Support Centre
China - Data Protection Overview
Back

China - Data Protection Overview

November 2020

INTRODUCTION

China's data protection laws are in a period of change and there has been significant progress in the field of data protection legislation in recent years. In addition to the Cybersecurity Law 2016 (official Chinese version available here; unofficial English version available here) ('the Cybersecurity Law'), the Civil Code of the People's Republic of China (only available in Chinese here) ('the Civil Code'), which will become effective on 1 January 2021, expressly provides the right of privacy and personal information protection. The express protection of personal information under the Civil Code represents a new era of privacy and personal information protection. Moreover, on 3 July 2020, the Data Security Law of the People's Republic of China (Draft) (only available in Chinese here) ('the Draft Data Security Law') was issued for public comments and, on 21 October 2020, the Personal Information Protection Law (Draft) (only available in Chinese here) ('the Draft Personal Information Law') was issued for public comments. The above legislation together symbolises the establishment of a complete system of personal information protection. The Cybersecurity Law, the Draft Data Security Law, and the Draft Personal Information Law altogether constitute three fundamental pieces of legislation in respect of cybersecurity and data protection. Nonetheless, there are also specific requirements under laws and regulations that govern specific industry sectors, such as the telecommunications, finance, healthcare, network services, consumer, and e-commerce sectors. For the purpose of this Overview, we will not discuss the data protection in specific industry sectors.

Prior to releasing the Draft Personal Information Law, there was no single law of general application that specifically addressed data protection as its principal or exclusive subject matter. In general, the laws that relate to the processing of personal information originally were intended to regulate different areas. These laws do, however, impose requirements that have the practical effect of affecting the processing of personal information. Some laws (such as those addressing consumer protection) contain provisions that govern the collection and processing of personal information, but remain principally directed toward the regulation of other issues. Therefore, although these laws do not address the topic of personal information in a direct, coordinated, and systematic manner, taken together, they address many of the individual components of what lawyers in many jurisdictions would recognize as a data protection law.

In the near future, new guidelines and standards can be expected at any moment as China's cybersecurity and personal information protection framework continues to emerge.

In addition, the legislative agenda for the current five-year plan states an intention to enact a new personal information protection law and a new data security law, of which drafts have been released for public comments. No specific timetable for either is given, but one might reasonably expect both to be enacted within the term of the current plan, which runs from March 2018 until March 2023.

In sum, change is in prospect in both the immediate and longer term. This note describes certain arrangements as they stand at this time, and does not attempt to predict the final, definitive features of China's data protection framework. Changes over time will be addressed by means of successive updates to this Overview.

1. GOVERNING TEXTS

1.1. Key acts, regulations, directives, bills

As explained above, at the time of this Guidance Note's publication, in China, the Draft Personal Information Law has recently been released for public comments. Besides the Draft Personal Information Law, we will list other key laws and regulations related to the data protection.

The Draft Personal Information Protection Law

The Draft Personal Information Protection Law addresses personal information processing, cross-border transfers of personal information, the rights of data subjects for data processing, data processor obligations, the supervisory authority in charge of personal information protection, and legal liability.

Constitutional provisions

Articles 38 and 40 of the Constitution of the People's Republic of China (only available in Chinese here) establishes rights that relate to privacy, such as a right of dignity of the person, prohibitions against insult, defamation, false accusation, or false information directed against Chinese citizens, and a right of freedom and secrecy of correspondence. These provisions do not, however, establish an express constitutional right to privacy, even though their subject-matter may be related to privacy.

Criminal law provisions

The Ninth Amendment to the People's Republic of China's Criminal Law (promulgated on 29 August 2015) (only available in Chinese here) ('the Ninth Amendment') provides that all parties who sell or provide personal information to a third party, in violation of the law, are subject to criminal liability, and that parties who sell or provide personal information obtained during their performance of duties and provision of services, in violation of law, are subject to a heavier punishment.

