China - Data Protection Overview
1. Governing Texts
China's data protection regime is in a period of change, and there has been significant progress in the field of data protection legislation in recent years. The Personal Information Protection Law ('PIPL') entered into effect on 1 November 2021 and is China's first comprehensive data protection law. The PIPL governs personal information processing activities carried out by entities or individuals within China and, together with two other key laws on cybersecurity and data protection, namely the Cybersecurity Law (only available in Chinese here; an unofficial English version of the Law is available here) ('CSL') and the Data Security Law ('DSL'), introduces a new data protection regime for China.
In addition, the Civil Code of the People's Republic of China ('the Civil Code'), which entered into effect on 1 January 2021, expressly provides for the right of privacy and personal information protection. The express protection of personal information under the Civil Code represents a new era of privacy and personal information protection. Meanwhile, new supporting rules (such as guidelines and standards) are expected in the near future and beyond as China's cybersecurity, data security, and personal information protection framework continues to evolve.
In addition, there are specific requirements under laws and regulations that govern particular industry sectors, such as telecommunications, finance, healthcare, network services, consumer protection, e-commerce, and transportation.
For the purpose of this Overview, we will not discuss data protection in specific industry sectors.
At the time of this Guidance Note's publication, the CSL, the DSL, and the PIPL together constitute the three fundamental pieces of legislation in respect of cybersecurity and data protection in China. The relevant implementing rules are still in the process of being drafted. Changes over time will be addressed by means of successive updates to this Guidance Note.
The PIPL establishes the mechanism of personal information protection in China, and it is modelled, in part, on the GDPR. It introduces several important concepts, such as personal information, sensitive personal information, and processing. It explicitly stipulates its extraterritorial jurisdiction, and provides the traditional elements of data protection, such as principles of personal information processing, consent and non-consent grounds for processing, cross-border transfer mechanisms, and rights of data subjects. At the time of writing this note, some provisions are still awaiting implementing rules to provide clarification.
On 7 November 2016, the CSL, effective as of 1 June 2017, was passed in China. The CSL contains personal information protection requirements which are applicable to all enterprises that operate a computerised information network system. The CSL is the fundamental law regulating cyberspace, focusing on multi-level protection of cybersecurity, the protection of critical information infrastructure, cybersecurity reviews, and inspection, as well as the certification of key network devices and special cybersecurity products.
Although the CSL, in effect since 2017, is conceptually specific to the context of cybersecurity, it has also served the function of protecting personal information. With the enactment of the PIPL, the focus of the CSL shifts to cybersecurity.
The DSL is the fundamental law for data security, and it designs a series of policies – including those regarding data categorisation and classification, data risk controls, contingency responses for data security, data security reviews, export controls, and anti-discrimination – to ensure data development and use, as well as industry development. The specific rules for implementing these policies are expected in the future, and may include supporting laws, regulations, and guidelines.
With respect to industry-specific rules currently available (e.g., those applicable to industrial data, securities and futures-related data, and personal financial data), data categorisation and classification systems have already been established. In light of the coming enforcement of the DSL, data categorisation and classification systems are expected in more industries in the future, especially for those industries that bear the responsibility of supervising data security under Article 6 of the DSL (e.g., telecommunications, transportation, natural resources, hygiene and health, education, and technology).
The Civil Code
The Civil Code, which entered into effect on 1 January 2021, provides a right of privacy and personal information protection in Chapter VII of Part IV (Personality Rights). Given the significance of the Civil Code, its issuance symbolises a new era of protection of privacy and personal information. This is the first time the right of privacy and personal information protection has been set out as a single chapter under the law. The right of privacy and personal information is categorised as a personality right, which provides a legal remedy in tort in cases of infringement of privacy and/or personal information. Furthermore, privacy is defined by law for the first time: it refers to the private and peaceful life of a natural person and the private space, private activities, and private information that a natural person does not wish to be known by others.
Measures of Security Assessment of Cross-border Data Transfer
The Cyberspace Administration of China ('CAC') issued the Measures on Security Assessment on Cross-border Data Transfer (only available in Chinese here), which entered into effect on 1 September 2022 and provide a six-month grace period to the relevant personal information handlers. If a cross-border data transfer falls within any of the circumstances prescribed in these Measures, personal information handlers shall, through the local CAC at provincial level, apply for a mandatory security assessment of the relevant transfer.
Procurement of network product and services by critical information infrastructure ('CII') operators and data processing by network platform operators are subject to cybersecurity review. Specifically, network platform operators holding more than 1 million individuals' personal information must apply for cybersecurity review if they propose to be listed overseas.
