China - Federal

Summary

Law: There is no single, comprehensive personal data protection law. However, there are provisions related to personal data protection in several pieces of legislation, most notably the Cybersecurity Law 2016, which came into effect in 2017 (official Chinese version available here; unofficial English available here) ('the Cybersecurity Law').

Regulator: There are several authorities which regulate aspects of data protection, in particular the Ministry of Industry and Information Technology ('MIIT') and the Cyberspace Administration of China ('the CAC').

Summary: China currently takes a patchwork approach to personal data protection, and relevant provisions are contained in several different laws and regulations. The Cybersecurity Law provides certain general requirements and there are also obligations relating to the processing of children's personal data stipulated in the regulations for the protection of children's personal information (only available in Chinese here). There are also numerous non-binding guidelines and standards, which provide best practice recommendations for the handling of personal data. The most notable of these is Standard GB/T 35273-2020 on Information Security Technology - Personal Information Security Specification. A proposed personal information protection law that is tabled to be discussed by the National People's Congress could harmonise the approach to the regulation of privacy.

In addition, a Data Security Law of the People's Republic of China (Draft) (only available in Chinese here) and a Personal Information Protection Law (Draft) (only available in Chinese here) have been released by the National People's Congress of China. The Draft Data Security Law introduces data security requirements for data activities conducted within mainland China, while the Draft Personal Information Protection Law clarifies personal information processing rules, data subject rights, and the obligations of personal information processors, among other things. There is currently no specific timeline for when the draft Data Security Law or draft Personal Information Protection Law will be passed.

Insights

The Personal Information Protection Law ('PIPL') has set up an independent chapter dedicated to the rights of data subjects and the obligations that data handlers should fulfill when responding to data subjects' exercise of such rights. It is therefore necessary for data handlers to understand what statutory rights are granted to data subjects and what data handlers should do when facing the relevant compliance challenges under the PIPL. Carol Sun and Jeff Wang, from YuandaWinston China Law, outline data subject rights under the PIPL and what those handling data need to consider in order to remain compliant with data protection legislation.

China's Personal Information Protection Law ('PIPL') was first introduced in October 2020. Following two rounds of public comments, the finalised version was approved on 20 August 2021 by the National People's Congress ('NPC') and is set to enter into effect on 1 November 2021. Across the three drafts, notable changes were made, including a right to data portability and enhanced protections for minors. OneTrust DataGuidance highlights the key differences between the three versions.

The Data Security Law of the People's Republic of China ('DSL') was passed on 10 June 2021 by the 29th meeting of the Standing Committee of the 13th National People's Congress and entered into effect on 1 September 2021. The DSL, among other things, regulates the handling of data, ensures data security, and protects citizens' and organisations' lawful rights and interests. OneTrust DataGuidance discusses key provisions and obligations introduced for operators.

The State Council of the People's Republic of China announced, on 17 August 2021, that it had passed a Regulation on the Security Protection of Critical Information Infrastructure ('the Regulation'), which will take effect on 1 September 2021. The Regulation is meant to ensure the security of critical information infrastructure ('CII') and maintain cybersecurity, and was formulated in accordance with the Cybersecurity Law 2017 ('CSL'). OneTrust DataGuidance analyses this development and its impact.

The National People's Congress of the People's Republic of China ('NPC') announced, on 20 August 2021, the adoption of the Personal Information Protection Law of the People's Republic of China ('PIPL'). In Part 3 of this series, OneTrust DataGuidance discusses individual rights and enforcement. 

The National People's Congress of the People's Republic of China ('NPC') announced, on 20 August 2021, the adoption of the Personal Information Protection Law of the People's Republic of China ('PIPL'). In Part 2 of this series, OneTrust DataGuidance discusses the controller obligations which are key to ensuring compliance.

The National People's Congress of the People's Republic of China ('NPC') announced, on 20 August 2021, the adoption of the Personal Information Protection Law of the People's Republic of China ('PIPL'). In Part 1 of this series, OneTrust DataGuidance discusses the PIPL and some of its provisions.

The forthcoming Data Security Law ('DSL') will make some significant additions to the current Chinese legal framework on personal information and how it can be handled. Dr. Michael Tan and Julian Sun, Partner and Associate respectively at Taylor Wessing LLP, discuss the DSL's highlights and give some practical recommendations in order to prepare.

With the gears truly beginning to turn in the legislative process and a 2022 enforcement date likely, it now remains for the provisions of the Personal Information Protection Law ('PIPL') to be fine-tuned in order to provide legal certainty for companies. Galaad Delval, independent privacy professional, discusses the recent third draft of the PIPL and what changes have been made.

With the Data Security Law of the People's Republic of China ('DSL') set to become effective in the near future, the landscape of data security law in China will undergo some significant changes. Galaad Delval, independent privacy professional, discusses the DSL and some outstanding issues surrounding the definition of 'important data', which remains to be addressed.

On 7 March 2021, State Councillor and Foreign Minister Wang Yi answered questions from media on the new measures to fight COVID-19, including the International Travel Health Certificate ('the Certificate') which displays, among other things, an individual's vaccination status. The Certificate can be displayed via the WeChat mini program in electronic form, as well as in paper form. Chinese citizens get the Certificate through either using WeChat to scan the official QR Code, or by searching for it on the WeChat mini program. Dehao Zhang, Counsel at Fieldfisher, discusses the Certificate from a data protection angle.

The regulation of e-commerce in China is an area of growing complexity that may prove to be a minefield for multinational companies in particular. Dr. Michael Tan and Julian Sun, Partner and Associate respectively at Taylor Wessing, discuss this issue with reference to obligations in both the privacy and competition spheres.