China - Federal

Summary

Law: Personal Information Protection Law ('PIPL') (Enforcement date of 1 November 2021)

Regulator: The Cyberspace Administration of China ('the CAC').

Summary: On 20 August 2021 China approved the PIPL, the first comprehensive data protection legislation in the region. The Law entered into effect on 1 November 2021 and established personal information processing rules, data subject rights, and obligations for personal information processors, among other things. In addition to the PIPL, the NPC has also approved, on 10 June 2021, the Data Security Law, which entered into effect on 1 September 2021. The Data Security Law regulates data processing activities associated with personal and non-personal data.

There are also provisions related to personal data protection in several other pieces of legislation, most notably the Cybersecurity Law 2016, which came into effect in 2017 ('the Cybersecurity Law') and provides certain general requirements, and the regulations for the protection of children's personal information (available only in Chinese), which contain obligations relating to the processing of children's personal data. In addition, there are numerous non-binding guidelines and standards which provide best practice recommendations for the handling of personal data. The most notable of these is Standard GB/T 35273-2020 on Information Security Technology - Personal Information Security Specification.

Insights

The long-awaited Standard Contractual Clauses of China ('China SCCs'), as referred to in Article 38 of the Personal Information Protection Law ('PIPL'), and the Regulations for the China SCCs ('the Regulations') were finally endorsed and released by the Cyberspace Administration of China ('CAC') on 24 February 2023.

The perception of the China SCCs as straightforward, simple template clauses that can simply be concluded as they are could lead in the wrong direction. The complexities ahead should not be underestimated, particularly for multinational companies. In this Insight, Dr. Michael Tan, Dr. Paul Voigt, Julian Sun, and Wiebke Reuter, from Taylor Wessing, share their long-term observations and thoughts on the China SCCs, as well as practical steps on how businesses can prepare.

On 24 February 2023, the Cyberspace Administration of China ('CAC') promulgated the Standard Contractual Measures for the Export of Personal Information ('the Measures'), which come into force on 1 June 2023 ('the Effective Date'), and to which the Personal Information Exit Standard Contract ('SCCs') was annexed.

In this Insight article, Samuel Yang, Chris Fung, and Monika Zhang, from AnJie Broad Law Firm, provide a high-level introduction to the content of the SCCs.

The State Administration for Market Regulation ('SAMR') and the Cyberspace Administration of China ('CAC') have jointly formulated and released the Rules for the Implementation of Personal Information Protection Certification. In fact, they decided to implement a personal information protection certification according to the Regulations of the People's Republic of China on Certification and Accreditation, with a view to encouraging personal information processors to improve their personal information protection capabilities through certification.

Dehao Zhang, Counsel at Fieldfisher LLP, unpacks the key elements of the certification, which, despite not being a mandatory obligation for organisations, provides another compliance approach for cross-border data transfers.

On 24 February 2023, the Cyberspace Administration of China ('CAC') released the Standard Contract Provisions for the Export of Personal Information ('the Standard Contract Provisions'). The Standard Contract Provisions are intended to implement Article 38(1)(3) of the Personal Information Protection Law ('PIPL') and provide for one of the lawful methods for the transfer of personal information outside of China. The Standard Contract Provisions contain a standard contract akin to Standard Contractual Clauses ('SCCs') and establish requirements for personal information processors, as well as overseas recipients, notably the obligation to carry out Data Protection Impact Assessments ('DPIAs'). OneTrust DataGuidance Research breaks down the Standard Contract Provisions.

On 16 December 2022, the National Information Security Standardization Technical Committee of China promulgated the guidelines for the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information v2.0 ('the revised Specification'), replacing the original specification enacted on 26 June 2022. The revised Specification provides implementation rules for one of the practical ways for lawfully conducting cross-border data processing activities, i.e. third-party certification. The revised Specification contains the applicable scenarios, ways to obtain certification, basic principles, basic requirements, and special requirements for securing data subjects' rights. Ziqing Zheng, Partner at Zhong Lun Law Firm, discusses the revised Specification and its content.

Part one of this series presents an overview of the Information Security Technology - Technical Requirements of Security Design for Cybersecurity Classification Protection (GB/T 25070-2019) ('the Security Design Requirements') and Part two of this series looks at the Information Security Technology - Implementation Guide for Classified Protection of Cybersecurity (GB/T 25058-2019) ('the 2019 Implementation Guide'). In this article, Todd Liao, Partner at Morgan, Lewis & Bockius LLP, provides an overview of MLPS 2.0, highlights key requirements under MLPS 2.0 and the Information Security Technology - Evaluation Requirements for Cybersecurity Classification Protection (GB/T 28448-2019) ('the Evaluation Requirements') in particular, and proposes recommendations for network operators in China.