Articles 38 and 40 of the Constitution of the People's Republic of China establish rights that relate to privacy, such as a right of dignity of the person which provides prohibitions against insult, defamation, false accusation, or false information directed against Chinese citizens, and a right of freedom and secrecy of correspondence. These provisions do not, however, establish an express constitutional right to privacy, even though their subject-matter may be related to privacy.
Criminal Law provisions
The Ninth Amendment to the People's Republic of China's Criminal Law (promulgated on 29 August 2015) (only available in Chinese here) ('the Ninth Amendment') provides that all parties who sell or provide personal information to a third party, in violation of the law, are subject to criminal liability, and that parties who sell or provide personal information obtained during the performance of their duties and provision of services, in violation of law, are subject to a heavier punishment.
Resolution to Strengthen the Protection of Information on the Internet
At the end of 2012, the Standing Committee of the National People's Congress passed the Resolution to Strengthen the Protection of Information on the Internet (only available in Chinese here) ('the Resolution'). Although the Resolution appears intended to primarily address the security of internet use, it also contains provisions governing the collection and processing of personal information. Moreover, the nature of its subject matter (which is the processing of electronic personal information over the internet) gives it the potential for broader application than many other sector-specific regulations.
Regulations of Security Protection of Critical Information Infrastructure
The Regulations of Security Protection of Critical Information Infrastructure (only available in Chinese here) entered into effect on 1 September 2021 and are the implementing rules of the CSL, specifically regulating CII. CII refers to the critical network facilities and information systems in important industries and areas, such as public telecommunication and information services, energy, transport, water conservancy, finance, public services, e-government, and the science and technology industry for national defence, which may seriously endanger national security, the national economy, people's livelihood, and public welfare once they suffer any destruction, loss of function, or data leakage. The important industries will each formulate their own rules for the identification of CII and submit such rules to the State Council for record-filing.
Administrative regulations on the credit reference sector
The Administrative Regulations on the Credit Reference Sector (only available in Chinese here) set forth a series of rules for the collection, use, processing, disclosure, and transfer of personal information by credit reference agencies.
Rules on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications
The Rules on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (only available in Chinese here) regulate the collection of personal information by apps and specifically set out the scope of necessary personal information for 39 types of mobile apps.
Methods for Identifying Unlawful Acts of Applications to Collect and Use Personal Information
The Methods for Identifying Unlawful Acts of Applications to Collect and Use Personal Information (only available in Chinese here) provide specific and practical examples of unlawful collection and use of personal information for six types of data processing activities.
Draft Regulations of Cybersecurity Grading Protection
On 27 June 2018, the Ministry of Public Security ('MPS') issued the Draft Regulations of Cybersecurity Grading Protection (only available in Chinese here) ('Draft Regulation'). The Draft Regulation establishes a mechanism for cybersecurity grading protection. Networks shall be graded into five levels, and a network graded at level two or above must be filed with the MPS. The most common grades of network in the market are level one, level two, and level three.
The PIPL, the DSL, and the CSL are to be accompanied by an extensive series of guidelines and standard documents which, typically, will not be binding, but should still be taken seriously as they establish market standards, best practices, and regulatory expectations. This portfolio of guidance documents is still emerging. A certain number of these have been issued but only in draft form with substantial or even fundamental changes still possible, while others are still being drafted and have not been published yet.
All the national standards in connection with information security are issued by the National Information Security Standardisation Technical Committee ('TC260').
A standard issued by TC260 is the Information Security Technology - Personal Information Security Specification (GB/T 35273-2020) ('the Specification'), which establishes benchmarks for the processing of personal information by all types of entities and organisations. This standard first entered into effect on 1 May 2018 and was amended on 6 March 2020, with such amendments becoming effective on 1 October 2020. The amendments address the relevant issues brought by emerging technologies, such as personalised display, data integration, and the management of SDKs/plug-ins, among others. The Specification is voluntary and not mandatory, but it may nevertheless be considered a generally accepted compliance standard and good practice in China.
The Internet Security Guidelines
The Guidelines for Internet Personal Information Security Protection (only available in Chinese here) ('the Internet Security Guidelines') (promulgated by the Cybersecurity Guard Department of the MPS, the Beijing Network Industry Committee, and the 3rd Research Institute of the MPS) stipulate the protection of personal information from the perspectives of the management system, security technology, data processing, and contingency disposal. These Guidelines are voluntary and not mandatory, but they may nevertheless be considered a generally accepted compliance standard and good practice in China, and are often referred to by the police in enforcement actions.