Regulation on the protection of the security of computer information systems

The Regulation on the Protection of the Security of Computer Information Systems (promulgated on 18 February 1994) (only available in Chinese here) requires that computer information systems not be used to endanger the legitimate interests of citizens of China, or to endanger the national and public interests.

Decisions of the standing committee of the people's congress of China on safeguarding the security of the internet

Decisions of the Standing Committee of the People's Congress of China on Safeguarding the Security of the Internet (promulgated on 28 December 2000 and amended on 27 August 2009) (only available in Chinese here) require that the contents of particular databases to:

  • be kept confidential;
  • be protected by security measures and procedures; and
  • not be breached, altered, or distributed.

Several provisions on regulating market order of internet information services

Several Provisions on Regulating Market Order of Internet Information Services (promulgated on 29 December 2011, effective as of 15 March 2012) (only available in Chinese here) regulates the collection, processing, and disclosure of personal information by internet information service providers.

Resolution to strengthen the protection of information on the internet

At the end of 2012, the Standing Committee of the National People's Congress passed the Resolution to Strengthen the Protection of Information on the Internet (only available in Chinese here). Although this resolution appears intended primarily to address the security of internet use, it also contains provisions governing the collection and processing of personal information. Moreover, the nature of its subject matter (which is the processing of electronic personal information over the internet) gives it the potential for broader application than many other sector-specific regulations.

In 2013, significant developments in China's data protection legal framework materialised in the form of new regulations in the telecommunications, internet, and credit reference sectors, and new provisions protecting consumer personal information. By 2015, government authorities in China had started to place a higher level of priority on cybersecurity and personal data protection on the internet in response to the rapid development of internet technology and the resulting surge in the number of users of internet services.

Administrative regulations on the credit reference sector

The Administrative Regulations on the Credit Reference Sector (only available in Chinese here) set forth a series of rules for the collection, use, processing, disclosure, and transfer of personal information by credit reference agencies.

Cybersecurity Law

On 7 November 2016, the Cybersecurity Law, effective as of 1 June 2017, was passed in China. The Cybersecurity Law also imposes personal information protection obligations on network operators and requires data breach notification.

Moreover, the Cybersecurity Law contains personal information protection requirements which are applicable to all enterprises that operate a computerised information network system. The Cybersecurity Law contains a data localisation requirement, under which operators of critical information infrastructure ('CII') may not transmit 'critical data' or 'personal information' which they collect or generate within China in the course of operating their business in China to a destination outside of China, unless they first undergo (and pass) a 'security assessment.' At the time of writing this note, some provisions still await clarification by way of implementing regulations or other more detailed rule-making.

The Cybersecurity Law also establishes personal information protection obligations for network operators. Specifically, under the Cybersecurity Law, network operators are subject to notice and consent requirements in respect to the collection and use of personal information, and a requirement to comply with the principles of legitimacy, rightfulness, and necessity. Network operators are prohibited from providing personal information to third parties without the data subject's consent, except in cases where personal information is depersonalised in such a way that it cannot identify the data subject, and that the depersonalisation cannot be reversed. When leakage, destruction, or loss of personal information has occurred or has become possible, the network operator must promptly notify users, and report to the relevant government agencies pursuant to relevant laws. The administrative penalties for network operators that violate obligations under the Cybersecurity Law may include a warning, an order to rectify, a fine, an order to suspend operations, or even revocation of business permits or licences.

Though in concept the Cybersecurity Law is specific to the context of cybersecurity, and therefore in theory merely another patch within the patchwork quilt of China's personal information protection framework, the Cybersecurity Law requirements are made so broadly applicable as to bind practically all business enterprises of any substance.

The Cybersecurity Law is to be accompanied by an extensive series of guidelines and standard documents which, typically, will not be binding, but should still be taken seriously because they establish market standards, best practices, and regulatory expectations. This portfolio of guidance documents is still emerging. A certain number of these have been issued but only in draft form with substantial or even fundamental changes still possible, while others are still being drafted and have not been published yet.

