China

Summary

Law: Personal Information Protection Law ('PIPL') (enforcement date: 1 November 2021)

Regulator: The Cyberspace Administration of China ('the CAC').

Summary: On 20 August 2021, China approved the PIPL, the first comprehensive data protection legislation in the region. The Law entered into effect on 1 November 2021 and established, among other things, personal information processing rules, data subject rights, and obligations for personal information processors. In addition to the PIPL, the National People's Congress ('NPC') also approved, on 10 June 2021, the Data Security Law, which entered into effect on 1 September 2021. The Data Security Law regulates data processing activities associated with both personal and non-personal data.

There are also provisions related to personal data protection in several other pieces of legislation, most notably the Cybersecurity Law 2016, which came into effect in 2017 (an official Chinese version and an unofficial English translation are available) ('the Cybersecurity Law') and which sets out certain general requirements, and the regulations for the protection of children's personal information (available only in Chinese), which stipulate obligations relating to the processing of children's personal data. In addition, there are numerous non-binding guidelines and standards which provide best practice recommendations for the handling of personal data. The most notable of these is Standard GB/T 35273-2020 on Information Security Technology - Personal Information Security Specification.

Insights

Relevant Chinese data protection supervisory authorities, including the Cyberspace Administration of China ('CAC'), the Ministry of Industry and Information Technology ('MIIT'), and the National Information Security Standardisation Technical Committee ('TC260'), have all been very active in issuing a range of guidelines, measures, and provisions relating to data protection and cybersecurity. Generally, these publications supplement laws such as the Personal Information Protection Law ('PIPL') and the Data Security Law ('DSL') by providing further detail regarding the mechanisms and processes outlined in the legislation. To help companies keep up to date with the latest guidance, OneTrust DataGuidance has summarised the relevant publications issued in the past year, including any draft documents.

On 26 May 2022, the National Information Security Standardisation Technical Committee ('TC260') released, for public consultation, the draft Requirement for Privacy Agreement of Information Security Technology Internet Platforms and Product and Services ('the Draft Requirements'). The Draft Requirements provide an in-depth picture of the content of privacy policies, the methods by which they are made accessible, and the procedures for updating them. OneTrust DataGuidance Research provides an overview of the key developments contained within the Draft Requirements.

As an important part of China's enhanced cybersecurity regulatory regime, the Multi-Level Protection Scheme ('MLPS') is not a new concept and can be dated back to multiple administrative rules issued in 1994 and 2007 (generally known as the MLPS 1.0 rules), under which a network operator is required to classify its information systems into five levels and adopt cybersecurity measures appropriate to each level. Barbara Li, Partner at PwC Mainland China and Hong Kong, discusses the updated MLPS 2.0 and its requirements.

On 30 June 2022, the Cyberspace Administration of China ('CAC') released the long-awaited draft Personal Information Export Standard Contract ('the Standard Contract'), together with the draft Rules on the Standard Contract ('the Rules'). An analysis of the application and requirements of the Standard Contract to a business' cross-border data transfer strategy is critical as signing a Standard Contract is anticipated to be the most popular approach enabling international transfers of personal information out of mainland China. Alex Roberts and Yang Fan, from Linklaters, and Tiantian Ke, from Zhao Sheng Law Firm, look at key aspects of the latest draft of the Standard Contract and draw comparisons with the EU 2021 Standard Contractual Clauses ('the EU SCCs').

On 30 June 2022, the Cyberspace Administration of China ('CAC') released the Standard Contract Provisions for the Export of Personal Information (Draft for Comment) ('the Draft Standard Contract Provisions'). The Draft Standard Contract Provisions are intended to implement Article 38(1)(3) of the Personal Information Protection Law ('PIPL') and provide for one of the lawful methods for the transfer of personal information outside of China. The Draft Standard Contract Provisions contain a standard contract akin to Standard Contractual Clauses ('SCCs') and establish requirements for personal information processors as well as overseas recipients. In part two, OneTrust DataGuidance Research examines the standard contract provisions provided by the CAC.

