China - Data Protection Overview
1. Governing Texts
China's data protection regime is in a period of change, and there has been significant progress in data protection legislation in recent years. The Personal Information Protection Law ('PIPL') entered into effect on 1 November 2021 and is China's first comprehensive data protection law. The PIPL governs personal information processing activities carried out by entities or individuals within China and, together with two other key laws on cybersecurity and data protection, namely the Cybersecurity Law ('CSL') (official text available only in Chinese; an unofficial English translation is also available) and the Data Security Law ('DSL'), introduces a new data protection regime for China.
In addition, the Civil Code of the People's Republic of China ('the Civil Code'), effective from 1 January 2021, expressly provides for the rights of privacy and personal information protection. The express protection of personal information under the Civil Code marks a new era of privacy and personal information protection. Meanwhile, new supporting rules (such as guidelines and standards) are expected in 2022 and beyond as China's cybersecurity and personal information protection framework continues to evolve.
In addition, there are specific requirements under laws and regulations governing particular industry sectors, such as telecommunications, finance, healthcare, network services, consumer protection, e-commerce and transportation.
For the purpose of this Overview, we will not discuss data protection in specific industry sectors.
At the time of this Guidance Note's publication, the CSL, the DSL and the PIPL together constitute the three fundamental pieces of legislation on cybersecurity and data protection in China. The relevant implementing rules are still being drafted. Changes over time will be addressed by means of successive updates to this Guidance Note.
The PIPL establishes the mechanism for personal information protection in China and is modelled, in part, on the GDPR. It introduces several important concepts, such as personal information, sensitive personal information and processing. It explicitly provides for extraterritorial jurisdiction and contains the traditional elements of a data protection law, such as principles of personal information processing, consent and non-consent grounds for processing, cross-border transfer mechanisms and the rights of data subjects. At the time of writing, some provisions still await implementing rules to clarify them.
The CSL was passed on 7 November 2016 and took effect on 1 June 2017. The CSL contains personal information protection requirements applicable to all enterprises that operate a computerised information network system. The CSL is the fundamental law regulating cyberspace, focusing on the multi-level protection of cybersecurity, the protection of critical information infrastructure, cybersecurity reviews and inspections, and the certification of key network devices and special cybersecurity products.
Although the CSL is conceptually a cybersecurity law, from its entry into force in 2017 it also served as a principal source of personal information protection requirements. With the enactment of the PIPL, the focus of the CSL returns to cybersecurity.
The DSL is the fundamental law on data security. It establishes a series of policies, including data categorisation and classification, data risk controls, contingency responses for data security incidents, data security reviews, export controls and anti-discrimination measures, intended to secure the development and use of data as well as industry development. The specific rules implementing these policies are expected in the future and may take the form of supporting laws, regulations and guidelines.
Under the industry-specific rules currently available (e.g., those applicable to industrial data, securities and futures data, and personal financial data), data categorisation and classification systems have already been established. As enforcement of the DSL gets under way, data categorisation and classification systems are expected in more industries, especially those whose competent authorities bear responsibility for supervising data security under Article 6 of the DSL (e.g., telecommunications, transportation, natural resources, health, education and technology).
The Civil Code
The Civil Code, which entered into effect on 1 January 2021, provides for the rights of privacy and personal information protection in Chapter VI of Part IV (Personality Rights). Given the significance of the Civil Code, its issuance symbolises a new era in the protection of privacy and personal information. This is the first time that the right to privacy and the protection of personal information have been set out in a dedicated chapter of a law. The right to privacy and personal information is categorised as a personality right, so that infringement of privacy and/or personal information gives rise to a remedy in tort. Furthermore, privacy is defined in law for the first time, as the private peaceful life of a natural person and the private space, private activities and private information that a natural person does not wish to be known to others.
Articles 38 and 40 of the Constitution of the People's Republic of China establish rights that relate to privacy, such as a right of dignity of the person which provides prohibitions against insult, defamation, false accusation, or false information directed against Chinese citizens, and a right of freedom and secrecy of correspondence. These provisions do not, however, establish an express constitutional right to privacy, even though their subject-matter may be related to privacy.
Criminal law provisions
The Ninth Amendment to the Criminal Law of the People's Republic of China (promulgated on 29 August 2015; available only in Chinese) ('the Ninth Amendment') provides that any party who sells or provides personal information to a third party in violation of the law is subject to criminal liability, and that a party who sells or provides personal information obtained in the course of performing its duties or providing services, in violation of the law, is subject to heavier punishment.
Resolution to strengthen the protection of information on the internet
At the end of 2012, the Standing Committee of the National People's Congress passed the Resolution to Strengthen the Protection of Information on the Internet (available only in Chinese) ('the Resolution'). Although the Resolution appears intended primarily to address the security of internet use, it also contains provisions governing the collection and processing of personal information. Moreover, the nature of its subject matter (the processing of electronic personal information over the internet) gives it the potential for broader application than many sector-specific regulations.
Regulations of Security Protection of Critical Information Infrastructure
The Regulations on the Security Protection of Critical Information Infrastructure (available only in Chinese) entered into effect on 1 September 2021 and are the implementing rules under the CSL that specifically regulate critical information infrastructure ('CII'). CII refers to critical network facilities and information systems in important industries and areas, such as public telecommunications and information services, energy, transport, water conservancy, finance, public services, e-government, and science, technology and industry for national defence, whose destruction, loss of function or data leakage may seriously endanger national security, the national economy, people's livelihoods or the public interest. The competent authorities for these industries are to formulate their own rules for identifying CII and file them with the State Council.
Administrative regulations on the credit reference sector
The Administrative Regulations on the Credit Reference Sector (available only in Chinese) set forth a series of rules for the collection, use, processing, disclosure and transfer of personal information by credit reference agencies.
Draft Regulations of Cybersecurity Grading Protection
On 27 June 2018, the Ministry of Public Security ('MPS') issued the Draft Regulations on Cybersecurity Grading Protection (available only in Chinese) ('Draft Regulation'). The Draft Regulation establishes a mechanism for cybersecurity grading protection: networks are graded into five levels, and a network graded at level two or above must be filed with the MPS. In practice, most networks are graded at level one, two or three.
Draft Measures of Security Assessment of Cross-border Transfer
The Cyberspace Administration of China ('CAC'), in its third legislative attempt to build a cross-border data transfer mechanism in China, issued the Draft Measures on Security Assessment of Cross-border Data Transfers (available only in Chinese) ('Draft Measures on Cross Border Data Transfers') on 29 October 2021. If finalised, these draft measures would apply, in certain circumstances, to cross-border transfers of personal information and 'important data' collected and generated in China. Data handlers would be subject to a mandatory security assessment by the CAC in the following circumstances:
- transfers of personal information and important data collected and generated by CII operators (as defined under the CSL);
- transfers of important data;
- transfers of personal information by data handlers who process the personal information of over 1 million individuals;
- cumulative transfers of the personal information of more than 100,000 individuals, or of the sensitive personal information of more than 10,000 individuals; or
- other conditions to be specified by the CAC.
The PIPL, the DSL, and the CSL are to be accompanied by an extensive series of guidelines and standard documents which, typically, will not be binding, but should still be taken seriously as they establish market standards, best practices, and regulatory expectations. This portfolio of guidance documents is still emerging. A certain number of these have been issued but only in draft form with substantial or even fundamental changes still possible, while others are still being drafted and have not been published yet.
All the national standards in connection with information security are issued by the National Information Security Standardisation Technical Committee ('TC260').
One standard issued by TC260 is Information Security Technology - Personal Information Security Specification (GB/T 35273-2020) ('the Specification'), which establishes benchmarks for the processing of personal information by all types of entities and organisations. The standard first entered into effect on 1 May 2018 and was amended on 6 March 2020, with the amendments becoming effective on 1 October 2020. The amendments address issues raised by emerging practices, such as personalised display, data integration and the management of third-party SDKs/plug-ins, among others. The Specification is voluntary rather than mandatory, but it is nevertheless regarded as a generally accepted compliance standard and good practice in China.
The internet security guidelines
The Guidelines for Internet Personal Information Security Protection ('the Internet Security Guidelines'), promulgated by the Cybersecurity Guard Department of the MPS, the Beijing Network Industry Committee and the Third Research Institute of the MPS, set out the protection of personal information from the perspectives of management systems, security technology, data processing and contingency handling. The Guidelines are voluntary rather than mandatory, but they are nevertheless regarded as a generally accepted compliance standard and good practice in China, and are often referred to by the police in enforcement actions.
National standards regarding classified protection of cybersecurity systems
By 2020, China had established the classified protection of cybersecurity system by formally issuing the following seven national standards (all promulgated by TC260):
- Information Security Technology - Testing and Evaluation Technical Guide for Classified Cybersecurity Protection (GB/T 36627-2018);
- Information Security Technology - Testing and Evaluation Process Guide for Classified Protection of Cybersecurity (GB/T 28449-2018);
- Information Security Technology - Basic Requirements of Classified Protection of Cybersecurity (GB/T 22239-2019);
- Information Security Technology - Technical Requirements of Security Design of Cybersecurity (GB/T 25070-2019);
- Information Security Technology - Test Requirements of Classified Protection of Cybersecurity (GB/T 28448-2019);
- Information Security Technology - Implementation Guide for Classified Protection of Cybersecurity (GB/T 25058-2019); and
- Information Security Technology - Classification Guide for Classified Protection of Cybersecurity (GB/T 22240-2020).
Under these seven standards, the protected subjects include basic information networks, cloud computing platforms/systems, big data applications/platforms/resources, Internet of Things ('IoT') systems, industrial control systems and systems using mobile interconnection technology. Classified protection of cybersecurity is divided into five levels. At each level there are general security requirements, applicable to every subject, and extended security requirements designed for cloud computing, mobile interconnection, IoT and industrial control systems; a cloud computing platform, for example, is first subject to the general security requirements and then to the extended requirements specific to cloud computing. The general security requirements are further divided into technical requirements (secure physical environment, secure communication network, secure area boundary, secure computing environment and secure management centre) and management requirements (security management system, security management organisation, security management personnel, security construction management, and security operation and maintenance management).
Note that while these recommended standards are not themselves legally binding, in practice the testing and evaluation bodies determine a network's grade and evaluate it against these classified protection standards. Consequently, for the purpose of meeting the classified cybersecurity protection obligation imposed by law, network operators have to comply with these national standards in practice.
1.3. Case law
As China has a civil law system, case law is generally less influential than in common law jurisdictions; interpretations issued by the relevant regulatory and judicial authorities are often more impactful than case law generated by litigation in the courts.
The Provisions of the Supreme People's Court on Several Issues concerning the Application of Law to Trials of Civil Dispute Cases of Infringement of Personal Rights via Information Networks (available only in Chinese), issued by the Supreme People's Court of the People's Republic of China ('Supreme Court') in August 2014, have been significant in establishing protection for the name, likeness, reputation and honour, as well as the personal data, of Chinese citizens. They clarify issues concerning the application of law to civil cases involving the infringement of personal rights, including the rights to name, reputation, honour, portrait and privacy, via information networks.
The Interpretation of the Supreme Court and the Supreme People's Procuratorate of the People's Republic of China on Several Issues concerning the Application of Law in the Handling of Criminal Cases of Infringing on Citizens' Personal Information (available only in Chinese) clarifies certain issues concerning the application of criminal law and criminal procedure to personal information protection in practice.
2. Scope of Application
The PIPL protects the personal information of identifiable natural persons and applies to any processing of personal information carried out within China, whether by private or public organisations or by individuals.
In addition, the PIPL applies to processing activities outside China relating to the personal information of individuals in China where the purpose of the processing is to:
- offer goods or services to individuals in China; or
- analyse and evaluate the activities of individuals in China.
The PIPL therefore applies to any processing of personal information in China as well as to certain personal information processing activities conducted outside China.
3.1. Main regulator for data protection
There is no single authority or agency in China responsible for supervising compliance with personal data related laws. In general, under the PIPL, the regulators in charge of personal information protection include the CAC, the relevant State Council departments, and the relevant departments of local governments at county level and above. In practice, the public security authorities (police) are in charge of practical enforcement, administrative penalties and crimes relating to the infringement of privacy.
Specifically, the government authorities that supervise particular sectors are also responsible for supervising compliance with data protection obligations within those sectors. Examples of such sector-specific supervisory authorities include the China Banking and Insurance Regulatory Commission ('CBIRC'), the National Health Commission ('NHC', formerly the National Health and Family Planning Commission), the National Medical Products Administration ('NMPA'), the Ministry of Science and Technology ('MOST'), the People's Bank of China ('PBC'), the State Administration for Market Regulation ('SAMR'), the Ministry of Industry and Information Technology ('MIIT') and the Ministry of Transport ('MOT').
3.2. Main powers, duties and responsibilities
- The CAC is responsible for comprehensive planning and coordination of personal information protection work and related supervision and management.
- The relevant State Council departments are responsible for personal information protection, supervision, and management work within their respective scope.
- The relevant departments of local governments at county-level and higher perform personal information protection, supervision, and management duties according to relevant provisions at State level.
- The MPS is responsible for supervising and administering the security and inspection of public information systems, administering classified cybersecurity protection, and investigating and punishing cybercrime.
- The CBIRC is responsible for compliance with data protection obligations within the banking and insurance industry.
- The NHC (formerly the NHFPC) is responsible for compliance by medical institutions.
- The NMPA is responsible for compliance in relation to medical and healthcare products.
- The MOST is responsible for compliance in relation to human genetic resources.
- The PBC is responsible for compliance by credit reference service institutions and credit data centres.
- The SAMR is responsible for compliance in the consumer sector.
- The MIIT is responsible for compliance within the telecommunications industry.
- The MOT is responsible for compliance within the transportation industry.
4. Key Definitions
Data controller: There is no definition of 'data controller' under the PIPL. However, 'personal information handler' refers to organisations and individuals that, in personal information processing activities, autonomously determine the purposes and methods of processing.
Personal information handler under the PIPL is similar to the concept of a 'data controller’ in other privacy laws (such as the General Data Protection Regulation (EU) 2016/679) ('GDPR'). While the GDPR distinguishes between a data controller, who determines the means and purposes of processing personal data, and a data processor, who processes personal data on behalf of the controller, the PIPL does not formally define the concept of a data processor. Under the PIPL, when a personal information handler entrusts a third party (i.e., a data processor under the GDPR) to process personal information on behalf of the personal information handler, such third party will be referred to as the 'entrusted party' or the 'contracting party'.
Sensitive data: Personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specific identity, medical health, financial accounts and individual location tracking, as well as the personal information of minors under the age of 14.
Processing: Collection, storage, use, processing, transmission, provision, disclosure, deletion, among other things, of personal information.
Biometric data: Biometric samples, biosignatures, biosignature models, biometric properties, original descriptive data of biometrics, or a combination of the aforementioned data (as defined in the draft standard Information Technology - Security Techniques - Biometric Information Protection).
Pseudonymisation: There is no definition of pseudonymisation under the PIPL. However, the PIPL defines de-identification as the process of processing personal information so that it is impossible to identify a specific natural person without the support of additional information.
Anonymisation: The process of processing personal information so that it is impossible to identify a specific natural person and impossible to reverse the process.
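The practical difference between the two definitions above is whether "additional information" exists that can undo the transformation. The following Python example is added here to make that concrete; it is not code from the PIPL, from any TC260 standard or from the original page. The records, ID numbers, key and the k-threshold are all constructed for illustration, and the HMAC-based tokenisation and decade/suppression generalisation are this example's own choice of technique, not a method prescribed by Chinese law.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample records (hypothetical people; the ID numbers are not real).
# "name" and "id_number" are direct identifiers, "birth_year" and "district" are
# quasi-identifiers, and "diagnosis" is the attribute the processing needs.
RECORDS: List[Dict] = [
    {"name": "Zhang Wei", "id_number": "110101199001010001", "birth_year": 1990, "district": "Chaoyang", "diagnosis": "flu"},
    {"name": "Li Na", "id_number": "110101199202020002", "birth_year": 1992, "district": "Haidian", "diagnosis": "asthma"},
    {"name": "Wang Fang", "id_number": "110101198503030003", "birth_year": 1985, "district": "Chaoyang", "diagnosis": "flu"},
    {"name": "Liu Yang", "id_number": "110101198804040004", "birth_year": 1988, "district": "Dongcheng", "diagnosis": "diabetes"},
    {"name": "Chen Jing", "id_number": "110101197105050005", "birth_year": 1971, "district": "Haidian", "diagnosis": "flu"},
]

DIRECT_IDENTIFIERS = ("name", "id_number")


def token_for(id_number: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the ID number. A plain hash would be
    brute-forceable from the small, structured ID-number space; the key is what
    makes the token useless to anyone who does not hold it."""
    return hmac.new(key, id_number.encode("utf-8"), hashlib.sha256).hexdigest()


def de_identify(records: List[Dict], key: bytes) -> List[Dict]:
    """De-identification in the PIPL sense: direct identifiers are replaced by a
    keyed token. Each record still belongs to one person, and re-identification
    only needs the 'additional information' (the key, or a token-to-identity
    lookup table), so the output is still personal information."""
    out = []
    for r in records:
        d = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        d["token"] = token_for(r["id_number"], key)
        out.append(d)
    return out


def re_identify(token: str, candidate_ids: List[str], key: bytes) -> Optional[str]:
    """Whoever holds the key plus a list of candidate ID numbers can link a token
    back to a person. Returns the matching ID number, or None without the key."""
    for cid in candidate_ids:
        if hmac.compare_digest(token_for(cid, key), token):
            return cid
    return None


def anonymise(records: List[Dict], k: int = 2) -> List[Dict]:
    """Anonymisation in the PIPL sense: no key and no token to keep. Direct
    identifiers and the district are dropped, birth year is generalised to a
    decade, and any decade group with fewer than k records is suppressed so that
    no output row is unique. The output is sorted so that row order cannot be
    used to link rows back to the input."""
    generalised = [
        {"birth_decade": f"{r['birth_year'] // 10 * 10}s", "diagnosis": r["diagnosis"]}
        for r in records
    ]
    group_size = Counter(g["birth_decade"] for g in generalised)
    kept = [g for g in generalised if group_size[g["birth_decade"]] >= k]
    return sorted(kept, key=lambda g: (g["birth_decade"], g["diagnosis"]))


if __name__ == "__main__":
    key = b"demo-key-kept-separately-from-the-dataset"  # constructed demo key
    pseudonymised = de_identify(RECORDS, key)
    ids = [r["id_number"] for r in RECORDS]
    print("de-identified:", pseudonymised[0])
    print("re-identified with key:", re_identify(pseudonymised[0]["token"], ids, key))
    print("re-identified without key:", re_identify(pseudonymised[0]["token"], ids, b"other"))
    print("anonymised:", anonymise(RECORDS, k=2))
```

Two points follow from running this. First, a de-identified dataset is only as separated from the individuals as the key (or lookup table) is from the dataset: if both sit in the same system with the same access rights, nothing has been achieved, so the key belongs under separate access control. Second, whether generalised data is genuinely anonymised is a judgement about the attacker's background knowledge, not a property of the code; k=2 is a demonstration value, and the 1970s row is suppressed precisely because a unique decade would otherwise single out one person.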
5. Legal Bases
Article 13 of the PIPL stipulates the legal bases for personal information processing.
A personal information handler may process personal information after obtaining the consent of the individuals concerned.
Where processing is necessary to perform a contract, no consent is required.
Where processing is necessary to comply with a legal obligation or duty, no consent is required.
Where processing is for public interest purposes to carry out news reporting or supervision by public opinion, no consent is required.
Where a personal information handler processes personal information that individuals have disclosed themselves or that has otherwise been lawfully disclosed, no consent is required for processing within a reasonable scope in accordance with the PIPL.
In addition, personal information can be processed under other circumstances as stipulated by applicable law or administrative regulation.
The PIPL sets out seven principles for personal information processing:
Lawfulness: Personal information must be processed in accordance with the principles of legality, legitimacy, necessity, and good faith, and not in any manner that is misleading, fraudulent, or coercive.
Purpose specification: Processing must be conducted:
- for a specified and reasonable purpose;
- in a manner directly related to that purpose; and
- in the way that has the least impact on personal rights and interests.
Data minimisation: The collection of personal information must be limited to the minimum scope necessary for achieving the purpose of processing and must not be excessive.
Storage limitation: The storage period of personal information must be the minimum period necessary for achieving the processing purpose, unless any applicable law or administrative regulation stipulates otherwise.
Transparency: Processing must be conducted in accordance with the principles of openness and transparency (i.e., provision of notice, described in section 8 below).
Accuracy: Personal information handlers must ensure the quality of personal information processed, to avoid any negative impact on personal rights and interests due to the inaccuracy or incompleteness of the personal information processed.
Data security: Personal information handlers must take necessary measures to ensure the security of the personal information processed.
7. Controller and Processor Obligations
In terms of transfers of personal information to third parties, the PIPL requires the separate consent of data subjects unless another (non-consent) legal basis applies.
In terms of cross-border transfers of personal information, the PIPL provides three mechanisms. First, CII operators and personal information handlers that process personal information beyond the threshold amount prescribed by the CAC (yet to be determined) are subject to data localisation requirements. Where it is necessary for such entities to transfer personal information out of China, they must pass a mandatory security assessment organised by the CAC.
Pursuant to the Draft Measures on Cross Border Data Transfers, an entity must pass a mandatory security assessment organised by the CAC if it:
- is a data handler that processes the personal information of over 1 million individuals and transfers personal information abroad; or
- cumulatively transfers abroad the personal information of more than 100,000 individuals, or the sensitive personal information of more than 10,000 individuals.
For non-CII operators and personal information handlers that process personal information below the (yet to be determined) CAC threshold, two other mechanisms are available. One is to obtain a personal information protection certification from a recognised institution in accordance with regulations to be published by the CAC. The other, and the most likely to be used in practice, is to execute a data transfer agreement with the overseas recipient based on a standard contract to be published by the CAC.
For cross-border transfers of personal information, in addition to the above requirements, a personal information handler must also inform individuals of:
- the identity and contact information of the data recipient(s);
- the purpose(s) and method(s) of data processing;
- the type(s) of personal information to be transferred; and
- how individuals can exercise their rights under the PIPL with respect to the data recipient(s).
Personal information handlers must also obtain separate consent from individuals for the cross-border transfer of their personal information.
Additionally, cross-border transfers of personal information made for the purpose of providing international judicial and law enforcement assistance must first be approved by a competent Chinese authority.
The PIPL does not expressly require a personal information handler to keep records of processing. Nevertheless, where a personal information handler is required to conduct a personal information protection impact assessment ('PIPIA') for its processing activities, it must retain the PIPIA report and the related processing records for three years. In addition, under Article 69 of the PIPL, a personal information handler is liable for damage caused by its processing unless it can prove that it was not at fault, i.e., the burden of proof is reversed.
It is therefore recommended that personal information handlers retain processing records as good practice and in order to be able to defend themselves against third-party claims.
In addition, Section 11.3 of the Specification specifically recommends that the personal information controller establish, maintain and update records of personal information processing activities, and lists the detailed contents of such records.
Under Article 55 of the PIPL, a personal information handler must conduct a personal information protection impact assessment ('PIPIA') prior to:
- processing sensitive personal information;
- using personal information in automated decision-making;
- engaging an entrusted party to process personal information on the personal information handler's behalf;
- providing personal information to another personal information handler;
- disclosing personal information to the public;
- transferring personal information outside of China; or
- any processing activity that will have a material impact on the personal rights and interests of an individual.
The PIPIA must assess:
- whether the purpose(s) and method(s) of processing are lawful, legitimate, and necessary;
- the impact of the processing on individuals' rights and interests, and the level of risk involved; and
- whether the protective measures undertaken are lawful, effective, and commensurate to the degree of such risk.
PIPIA reports and records of processing must be retained for at least three years.
The Guideline of Personal Information Security Impact Assessment (GB/T 39335-2020) provides guidance on how to conduct a PIPIA.
Under Article 52 of the PIPL, if the volume of personal information processed reaches a threshold level as stipulated by the CAC, a personal information handler must appoint a personal information protection officer ('PIPO'). The volume of personal information triggering the threshold has not yet been defined.
Under the PIPL, where a leak, distortion or loss of personal information has occurred or may occur, a personal information handler must immediately take remedial measures and notify the relevant regulators and the affected individuals. The PIPL requires specific content to be included in the notification, including:
- the type(s) of personal information affected;
- the cause of, and possible harm that may result from, the breach;
- any remedial measures taken by the personal information handler and measures individuals can adopt to mitigate harm; and
- the contact information of the personal information handler.
The PIPL does, however, provide a risk-of-harm threshold for notice to affected individuals: if the measures taken by the personal information handler can effectively avoid the harm caused by the leak, distortion or loss, the handler is not required to notify the affected individuals, unless the regulator considers that harm may still result and requires notification.
Personal information retention periods will be the shortest period necessary to realise the purpose of the personal information handling, except where laws or administrative regulations provide otherwise.
A personal information handler must also comply with the Provisions on the Online Protection of Children's Personal Information (available only in Chinese) when processing children's personal information.
There is no provision regulating processing criminal conviction data under the PIPL.
Pursuant to the PIPL, where a personal information handler contracts with an entrusted party to process personal information on its behalf, the personal information handler must execute a processing agreement with the entrusted party that includes:
- the purpose(s) of processing;
- the period and method(s) of processing;
- the type(s) of personal information to be processed;
- any protective measures to be taken; and
- both parties’ rights and obligations under the PIPL.
Personal information handlers are responsible under the PIPL for supervising the processing activities of entrusted parties, but the PIPL does not prescribe specific supervision requirements. Upon completion or termination of the agreement with the personal information handler, the entrusted party must return the personal information to the personal information handler or delete it, and must not retain it.
8. Data Subject Rights
Prior to processing personal information, a personal information handler must provide notice to individuals on how their personal information will be processed. Under the PIPL, a privacy notice must contain the following:
- the name and contact information of the personal information handler;
- the purpose(s) and method(s) of processing, the categories of personal information to be processed, and the retention period of the personal information;
- the name and contact information of any other personal information handler that will have access to the personal information, the purpose(s) and method(s) of processing by such other personal information handler, and the categories of personal information provided to such other personal information handler;
- where applicable, the use of automated decision-making;
- where applicable, the necessity of processing sensitive personal information and the impact of such processing on individuals' rights and interests;
- where applicable, a special notice with respect to the processing of children's personal information (under 14 years old);
- for data transfers outside of China:
  - the name and contact information of the data recipient(s);
  - the purpose(s) and method(s) of processing by the recipient(s);
  - the type(s) of personal information transferred; and
  - the method and procedure for individuals to exercise their rights under the PIPL with respect to the data recipient(s); and
- where applicable, the contact information of the PIPO.
Pursuant to the PIPL, individuals are entitled to request access to their personal information from the personal information handler, within the limits set by law.
Pursuant to the PIPL, where personal information is inaccurate or incomplete, the individual is entitled to request that the personal information handler rectify or complete it.
Pursuant to the PIPL, individuals are entitled to request that the personal information handler delete their personal information in any of the following circumstances:
- the handling purpose has been achieved, is impossible to achieve, or the personal information is no longer necessary to achieve the handling purpose;
- personal information handlers cease the provision of products or services, or the retention period has expired;
- the individual rescinds consent;
- where personal information handlers have handled personal information in violation of laws, administrative regulations, or agreements; or
- other circumstances provided by laws or administrative regulations.
Pursuant to the PIPL, the individual is entitled to object to the processing of their personal information.
Pursuant to the PIPL, individuals may request that the personal information handler transfer their personal information to another personal information handler designated by them, where the conditions prescribed by the CAC are met.
Pursuant to the PIPL, personal information handlers must ensure the transparency and fairness of automated decision-making, and must not apply unreasonable differential treatment to individuals in respect of transaction prices or other transaction conditions. Where an individual considers that an automated decision has a significant impact on their rights and interests, the individual is entitled to request an explanation from the personal information handler and may refuse a decision made solely by automated means. Where a personal information handler uses automated decision-making for information push or commercial marketing, it must also offer options that are not targeted at the individual's personal characteristics, or a convenient way for the individual to refuse such processing.
Pursuant to the PIPL, individuals may also request a copy of their personal information from the personal information handler and may request that the processing of their personal information be restricted.
Personal information handlers who violate the PIPL with respect to their processing of personal information may be subject to penalties including:
- an order to correct the alleged violations;
- the disgorgement of profits; or
- the suspension or termination of the services of the applications (apps) found to be in violation of the PIPL.
Entities that refuse to correct the alleged violations may be subject to a fine of not more than RMB 1 million (approx. €135,300), and responsible personnel may be subject to fines of between RMB 10,000 (approx. €1,350) and RMB 100,000 (approx. €13,500).
In the event of grave violations of the PIPL (a term the PIPL does not define), entities may be subject to fines of up to RMB 50 million (approx. €6.75 million) or 5% of the preceding year's turnover. Additionally, the offending entity's business or related business activities may be suspended pending rectification of the alleged violations, and the matter may be reported to the relevant authorities for revocation of the entity's business permits or licence. Further, individuals directly responsible for 'grave' violations of the PIPL may be fined between RMB 100,000 (approx. €13,500) and RMB 1 million (approx. €135,300), and may be prohibited from holding certain positions, including director, supervisor, senior manager or personal information protection officer, for a certain period of time.
In December 2017, an enforcement review of the privacy practices of several of China's principal internet service providers resulted in disciplinary measures against at least four of them. Reportedly, the review was prompted by the service providers' failure to observe a set of generally applicable standard guidelines establishing good practices for personal information security. Although such a standard is, on its face, not binding, enforcement agencies in China may still use it as a reference or guide in their administration and enforcement activities.
Below are some enforcement cases in recent years:
- On 6 January 2018, the CAC's cybersecurity coordination department summoned Alipay and Zhima Credit Management LLC to a regulatory interview over non-compliance with the Specification.
- A listed company in Wuxi used a weak password for the administrator account of its office administration system, did not require the password to be changed at first login, and did not enforce any password-strength requirements. Weak controls of this kind leave personal information exposed to loss through credential-stuffing or password-guessing attacks.
- A culture communication company purchased a large volume of students' personal information, including school, class and parents' telephone numbers, and planned to use the data for targeted marketing. In April 2019, the Wuxi police imposed a fine of RMB 20,000 (approx. €2,700).
- On 3 July 2019, the MIIT carried out a sample inspection of the apps of 100 internet companies and identified a number of problems: 18 of the sampled apps did not disclose their rules for the collection and use of personal information, did not inform users how to correct their personal information, or did not offer account deregistration; 33 collected and used personal information in violation of the law. The MIIT ordered the non-compliant apps to be removed from app stores pending rectification.
- On 19 December 2019, the MIIT publicly named 41 apps for infringing users' rights and interests, and on 8 January 2020 it publicly named a further 15. The non-compliance centred on the unlawful collection and use of personal information, unreasonable requests for user permissions, and obstacles placed in the way of account deregistration. The MIIT ordered apps that failed to complete rectification to be removed from app stores.
- On 23 June, the People's Procuratorate of Yuhang District, Hangzhou, Zhejiang Province filed a civil public interest lawsuit in the Hangzhou Internet Court against an internet technology company for forcing users to grant it access to the photos, media content and documents on their devices and to the International Mobile Equipment Identity ('IMEI'), and for unlawfully collecting and storing over 10 million items of personal information. The parties reached a mediation agreement before the court, under which the defendant must:
  - delete all the personal information unlawfully collected;
  - publish an apology in Legal Daily; and
  - undertake to conduct its business lawfully.
  If the defendant breaches the agreement, it must pay RMB 500,000 (approx. €67,450) in liquidated damages to the national personal information protection public interest fund, to be used for public welfare expenditure.
- A customer manager at a bank in Zhanjiang, Guangdong Province unlawfully sold 31,456 records of customer account information, including names, ID numbers, telephone numbers and bank account numbers, to a finance company for loan marketing. Before litigation, the People's Procuratorate of Jingkai District, Zhanjiang submitted a prosecutorial proposal to the Banking and Insurance Regulatory Sub-Bureau of Zhanjiang ('Sub-Bureau'). On 31 December 2020, the Sub-Bureau imposed an administrative penalty of RMB 200,000 (approx. €23,000) on the bank, and on 4 January 2021 it barred the customer manager from working in the banking industry for one year.
- On 4 July 2021, the CAC announced that the Didi app had seriously violated the rules on the collection and use of personal information under the CSL and ordered app stores to remove it.
- On 5 July 2021, following an investigation, the Zhejiang Communications Administration found that Ali Cloud Computing LLC had, on 11 November 2019, disclosed users' registration information to a partner without their consent. It held that this violated Article 42 of the CSL and ordered Ali Cloud to rectify the violation.
- Kohler (China) collected facial information from consumers in its stores without their consent between February 2020 and March 2021, in violation of the Law of the People's Republic of China on the Protection of the Rights and Interests of Consumers (only available in Chinese here) ('the Consumer Protection Law'). The Administration for Market Regulation of Jing'an District, Shanghai imposed a penalty of RMB 500,000 (approx. €67,450) on Kohler and ordered it to rectify the violation.
- In August 2021, the Yubei District branch of Chongqing New Oriental Education & Training LLC unlawfully collected and used 1,053 items of consumers' personal information without their consent. The Chongqing Administration for Market Regulation held that the company had violated the Consumer Protection Law, imposed a penalty of RMB 340,000 (approx. €45,900), and ordered it to eliminate the effects of the violation.