Draft classified protection of cybersecurity

 In June 2018, the Ministry of Public Security (MPS') issued the Draft Regulations on the Classified Protection of Cybersecurity (only available in Chinese here), rating security into five classifications which are subject to five different levels of protection.

Regulation on the protection of the security of critical information infrastructure (draft) and cybersecurity review measures

In terms of CII, the Regulation on the Protection of the Security of Critical Information Infrastructure (Draft) (promulgated on 10 July 2017) (only available in Chinese here) concerns the protection of critical information infrastructure and the Cybersecurity Review Measures (promulgated on 13 April 2020) (only available in Chinese here) (an unofficial English version of the Law is available here) ('the Cybersecurity Measures') regulates CII operators procurement of network products and services. This draft regulation and the Cybersecurity Measures further expand and clarify the scope of entities that could be considered as CII operators, for example entities in sectors such as science and technology for national defence, large-scale equipment manufacturing, chemical engineering, food and drugs, etc. However, whether companies operating in one of the abovementioned sectors will be considered CII operators remains unclear. It is expected that further decisions and guidance will clarify exactly what CII is and the types of organisations that are deemed as CII operators.

Draft guidelines concerning the security assessment of cross-border transfers of personal information and important data and draft measures of security assessment of cross-border transfer of personal information

In terms of cross-border data transfer, the legal framework has not been finalised. There are two draft regulations, Draft Guidelines Concerning the Security Assessment of Cross-Border Transfers of Personal Information and Important Data (only available in Chinese here) ('the 2017 Draft') and Draft Measures of Security Assessment of Cross-Border Transfer of Personal Information (only available in Chinese here) ('the 2019 Draft'). Both draft guidelines provide requirements of security assessment for cross-border data transfers, although there are some differences in relation to the detailed provisions under these two draft guidelines. At the end of October 2020, these draft regulations and guidelines in relation to cross-border data transfer have yet to be finalised. It is believed that important data and personal data would be subject to different rules in cases of cross-border data transfer. It should be noted that, in the Draft Personal Information Protection Law, there are some provisions on cross-border transfers of personal data which will be the principal provisions on the subject in China.

Administrative measures for data security (draft)

On 28 May 2019, the Cyberspace Administration of China issued the Administrative Measures for Data Security (Draft) (only available in Chinese here), which further provides the relevant rules in relation to the collection and use of personal information. This draft also sets up rules concerning important data, which contains specific rules of data security and would be an important implementing regulation of the Cybersecurity Law in practice once it becomes effective.

Cryptography law

In addition, in 2019, the Cryptography Law (promulgated on 26 October 2019 and became effective on 1 January 2020) (only available in Chinese here) adopts import licensing and export control for commercial cryptography involving national security, public interests, or international obligations. Commercial cryptography products involving national security, national economy and people's livelihood, and public interests shall be included in the catalog of critical network equipment and special network security products, and may not be sold or provided unless they pass the detection and certification by qualified institutions.

Provisions on the inline protection of personal information of children

Provisions on the Online Protection of Personal Information of Children (promulgated on 22 August 2019 and effected on 1 October, 2019) (only available in Chinese here) establishes the special rules for protection of minor’s personal information, which is the first legislation concerning the personal information protection of children.

Methods for identifying unlawful acts of applications (apps) to collect and use personal information

In addition to the Administrative Provisions on Mobile Internet Applications Information Services (promulgated on 28 June 2016) (only available in Chinese here), regulation on the collection and use of personal information by Apps is one of the main focuses for personal information protection in 2019 and 2020. A series of regulation, guidelines, and draft national standard have been released. Methods for Identifying Unlawful Acts of Applications (Apps) to Collect and Use Personal Information (promulgated on 28 November 2019) (only available in Chinese here) provide the not-to-do list for Apps.

