
China - Federal

Summary

Law: There is no single, comprehensive personal data protection law. However, there are provisions related to personal data protection in several pieces of legislation; most notably the Cybersecurity Law 2016 which came into effect in 2017 (official Chinese version available here; unofficial English available here) ('the Cybersecurity Law').

Regulator: There are several authorities which regulate aspects of data protection. In particular, the Ministry of Industry and Information Technology ('MIIT') and the Cyberspace Administration of China ('the CAC').

Summary: China currently takes a patchwork approach to personal data protection, and relevant provisions are contained in several different laws and regulations. The Cybersecurity Law provides certain general requirements and there are also obligations relating to the processing of children's personal data stipulated in the regulations for the protection of children's personal information (only available in Chinese here). There are also numerous non-binding guidelines and standards, which provide best practice recommendations for the handling of personal data. The most notable of these is Standard GB/T 35273-2020 on Information Security Technology - Personal Information Security Specification. A proposed personal information protection law that is tabled to be discussed by the National People's Congress could harmonise the approach to the regulation of privacy.

In addition, a Data Security Law of the People's Republic of China (Draft) (only available in Chinese here) and Personal Information Protection Law (Draft) (only available in Chinese here) have been released by the National People's Congress of China. The Draft Data Security Law introduces data security requirements for data activities conducted within mainland China, while the Draft Personal Information Protection Law clarifies personal information processing rules, data subject rights, and the obligations of personal information processors, among other things. There is currently no specific timeline for when the draft Data Security Law or draft Personal Information Protection Law will be passed.

Insights

The Personal Information Protection Law of the People's Republic of China ('PIPL') sets out a comprehensive framework governing the protection of personal information. Under the PIPL and its implementation rules and standards, several characteristic assessment regimes are established which require personal information processors (a concept akin to controllers under the GDPR) to consider and evaluate a series of key factors that may affect data subjects' rights and public interests, before they export data outside of China or engage in certain types of data processing activities. James Gong, Partner at Bird & Bird, discusses some of the assessments, the circumstances under which they are necessary, and the factors which must be considered when carrying them out in this article.

Article 3(1) of the Personal Information Protection Law of the People's Republic of China ('PIPL') provides that the PIPL applies to the processing of personal information of natural persons within the territory of the Chinese Mainland. Yuan Lizhi, Duan Yu, and Wang Beining, of Jingtian & Gongcheng, clarify the definitions of personal information and processing before proceeding to discuss the application and scope of the PIPL in this insight.

The Cyberspace Administration of China ('CAC') released, on 14 November 2021, draft Regulations on Network Data Security Management ('the Draft Regulations'). The Draft Regulations regulate network data processing activities, ensure data security, and protect the rights and interests of data subjects and organisations, in accordance with the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law. This insight discusses the Draft Regulations and its key provisions.

Legal uncertainties have long been the biggest challenge for multinational companies in their data protection compliance in China. The Data Security Law ('DSL'), which became effective on 1 September 2021, and the Personal Information Protection Law ('PIPL'), which became effective on 1 November 2021, brought complexity to many issues as they referenced requirements under other laws and regulations. The situation is expected to improve since the Cyberspace Administration of China ('CAC') released, on 14 November 2021, its draft Network Data Security Management Regulations ('the Draft') and invited public comments. The Draft introduces quantitative criteria which will hopefully increase clarity with regard to data protection compliance in the future. Dr Michael Tan and Vera Lee, from Taylor Wessing, discuss the proposed quantitative criteria in this Insight.

Due to significant changes which are coming to China's data protection legal framework, organisations should carefully study how this new legislation compares to that of other jurisdictions with comprehensive data protection regulations in order to appropriately adapt their processing activities. In part two of this series, Dora Luo (Duoqun), Partner at Hunton Andrews Kurth LLP, discusses this with reference to the provisions of the Personal Information Protection Law ('PIPL') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), focusing on data protection principles, data subject rights, and data processor obligations.

Due to significant changes which are coming to China's data protection legal framework, organisations should carefully study how this new legislation compares to that of other jurisdictions with comprehensive data protection regulations in order to appropriately adapt their processing activities. In part one of this series, Dora Luo (Duoqun), Partner at Hunton Andrews Kurth LLP, discusses this with reference to the provisions of the Personal Information Protection Law ('PIPL') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), focusing on key definitions, jurisdictional scope, and legal grounds.

The Cyberspace Administration of China ('CAC') released, on 29 October 2021, draft Measures for Security Assessments of Outbound Data Transfers ('the Draft Measures'). The Draft Measures are intended to regulate outbound data transfers, protect rights and interests in relation to personal information, and promote the safe and free flow of data across borders, in accordance with the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, and other laws and regulations. OneTrust DataGuidance breaks down the key provisions of the Draft Measures.

The Personal Information Protection Law ('PIPL') was officially promulgated on 20 August 2021 and will take effect on 1 November 2021. Although the drafting of the PIPL was heavily influenced by the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), vendor management and legal liability are among those areas where the PIPL and the GDPR slightly diverge. Ziqing Zheng, Non-equity Partner at Zhong Lun Law Firm, considers the obligations under the PIPL relating to vendors and data controllers, as well as the legal liability requirements provided.

The Personal Information Protection Law ('PIPL') will become effective on 1 November 2021, which makes data protection compliance a focus for organisations operating in China, especially in relation to the lawfulness of processing and consent. Not only organisations that have never had a data protection compliance program, but also those whose operations are already aligned with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), will have to address the lawfulness of their processing under the PIPL. Dehao Zhang, Counsel at Fieldfisher China, discusses this area of the PIPL and its nuances.


The Personal Information Protection Law ('PIPL') introduces new requirements for most of the key areas of China's data protection framework. OneTrust DataGuidance answers some of the most commonly asked questions about the PIPL and its provisions.

While it is great that the Personal Information Protection Law ('PIPL') has been adopted, organisations should consider their new compliance obligations under the same, if they fall under Article 3 of the new legislation. Data localisation and data transfer obligations under the PIPL are of particular importance, and will no doubt impact the global data strategy of some international organisations as well as both data importers and exporters. Dehao Zhang, Counsel at Fieldfisher LLP, discusses this area and its nuances.

The Personal Information Protection Law ('PIPL') has set up an independent chapter dedicated to the rights of data subjects and the obligations that data handlers should fulfill when responding to data subjects' exercise of such rights. It is therefore necessary for data handlers to understand what statutory rights are granted to data subjects and what data handlers should do when facing the relevant compliance challenges under the PIPL. Carol Sun and Jeff Wang, from YuandaWinston China Law, outline data subject rights under the PIPL and what those handling data need to consider in order to remain compliant with data protection legislation.