China

Summary

Law: Personal Information Protection Law ('PIPL') (Enforcement date of 1 November 2021)

Regulator: The Cyberspace Administration of China ('the CAC').

Summary: On 20 August 2021 China approved the PIPL, the first comprehensive data protection legislation in the region. The Law entered into effect on 1 November 2021 and established personal information processing rules, data subject rights, and obligations for personal information processors, among other things. In addition to the PIPL, the NPC has also approved, on 10 June 2021, the Data Security Law, which entered into effect on 1 September 2021. The Data Security Law regulates data processing activities associated with personal and non-personal data.

There are also provisions related to personal data protection in several other pieces of legislation; most notably the Cybersecurity Law 2016 ('the Cybersecurity Law'), which came into effect in 2017 (available in an official Chinese version and an unofficial English version) and provides certain general requirements, and the regulations for the protection of children's personal information (only available in Chinese), which contain obligations relating to the processing of children's personal data. In addition, there are numerous non-binding guidelines and standards, which provide best practice recommendations for the handling of personal data. The most notable of these is Standard GB/T 35273-2020 on Information Security Technology - Personal Information Security Specification.

Insights

Following the Personal Information Protection Law ('PIPL') coming into effect, most organisations, especially those international companies who conduct business in China, have enthusiastically complied with the PIPL. However, some articles of PIPL are very high level and general, which may need to be supplemented by further guidance from legislators or data protection authorities in China. For example, some requirements seem impractical, such as those regarding data localisation, data transfers, and data protection officer ('DPO') requirements, which may cause misunderstanding or difficulty for compliance efforts. Dehao Zhang, Counsel at Fieldfisher, provides some practical advice to help organisations stay compliant.

On 29 April 2022, the National Information Security Standardisation Technical Committee of China released, for public consultation, draft guidelines on the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information ('the Draft Specification'). The Draft Specification intends to provide implementation rules for one of the methods of lawfully conducting cross-border data processing activities, i.e. third party certification. The Draft Specification contains the applicable scenarios, ways to obtain certification, basic principles, basic requirements, and special requirements for securing data subjects' rights. Ziqing Zheng, Partner at Zhong Lun Law Firm, discusses the Draft Specification and its content.

In China, the federal legislation is only part of the picture, with knowledge of recent regional laws also necessary for a full understanding of the data privacy landscape across the country. OneTrust DataGuidance provides an overview of various developments in this area.

Except for the Civil Code of the People's Republic of China ('the Civil Code'), China has three main laws governing data processing activities, namely Personal Information Protection Law ('PIPL'), effective as of 1 November 2021, Data Security Law ('DSL'), effective as of 1 September 2021, and the Cybersecurity Law 2016 ('CSL'), effective as of 1 June 2017. These three laws together govern most data protection matters in China and, in some situations, outside of China, and constitute the data protection framework together with the Civil Code, making data protection a strict regulatory area in China. Dehao Zhang, Counsel at Fieldfisher China, discusses the interplay between the PIPL, the DSL, and the CSL.

Despite the Personal Information Protection Law ('PIPL') having been in force since 1 November 2021, a number of matters in relation to the operation of the PIPL remain unclear. Dehao Zhang, Counsel at Fieldfisher, provides answers to some outstanding questions regarding the operation of the PIPL.

The National People's Congress of the People's Republic of China ('NPC') announced, on 20 August 2021, the adoption of the Personal Information Protection Law of the People's Republic of China ('PIPL'). In Part 3 of this series, OneTrust DataGuidance discusses individual rights and enforcement. 

The National People's Congress of the People's Republic of China ('NPC') announced, on 20 August 2021, the adoption of the Personal Information Protection Law of the People's Republic of China ('PIPL'). In Part 2 of this series, OneTrust DataGuidance discusses the controller obligations which are key to ensuring compliance.

The National People's Congress of the People's Republic of China ('NPC') announced, on 20 August 2021, the adoption of the Personal Information Protection Law of the People's Republic of China ('PIPL'). In Part 1 of this series, OneTrust DataGuidance discusses the PIPL and some of its provisions.

The Cyberspace Administration of China ('CAC') issued, on 4 January 2022, the Internet Information Service Algorithm Recommendation Management Regulations ('the Regulations') following approval by the Ministry of Industry and Information Technology, the Ministry of Public Security, and State Administration for Market Regulation. The Regulations entered into force on 1 March 2022. OneTrust DataGuidance breaks down key provisions of the Regulations, featuring insights from Julian Sun, Associate at Taylor Wessing.

The processing of children's personal data, from collection to destruction, generally carries with it special considerations. Indeed, the level of protection afforded to children is often higher, due in part to their capacity to understand the consequences of providing their information and the potential risks associated with their use or misuse. In part one of this series, OneTrust DataGuidance considers the rules in the APAC region which govern children's personal data, featuring perspectives from Australia, China, India, and Japan.

For insight into handling children's personal data in New Zealand, the Philippines, and Singapore, please see part two here.

The global COVID-19 pandemic has posed, and still poses, many challenges in the context of employment, one of which is the rapidly changing requirements in terms of privacy, data protection, and disclosure of employees' vaccination status. This Insight series looks across a variety of countries with regard to which information employers can collect, outlining the local requirements in Australia, New Zealand, and Singapore in part one and in China, Japan, India, and Russia in part two.

The Cyberspace Administration of China ('CAC') announced, on 4 January 2022, that it along with 12 other departments had revised the Cybersecurity Review Measures ('the Measures'). The Measures were approved at the 20th meeting of the CAC on 16 November 2021 and entered into effect on 15 February 2022. OneTrust DataGuidance breaks down the key provisions, obligations, and procedure of the Measures.