Guidance for Personal Information Security Impact Assessment (GB/T 39335 – 2020)
The Guidance for Personal Information Security Impact Assessment (GB/T 39335-2020) ('the Security Impact Assessment Guidance') was issued by TC260 on 19 November 2020 and became effective on 1 June 2021. The Security Impact Assessment Guidance provides detailed rules for personal information handlers on how to conduct a protection impact assessment for high-risk data processing activities, e.g. processing sensitive personal information, providing personal information to another data handler, and cross-border transfer of personal information.
National standards regarding classified protection of cybersecurity systems
In 2019, China established the classified protection of cybersecurity system by formally issuing seven national standards (promulgated by TC260):
- Information Security Technology - Testing and Evaluation Technical Guide for Classified Cybersecurity Protection (GB/T 36627-2018);
- Information Security Technology - Testing and Evaluation Process Guide for Classified Protection of Cybersecurity (GB/T 28449-2018);
- Information Security Technology - Basic Requirement of Classified Protection of Cybersecurity (GB/T 22239-2019);
- Information Security Technology - Technical Requirement of Security Design of Cybersecurity (GB/T 25070-2019);
- Information Security Technology - Test Requirement of Classified Protection of Cybersecurity (GB/T 28448-2019);
- Information Security Technology - Implementation Guide for Classified Protection of Cybersecurity (GB/T 25058-2019); and
- Information Security Technology - Classification Guide for Classified Protection of Cybersecurity (GB/T 22240-2020).
Under the seven standards, the protected subjects include basic information networks, cloud computing platforms/systems, Big Data applications/platforms/resources, the Internet of Things ('IoT'), industrial control systems, and systems using mobile interconnection technology. Classified protection of cybersecurity is divided into five levels. At each level there are general security requirements and extended security requirements designed for cloud computing, mobile interconnection, IoT, and industrial control systems. The general security requirements apply to every subject; e.g. a cloud computing platform is first subject to the general security requirements and then to the extended security requirements specific to cloud computing. The general security requirements are further divided into technical requirements (including secure physical environment, secure communication network, secure area boundary, secure computing environment, and secure management centre) and management requirements (including secure management system, secure management department, secure management personnel, secure construction management, and secure operation and maintenance management).
Please note that, while these recommended standards are not legally binding or enforceable in themselves, in practice the technical expert assesses the grading of a network by reference to these classified cybersecurity protection standards from a technical perspective. Therefore, in order to comply with the cybersecurity protection required by law, network operators must comply with these classified cybersecurity-related national standards.
1.3. Case law
As China has adopted a civil law system, case law is generally less influential in China. Interpretations issued by relevant regulatory authorities are often more impactful than case law generated by litigation in the court system.
The Provisions of the Supreme People's Court on Several Issues concerning the Application of Law to Trials of Civil Dispute Cases of Infringement of Personal Rights via Information Networks (only available in Chinese here) ('the Supreme Court Opinion'), which were issued by the Supreme People's Court of the People's Republic of China ('Supreme Court') in August 2014 and amended on 29 December 2020, have been significant in establishing protection for the name, likeness, reputation, and honour, as well as the personal data, of Chinese citizens.
The Interpretation of the Supreme Court and the Supreme People's Procuratorate of the People's Republic of China on Several Issues concerning the Application of Law in the Handling of Criminal Cases of Infringing on Citizens' Personal Information (only available in Chinese here) clarifies certain issues concerning the application of criminal law and criminal procedure to personal information protection in practice.
The Supreme Court Opinion also clarifies issues concerning the application of law to civil cases involving the infringement of personal rights via information networks, including the rights of name, reputation, honour, portrait, and privacy.
2. Scope of Application
The PIPL applies to identifiable natural persons and to private and public organisations in China.
The PIPL applies to any processing of personal information within China.
In addition, the PIPL applies to processing activities outside of China relating to personal information of individuals in China if the purpose of the processing is to:
- offer goods or services to individuals in China; or
- monitor and evaluate the activities of individuals in China.
In summary, the PIPL applies to any processing of personal information within China as well as to certain personal information processing activities conducted outside of China.
3.1. Main regulator for data protection
There is no single authority or agency in China that is responsible for supervising compliance with personal data related laws. In general, under the PIPL, the regulators in charge of the protection of personal information include the CAC, the relevant cyberspace administration at provincial level, relevant State Council departments, and relevant departments of local governments at county level and higher. In practice, the public security authority (police) is in charge of practical enforcement, administrative penalties, and crimes relating to infringement of privacy.
