PRC Cybersecurity Law, PRC Personal Information Protection Law and PRC Data Security Law, as well as the requirements and legal liabilities of these positions. Furthermore, several foreign invested enterprises have also offered to engage law firms or lawyers to hold these positions, as under the GDPR an external DPO is feasible.

We hereby compare among the aforesaid positions under PRC law and the DPO under the GDPR in the table below, from the perspectives of the responsibilities, mandatory positions or not, the requirements and possible personal legal liabilities.

The table above indicates the main characteristics of the aforesaid positions under the relevant laws:

1. Most enterprises as the network operator are obligated to appoint a cybersecurity officer. The definition of network operator is broad, including network owners, managers and network service providers.

2. Only enterprises that meet certain conditions are obligated to appoint a head of cybersecurity management, a personal information protection officer or a data security officer. In detail, the operator of a critical information infrastructure shall appoint a person in charge and set up a dedicated security management body; relevant national standards stipulate that the personal information handler who process personal information of more than 1 million persons or sensitive personal information of more than 100,000 persons shall designate a person in charge of personal information protection; processors of important data shall specify the person and the management body responsible for data security.

3. If relevant positions should be set up, failing so the enterprise may be imposed on administrative penalties such as warnings and a fine.  In detail, we have observed the cases in which enterprises were administratively sanctioned for not appointing the above-mentioned cybersecurity officer; the Personal Information Protection Law does not directly stipulate the legal consequences of failing to set up a personal information protection officer, while the enterprise may be deemed as failing to fulfill personal information protection obligations and therefore may assume the liabilities; the Data Security Law stipulates severe penalties for important data processors who fail to appoint the person and the management body responsible for data security.

4. These positions have certain requirements and generally external engagement may not be feasible. Relevant laws stipulate that the candidates of all the above positions should have professional knowledge and relevant work experience.  Although it is not specified directly, we tend to believe that these positions are not allowed to be hired externally, which is different from DPO.

5. If the enterprises violate relevant laws, the officers holding these positions of such enterprises may assume personal legal liabilities. While the relevant laws stipulate the administrative liabilities of illegal enterprises, they also provide that the direct head and other direct officers of the enterprise shall be subject to administrative penalties, such as fines. We tend to believe that the above positions are likely to be identified as "the direct head and other direct officers".

It can be seen from the above that enterprises meeting certain conditions should indeed set up relevant positions in accordance with the laws to meet the compliance requirements. Meanwhile, enterprises should carefully select competent candidates, considering that there are certain requirements for these positions and these positions may also face personal legal liabilities.  For individuals who hold these positions, the best way for them to avoid personal liabilities is to perform their duties correctly pursuant to relevant laws and regulations.

Due to space limitations, this article does not elaborate further.  If you are interested in this topic, we have prepared a detailed introduction of each of the above positions.  You are welcome to contact us for further information.