On 16 December 2022, the National Information Security Standardisation Technical Committee of China ('TC260') released a revised version of the Practice Guidelines for Cybersecurity Standards - Technical Specification for the Certification of Cross-Border Processing of Personal Information ('the revised Certification Specification'), less than six months after issuing the first version of the Certification Specification.

In this article, James Gong, Partner at Bird & Bird, highlights the key provisions of the revised Certification Specification, with concluding thoughts on the impact of the same, especially in comparison to the draft Personal Information Export Standard Contract ('the draft Standard Contract').

On 30 August 2019, the State Administration for Market Regulation ('SAMR') and the Standardization Administration of the People's Republic of China ('SAC') jointly released the Information Security Technology - Implementation Guide for Classified Protection of Cybersecurity (GB/T 25058-2019) ('the 2019 Implementation Guide') to provide business operators with guidance on how to implement the Multi-layered Protection Scheme ('MLPS') in practice. This recommended national standard became effective on 1 March 2020. Part one of this series presents an overview of the Information Security Technology - Technical Requirements of Security Design for Cybersecurity Classification Protection (GB/T 25070-2019). In part two, Dr. Annie Xue, Partner at GEN Law Firm, provides a brief overview of the standard-making background, the highlights of the 2019 Implementation Guide, and the potential legal consequences in case of violation.

Since its initial adoption in 1994, the Multi-Level Protection Scheme ('MLPS') has long served as a cornerstone of China's cyberspace regulatory regime. In part one of this series looking at each of the four standards under MLPS 2.0, Kevin Duan, Kemeng Cai, and Jin Jin, from Han Kun Law Offices, provide an overview of the Information Security Technology - Technical Requirements of Security Design for Cybersecurity Classification Protection (GB/T 25070-2019) ('the Security Design Requirements').

The Cybersecurity Law ('CSL'), the Data Security Law ('DSL') and the Personal Information Protection Law ('PIPL'), which have been promulgated and implemented in the past few years, constitute the basic framework of China's cybersecurity and data protection legal regime. These laws significantly impacted many companies' business operations and legal compliance work. All three laws have provisions that put forward general principles regarding outbound data transfer and require a security assessment for outbound data transfer ('the Security Assessment') by the Chinese authorities in certain situations.

In light of this, on 7 July 2022, the Cyberspace Administration of China ('CAC') issued the Measures for the Security Assessment of Data Exports ('the Measures'), which elaborated and expanded on the general principles of security assessment for outbound data transfer as stipulated by the three laws. The Measures came into effect on 1 September 2022, right after the CAC issued the Guidelines for Data Export Security Assessment Declaration (1st edition) ('the Guidelines') on 31 August 2022, which provide detailed guidance on how data processors should apply for the security assessment and carry out the related preparations. Generally speaking, the Measures and the Guidelines pose significant challenges for businesses that must apply for the security assessment. Samuel Yang and Hanxuan Yang, from AnJie Law Firm, analyse some common obstacles and challenges faced by data exporters and propose some possible countermeasures.

On 31 August 2022, hours before the Security Assessment Measures for Cross-border Data Transfer ('the Measures') officially came into effect, the Cyberspace Administration of China ('CAC') released the Guidelines on Application for Security Assessment for Cross-border Data Transfer (First Edition) ('the Guidelines'), which reiterate the application scope and the data export assessment procedures under the Measures and also outline in detail the documents to be submitted for such procedures. A long-awaited structural template for the self-assessment report was issued at the same time. This provides a much clearer picture for companies to follow in order to legally share and transfer data across the border of the People's Republic of China ('PRC'). The Measures set an explicit deadline (i.e. by the end of February 2023) for companies to fulfil their legal obligations, including the assessment. As preparation for the required formalities could become quite complicated in practice due to the (unfortunately still remaining) vagueness and ambiguity of these requirements, it is recommended to start preparing immediately to avoid potential compliance exposure. Dr. Michael Tan, Julian Sun, and Kyle Tong, from Taylor Wessing LLP, summarise some highlights as follows for your easier reference.

Relevant Chinese data protection supervisory authorities, including the Cyberspace Administration of China ('CAC'), the Ministry of Industry and Information Technology ('MIIT'), and the National Information Security Standardisation Technical Committee ('TC260'), have all been very active with issuing a range of guidelines, measures, and provisions relating to data protection and cybersecurity. Generally, the applicable publications supplement laws such as the Personal Information Protection Law ('PIPL') and the Data Security Law ('DSL') by providing further detail regarding the mechanisms and processes outlined in the legislation. In order to help companies keep up-to-date with the latest guidance, OneTrust DataGuidance has summarised the relevant publications issued in the past year, including any draft documents.