Specific industry regulators are responsible for the relevant compliance supervision work within their respective industries. Examples of such sector-specific supervisory authorities include the China Banking and Insurance Regulatory Commission ('CBIRC'), the National Health and Family Planning Commission ('NHFPC'), the National Medical Products Administration ('NMPA'), the Ministry of Science and Technology ('MOST'), the State Administration for Market Regulation ('SAMR'), the Ministry of Industry and Information Technology ('MIIT'), and the Ministry of Transportation ('MOT').
If any data processing is related to national security, the CAC, the National Development and Reform Commission ('NDRC'), the MIIT, the MPS, the Ministry of State Security ('MSS'), the Ministry of Finance ('MOF'), the Ministry of Commerce ('MOC'), the People's Bank of China ('PBC'), the SAMR, the National Radio and Television Administration ('NRTA'), the China Securities Regulatory Commission ('CSRC'), the National Administration of State Secrets Protection ('NASSP'), and/or the State Cipher Code Administration ('SCCA') might be involved in the relevant security assessment, depending on the specific case.
3.2. Main powers, duties and responsibilities
The government authorities that supervise specific sectors are responsible for supervising compliance with data protection related obligations within those sectors. More generally:
- the CAC is responsible for comprehensive planning and coordination of personal information protection work and related supervision and management;
- the relevant State Council departments are responsible for personal information protection, supervision, and management work within their respective scope;
- the relevant departments of local governments at county-level and higher perform personal information protection, supervision, and management duties according to relevant provisions at state level;
- the MPS is responsible for supervising and administering the security and examination of public information systems, controlling classified cybersecurity protection, and punishing cybercrime;
- the MIIT supervises cybersecurity of telecommunications and internet companies;
- the CBIRC is responsible for compliance with data protection related obligations within the banking and financial industry;
- the NHFPC is responsible for compliance by medical institutions;
- the NMPA is responsible for compliance of medical and healthcare products; and
- the SAMR governs data compliance in the consumer sector.
4. Key Definitions
Personal information handler (data controller): There is no definition of 'data controller' under the PIPL. However, a personal information handler refers to an organisation or individual that, in personal information handling activities, autonomously decides the handling purposes and methods.
A personal information handler under the PIPL is similar to the concept of a 'data controller' in other privacy laws (such as the General Data Protection Regulation (EU) 2016/679 ('GDPR')). While the GDPR distinguishes between a data controller, who determines the means and purposes of processing personal data, and a data processor, who processes personal data on behalf of the controller, the PIPL does not formally define the concept of a personal information processor. Under the PIPL, when a personal information handler entrusts a third party (i.e., a data processor under the GDPR) to process personal information on its behalf, such third party is referred to as the 'entrusted party' or the 'contracting party'.
Sensitive data: Personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons or grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially designated status, medical health, financial accounts, and individual location tracking, etc., as well as the personal information of minors under the age of 14.
Processing: Collection, storage, use, processing, transmission, provision, disclosure, and deletion, among other things, of personal information.
Biometric data: Biometric samples, biosignatures, biosignature models, biometric properties, biometrics of original descriptive data, or a combination of the aforementioned data (Information Technology - Security Techniques - Biometric Information Protection (Draft) (only available to download in Chinese here)).
Pseudonymisation: There is no definition of pseudonymisation under the PIPL. However, the PIPL defines de-identification as the process of handling personal information so that it is impossible to identify specific natural persons without the support of additional information.
Anonymisation: The process of handling personal information so that it is impossible to identify specific natural persons and impossible to restore the original information.
Privacy Impact Assessment | Data Protection Impact Assessment: Neither 'Privacy Impact Assessment' ('PIA') nor 'Data Protection Impact Assessment' ('DPIA') is defined in the PIPL. However, the PIPL does set out requirements for conducting personal information protection impact assessments ('PIPIA'), as outlined below.
In addition, the Specification defines 'personal information security impact assessment' ('PISIA') as a process to check the degree of compliance with laws and regulations of personal information processing activities, determine the potential risks to the legitimate rights and interests of personal information subjects, and assess the effectiveness of the measures used to protect personal information subjects (Section 3.9 of the Specification).
Data protection officer: There is no definition of 'data protection officer' in the PIPL. However, the PIPL refers to 'personal information protection officers', who are responsible for supervising personal information handling activities and the protection measures adopted, etc. (Article 52 of the PIPL).