The Cyberspace Administration of China ('CAC') has adopted the Measures for Security Assessment of Data Exports ('the Measures'), which makes the data transfer mechanism under Article 38(1) of the Personal Information Protection Law ('PIPL') an effective mechanism for critical information infrastructure operators ('CIIOs') and organisations that meet the threshold of the CAC. As required by the Measures, such CIIOs and organisations have six months to comply with its requirements and assess their data transfer practices in relation to the Measures, which creates urgent work for the privacy teams in such organisations. Dehao Zhang, Counsel at Fieldfisher China, discusses the Measures and their requirements.

Since the Personal Information Protection Law ('PIPL') came into force on 1 November 2021, the Standard Contractual Clauses ('SCCs') for cross-border data transfers referred to in Article 38 of the PIPL have been pending. This puts companies in a very tricky position, wherein they have a statutory obligation to follow the SCCs while no such SCCs are available. Fortunately, this will change soon. On 30 June 2022, the Cyberspace Administration of China ('CAC') presented to the public a draft of the prescribed format for SCCs under the PIPL. The deadline for public comments is 29 July 2022, meaning that the SCCs are likely to be officially launched very soon. Dr. Michael Tan, Julian Sun, and Kyle Tong, from Taylor Wessing LLP, discuss the draft SCCs and their importance.

On 30 June 2022, the Cyberspace Administration of China ('CAC') released the Standard Contract Provisions for the Export of Personal Information (Draft for Comment) ('the Draft Standard Contract Provisions'). The Draft Standard Contract Provisions are intended to implement Article 38(1)(3) of the Personal Information Protection Law ('PIPL') and provide for one of the lawful methods for the transfer of personal information outside of China. The Draft Standard Contract Provisions contain a standard contract akin to Standard Contractual Clauses ('SCCs') and establish requirements for personal information processors as well as overseas recipients, notably the obligation to carry out Data Protection Impact Assessments ('DPIAs'). OneTrust DataGuidance Research breaks down the Draft Standard Contract Provisions, featuring expert insights from Dehao Zhang, Counsel at Fieldfisher China.

On 26 June 2022, the National Information Security Standardization Technical Committee of China promulgated its guidelines on the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information ('the Specification'). The Specification provides implementation rules for one of the methods of lawfully conducting cross-border data processing activities, i.e. third party certification. The Specification contains the applicable scenarios, ways to obtain certification, basic principles, basic requirements, and special requirements for securing data subjects' rights. Ziqing Zheng, Partner at Zhong Lun Law Firm, discusses the Specification and its content.

Since the Personal Information Protection Law ('PIPL') came into effect, most organisations, especially international companies that conduct business in China, have worked enthusiastically to comply with it. However, some articles of the PIPL are very high level and general and may need to be supplemented by further guidance from legislators or data protection authorities in China. For example, some requirements seem impractical, such as those regarding data localisation, data transfers, and data protection officers ('DPOs'), which may cause misunderstanding or difficulty in compliance efforts. Dehao Zhang, Counsel at Fieldfisher, provides some practical advice to help organisations stay compliant.

In China, national legislation is only part of the picture; knowledge of recent regional laws is also necessary for a full understanding of the data privacy landscape across the country. OneTrust DataGuidance provides an overview of various developments in this area.

Apart from the Civil Code of the People's Republic of China ('the Civil Code'), China has three main laws governing data processing activities, namely the Personal Information Protection Law ('PIPL'), effective as of 1 November 2021, the Data Security Law ('DSL'), effective as of 1 September 2021, and the Cybersecurity Law 2016 ('CSL'), effective as of 1 June 2017. These three laws together govern most data protection matters in China and, in some situations, outside of China, and, together with the Civil Code, constitute the data protection framework, making data protection a strictly regulated area in China. Dehao Zhang, Counsel at Fieldfisher China, discusses the interplay between the PIPL, the DSL, and the CSL.