5. Legal Bases
Article 13 of the PIPL stipulates the legal bases for personal information processing.
A personal information handler may process personal information once it obtains consent from the individuals concerned.
Where processing is necessary to conclude or fulfil a contract to which the individual is an interested party, consent is not required.
Where processing is necessary to comply with a legal obligation or duty, no consent is required.
Where processing is for public interest purposes, to carry out news reporting, or supervision by public opinion, no consent is required.
Where processing is necessary to conduct human resources management according to lawfully formulated labour rules and structures and lawfully concluded contracts, consent is not required.
Where a personal information handler processes personal information already disclosed by individuals or otherwise already lawfully disclosed, it is not necessary to obtain consent for processing within a reasonable scope in accordance with the provisions of the PIPL.
In addition, personal information can be processed under other circumstances as stipulated by applicable law or administrative regulation.
The PIPL stipulates seven principles for personal information processing, namely:
Lawfulness: Personal information must be processed in accordance with the principles of legality, legitimacy, necessity, and good faith, and not in any manner that is misleading, fraudulent, or coercive.
Purpose specification: Processing must be conducted:
- for a specified and reasonable purpose;
- in a manner directly relevant to that purpose; and
- in a way that has the least impact on personal rights and interests.
Data minimisation: The collection of personal information must be limited to the minimum scope necessary for achieving the purpose of processing and must not be excessive.
Storage limitation: The storage period of personal information must be the minimum period necessary for achieving the processing purpose, unless any applicable law or administrative regulation stipulates otherwise.
Transparency: Processing must be conducted in accordance with the principles of openness and transparency (i.e., provision of notice, described above).
Accuracy: Personal information handlers must ensure the quality of personal information processed, to avoid any negative impact on personal rights and interests due to the inaccuracy or incompleteness of the personal information processed.
Data security: Personal information handlers must take necessary measures to ensure the security of the personal information processed.
7. Controller and Processor Obligations
For transfers of personal information to third parties, the PIPL requires the consent of data subjects unless a non-consent basis for processing applies.
The PIPL provides three methods for personal information handlers to transfer personal information out of China:
- passing a security assessment administered by the CAC;
- undertaking a personal information protection certification conducted by recognised institutions in accordance with relevant regulations of the CAC; or
- executing a standard contract for cross-border transfer provided by the CAC.
If a cross-border data transfer falls within any of the following circumstances, personal information handlers shall, through the local cyberspace administration at provincial level, apply for a mandatory security assessment of such transfer:
- transfer of important data outside of China;
- transfer of personal information outside of China by a CII operator, or by a personal information handler processing more than 1 million individuals' personal information;
- cumulative transfer of personal information of more than 100,000 individuals since 1 January of the preceding calendar year, or cumulative transfer of 'sensitive' personal information of more than 10,000 individuals since 1 January of the preceding calendar year; or
- other circumstances that require the security assessment of cross-border transfer provided by the CAC.
For a mandatory security assessment, the cyberspace administration at provincial level must complete its formality review within five business days of receipt of the application documents. If the documents satisfy the formality requirements, the cyberspace administration at provincial level submits them to the CAC. The CAC shall notify the applicant in writing whether it accepts the application within seven business days of receipt of the application documents. The CAC shall complete the security assessment within 45 business days after issuing the written notification of acceptance. In complex cases, or where application documents are supplemented or amended, appropriate extensions are allowed; in general, most applications would not fall into the extension scenario. The estimated time for the completion of the security assessment by the CAC is therefore approximately 57 business days. If the relevant personal information handler objects to the result of the security assessment, it may apply for re-assessment within 15 business days of receipt of the result. The re-assessment is final and binding.
For non-CII operators and personal information handlers that process personal information below the threshold amounts prescribed by the CAC, there are two other options for cross-border data transfers. One option is to obtain a personal information protection certification awarded by an institution recognised by the CAC. The other option, and the most likely to be used, is to execute a data transfer agreement with the recipient located outside of China that complies with the standard contract to be provided by the CAC.
For cross-border transfers of personal information, in addition to the above requirements, a personal information handler must also inform individuals of:
- the identity and contact information of the data recipient(s);
- the purpose(s) and method(s) of data processing;
- the type(s) of personal information to be transferred; and
- how individuals can exercise their rights under the PIPL with respect to the data recipient(s).
Personal information handlers must also obtain separate consent from individuals for the cross-border transfer of their personal information unless there is a legal basis for such transfer.
Additionally, cross-border transfers of personal information made for the purpose of providing international judicial and law enforcement assistance must first be approved by a competent Chinese authority.
The PIPL does not expressly require a personal information handler to retain data processing records. Nevertheless, if the personal information handler is required to conduct personal information protection impact assessments ('PIAs') for its processing activities, it must retain the PIA report and the relevant processing status records for three years. In addition, under Article 69 of the PIPL, if the personal information handler cannot prove that it was not at fault in processing personal information, it is liable for the damage caused by the processing.
Therefore, it is suggested that the personal information handler retain processing records as good practice and in order to defend itself against third party claims.
In addition, Section 11.3 of the Specification specifically recommends the data controller establish, maintain, and update the records of personal information processing activities and lists the detailed contents of records.
Under Article 55 of the PIPL, a personal information handler must conduct a personal information PIA prior to:
- processing sensitive personal information;
- using personal information in automated decision-making;
- engaging an entrusted party to process personal information on the personal information handler's behalf;
- providing personal information to another personal information handler;
- disclosing personal information to the public;
- transferring personal information outside of China; or
- any processing activity that will have a material impact on the personal rights and interests of an individual.
The PIA must specify:
- whether the purpose(s) and method(s) of processing are lawful, legitimate, and necessary;
- the impact of the processing on individuals' rights and interests, and the level of risk involved; and
- whether the protective measures undertaken are lawful, effective, and commensurate to the degree of such risk.
PIA reports and records of processing must be retained for at least three years.
The Guideline of Personal Information Security Impact Assessment (GB/T 39335-2020) provides guidance on how to conduct a PIA. In addition, the Specification outlines recommendations on conducting a personal information security impact assessment (Section 11.4 of the Specification).
Under Article 52 of the PIPL, if the volume of personal information processed reaches a threshold level as stipulated by the CAC, a personal information handler must appoint a personal information protection officer ('Officer'). The volume of personal information triggering the threshold has not yet been defined.
Pursuant to Article 52 of the PIPL, organisations are required to publish the details of the designated persons including name, contact method, etc. and report them to the departments fulfilling personal information protection duties and responsibilities.
Article 53 of the PIPL states that organisations established outside the borders of the People's Republic of China are required to establish a dedicated entity, or appoint a representative, within the borders of the People's Republic of China to be responsible for matters related to the personal information they handle.
Please note that the DSL and the CSL also require the appointment of persons responsible for data security and persons in charge of cybersecurity, respectively (Article 27 of the DSL and Article 21(i) of the CSL).
In addition, reference can be made to the Specification which outlines the duties of the person and the department responsible for personal information protection. Such duties include but are not limited to (Article 11.1(d) of the Specification):
- coordinating personal information security within the organisation, and bearing direct responsibility for personal information security;
- organising the development of a personal information protection work plan, and supervising its implementation;
- developing, issuing, implementing, and regularly updating privacy policies and related procedures;
- establishing, maintaining, and updating a list of personal information held by the organisation (including the type of personal information, quantity, source, recipient, etc.) and authorised access policies;
- carrying out personal information security impact assessments, proposing countermeasures for personal information protection, and urging reform and rectification of all hidden dangers;
- organising personal information security training;
- testing products or services before they are released to avoid the inappropriate collection, use, and sharing of personal information;
- publishing complaints, reporting methods, and other information, and promptly accepting complaints and reports;
- conducting a security audit; and
- communicating with the supervisory and management departments, and reporting on personal information protection and event handling.
Under the PIPL, in the event of a suspected or actual data breach, a personal information handler must immediately undertake remedial measures and notify affected individuals and relevant regulators. The PIPL requires specific content to be included in the notification, including:
- the type(s) of personal information affected;
- the cause of, and possible harm that may result from, the breach;
- any remedial measures taken by the personal information handler and measures individuals can adopt to mitigate harm; and
- the contact information of the personal information handler.
The PIPL does, however, provide a risk of harm threshold for notice to affected individuals. If the measures taken by a personal information handler can effectively mitigate the harm caused by the data breach, a personal information handler would not be required to notify affected individuals, unless a regulator determines otherwise.
Personal information retention periods will be the shortest period necessary to realise the purpose of the personal information handling, except where laws or administrative regulations provide otherwise.
The personal information handler will also refer to the Provisions on the Online Protection of Personal Information of Children (only available in Chinese here) when processing children's personal information.
There is no provision regulating processing criminal conviction data under the PIPL.
Pursuant to the PIPL, where a personal information handler contracts with an entrusted party to process personal information on its behalf, the personal information handler must execute a processing agreement with the entrusted party that includes:
- the purpose(s) of processing;
- the period and method(s) of processing;
- the type(s) of personal information to be processed;
- any protective measures to be taken; and
- both parties' rights and obligations under the PIPL.
Personal information handlers are responsible under the PIPL for supervising the processing activities of entrusted parties, but the PIPL does not specify prescribed supervision requirements. Upon the completion or termination of a personal information handler's agreement with an entrusted party, the entrusted party must return the personal information to the personal information handler or delete it.
8. Data Subject Rights
Prior to processing personal information, a personal information handler must provide notice to individuals on how their personal information will be processed. Under the PIPL, a privacy notice must contain the following:
- the name and contact information of the personal information handler;
- the purpose(s) and method(s) of processing, the categories of personal information to be processed, and the retention period of the personal information;
- the name and contact information of any other personal information handler that will have access to the personal information, the purpose(s) and method(s) of processing by such other personal information handler, and the categories of personal information provided to such other personal information handler;
- where applicable, the use of automated decision-making;
- where applicable, the necessity of processing sensitive personal information and the impact of such processing on individuals' rights and interests;
- where applicable, a special notice with respect to the processing of children's personal information (under 14 years old);
- for data transfers outside of China:
  - the name and contact information of the data recipient(s);
  - the purpose(s) and method(s) of processing by the recipient(s);
  - the type(s) of personal information transferred; and
  - the method and procedure for individuals to exercise their rights under the PIPL with respect to the data transfer recipient(s); and
- where applicable, the contact information of the Officer.
Pursuant to the PIPL, individuals are entitled to request access to their personal information from the personal information handler.
Pursuant to the PIPL, in cases of any error or incompleteness of the personal information, the individual is entitled to make a request to the personal information handler for rectification.
Pursuant to the PIPL, the individuals are entitled to request the personal information handler to delete their personal information on any of the following conditions:
- the handling purpose has been achieved, is impossible to achieve, or the personal information is no longer necessary to achieve the handling purpose;
- personal information handlers cease the provision of products or services, or the retention period has expired;
- the individual rescinds consent;
- where personal information handlers have handled personal information in violation of laws, administrative regulations, or agreements; or
- other circumstances provided by laws or administrative regulations.
Pursuant to the PIPL, the individual is entitled to object to personal information processing.
Pursuant to the PIPL, individuals may request the personal information handler to transfer their personal information to a personal information handler designated by them.
Pursuant to the PIPL, personal information handlers must ensure the transparency and fairness of automated decision-making. They are prohibited from applying discriminatory treatment to individuals in terms of price or other transaction conditions. Where individuals consider that automated decision-making has a significant impact on their rights and interests, they are entitled to request an explanation from the personal information handler and may reject decisions made solely through automated means. If the personal information handler uses automated decision-making for marketing or information push notifications, it must also provide an option that does not target personal characteristics, or an option to reject automated decision-making.
Pursuant to the PIPL, the individuals may also request the personal information handler to copy their personal information and restrict processing of their personal information.
In terms of deceased individuals, their next of kin may, for the sake of their own lawful, legitimate interests, exercise the rights to consult, copy, correct, delete, etc., the personal information of the deceased, except where the deceased individuals have other arrangements before their death.
Personal information handlers who violate the PIPL with respect to their processing of personal information may be subject to penalties including:
- an order to correct the alleged violations;
- the disgorgement of profits; or
- the provisional suspension or termination of the electronic applications found to be in violation of the PIPL.
Entities that refuse to correct the alleged violations may be subject to a fine of not more than RMB 1 million (approx. €136,260), and responsible personnel may be subject to fines of between RMB 10,000 (approx. €1,360) and RMB 100,000 (approx. €13,630).
In the event of grave violations of the PIPL (a term not defined under the PIPL), entities and responsible personnel may be subject to fines of up to RMB 50 million (approx. €6.8 million) or 5% of annual revenue. Additionally, the offending entity's business or related business activities may be suspended pending rectification of the alleged violations, and the entity may be required to report to the relevant authorities regarding such suspension. Further, individuals directly responsible for 'grave' violations of the PIPL may be fined between RMB 100,000 (approx. €13,630) and RMB 1 million (approx. €135,260), and may be prohibited from holding certain positions, including director, supervisor, high-level manager, or data protection officer, for a certain period of time.
An enforcement review of the privacy practices of certain of the principal internet service providers in China resulted in disciplinary measures against at least four of them in December 2017. Reportedly, the review was undertaken on the service providers' failure to observe the requirements of a set of generally applicable standard guidelines establishing good practices on personal information security. Though, on the face of it, not binding, enforcement agencies in China can still use such a personal information security standard as a reference or guide in their administration and enforcement activities.
Below are some enforcement cases in recent years:
- On 6 January 2018, the CAC coordination department summoned Alipay and Zhima Credit Management LLC for a regulatory interview due to non-compliance with the Specification.
- A listed company in Wuxi used a weak password for the website administrator account of its office administration system. In addition, the company did not require a password change on first login and did not enforce a minimum password strength. Such insufficient security measures are very likely to result in the loss of personal information through credential stuffing attacks.
- A cultural communication company purchased a large volume of student personal information, including school, class, and parents' telephone numbers, and planned to use this data for precision marketing. In April 2019, the Wuxi police imposed a fine of RMB 20,000 (approx. €2,720).
- On 3 July 2019, the MIIT carried out sampling checks on 100 internet companies and discovered a number of issues. 18 of the sampled apps did not disclose the rules for the collection and use of personal information, did not explain how users could correct their personal information, or did not provide a way to deregister. 33 of the sampled apps collected and used personal information in violation of the law. The MIIT ordered the non-compliant apps to be removed from app stores pending rectification.
- On 19 December 2019, the MIIT publicly named 41 apps in connection with the infringement of users' interests, and on 8 January 2020 it publicly named a further 15 apps. The non-compliance concerned the unlawful collection and use of personal information, unreasonable requests for authorisation from users, and the placement of barriers to deregistration. The MIIT ordered any app that failed to complete rectification to be removed from online stores.
- On 23 June, the People's Procuratorate of Yuhang District, Hangzhou, Zhejiang Province, filed a civil public interest lawsuit with the Hangzhou Internet Court against an internet technology company for forcing users to authorise access to the photos, media content, and documents on their devices and to the International Mobile Equipment Identity ('IMEI'), as well as for the unlawful collection and storage of over 10 million pieces of personal information. The plaintiff and defendant reached a mediation agreement in court. Under the mediation agreement, the defendant must:
  - delete all the relevant personal information unlawfully collected;
  - publicly apologise in the Legal Daily; and
  - undertake to conduct its business operations lawfully.
  In the event of a breach of this agreement, the defendant would pay RMB 500,000 (approx. €68,130) in liquidated damages to the National Personal Information Protection public interest fund for public welfare expenditure.
- A customer manager at a bank in Zhanjiang City, Guangdong Province, unlawfully sold customers' bank account information, including names, ID numbers, telephone numbers, and bank account numbers, totalling 31,456 records, to a finance company for loan marketing. The People's Procuratorate of Jingkai District, Zhanjiang, submitted a prosecutorial proposal to the Banking and Insurance Regulatory Sub-Bureau of Zhanjiang ('Sub-Bureau') before litigation. On 31 December 2020, the Sub-Bureau imposed an administrative penalty of RMB 200,000 (approx. €27,250) on the bank. On 4 January 2021, the Sub-Bureau barred the customer manager from working in the banking industry for one year.
- On 4 July 2021, the CAC announced that the Didi app had seriously violated the CSL's requirements on the collection and use of personal information, and ordered app stores to remove Didi.
- On 5 July 2021, following an investigation, the Zhejiang Communications Administration found that Ali Cloud Computing LLC had disclosed users' registration information to a partner without consent on 11 November 2019. The Zhejiang Communications Administration held that this conduct violated Article 42 of the CSL and ordered Ali Cloud to rectify it.
- Kohler (China) collected facial information in its stores without consumers' consent from February 2020 to March 2021, in violation of the relevant provisions of the Law of the People's Republic of China on the Protection of the Rights and Interests of Consumers (only available in Chinese here) ('the Consumers Protection Law'). The Administration for Market Regulation of Jiangan District, Shanghai, imposed a penalty of RMB 500,000 (approx. €68,130) on Kohler and ordered it to rectify its practices.
- In August 2021, the Yubei District branch of Chongqing New Oriental Education & Training LLC unlawfully collected and used 1,053 pieces of consumers' personal information without their consent. The Chongqing Administration for Market Regulation held that the company had violated the relevant provisions of the Consumers Protection Law, imposed a penalty of RMB 340,000 (approx. €46,330), and ordered it to eliminate the relevant adverse effects.