The Civil Code

The Civil Code was released on 28 May 2020 and will become effective on 1 January 2021. The Civil Code provides a right of privacy and personal information protection in Chapter VII of Part IV Personality Rights. The significance of the Civil Code is second only to the Constitution and its issuance symbols the new era of protection of privacy and personal information. This is the first time for right of privacy and personal information protection to be listed as a single chapter under the law. The right of privacy and personal information would be categorised as personality right, which provides the legal remedy from the perspective of torts in cases of infringement of privacy and/or personal information. Furthermore, privacy is defined by law for the first time, which refers to the private peaceful life of a natural person and the private space, private activities, and private information that a natural person does not wish to be known by others. Moreover, the Civil Code adds three types of information to the concept of personal information defined in the Cybersecurity Law; that is, email, health information, and tracking information.

The Civil Code focuses on regulating the collection, use, processing, transmission, provision, and disclosure of personal information by a third party, establishing the principle and conditions to process personal information, stipulating the individual's right toward his/her personal information, such as rights of access, copy, correction, and deletion, and preventing the information processor from leakage, falsification, and unlawful provision of personal information to others.

In addition to the consent required before processing personal information, the Civil Code also provides exceptions for consent if allowed by relevant laws and regulations. The Civil Code also creates the concept information processing, which broadly covers the activities of collection,  storage, use, processing, transmission, provision and disclosure of personal information.

The Civil Code also addresses personality rights, covering provisions which establish the right of a private citizen to sue for damages or other remedies in tort in cases where medical records are mishandled, where the internet is used to harm the interests of the private citizen or, more generally, where the private citizen's right to personality, such as life, body, privacy, health, name, reputation, honour, or portrait, has been infringed upon and damages have occurred.

The Draft Data Security Law

On 3 July 2020, the Draft Data Security Law was issued for public comment. The Draft Data Security Law is considered the fundamental piece of legislation in the field of data security and is set to constitute the legal system for data regulation together with Cybersecurity Law and the Draft Personal Information Protection Law.

1.2. Guidelines

Over the course of 2017-2020, in addition to some formal rules, Chinese authorities also released several draft regulations and guidelines in relation to the Cybersecurity Law.

All the national standards in connection with information security are issued by the National Information Security Standardisation Technical Committee ('TC260').

The TC260 Specification

A standard issued by TC260 entitled the Information Security Technology - Personal Information Security Specification (GB/T 35273-2020) ('the TC260 Specification') establishes benchmarks for the processing of personal information by all types of entities and organisations. This standard first became effective on 1 May 2018 and was amended on 6 March 2020, with such amendments becoming effective on 1 October 2020. The amendments address the relevant issues brought by emerging technologies, such as personalised display, data integration, management of SDK/plug-in, etc. The the TC260 Specification is voluntary and not mandatory, but it may nevertheless be considered as a generally accepted compliance standard and good practice in China.

The internet security guidelines

The Guidelines for Internet Personal Information Security Protection ('the Internet Security Guidelines') (promulgated by the Cybersecurity Guard Department of the MPS, the Beijing Network Industry Committee, and the 3rd Research Institution of the MPS) stipulate protection of personal information from the perspectives of the management system, security technology, data processing, and contingency disposal. This guideline is voluntary and not mandatory, but it may nevertheless be considered as a generally accepted compliance standard and good practice in China, often referred by the police in enforcement actions.

National standards regarding classified protection of cybersecurity systems

In 2019, China established the classified protection of cybersecurity system by formally issuing five national standards (promulgated by TC260): 

  • Information Security Technology - Basic Requirement of Classified Protection of Cybersecurity (GB/T22239-2019) (only available in Chinese here);
  • Information Security Technology - Technical Requirement of Security Design of Cybersecurity (GB/T25070-2019) (only available in Chinese here);
  • Information Security Technology - Test Requirement of Classified Protection of Cybersecurity (GB/T28448 - 2019) (only available in Chinese here);
  • Information security technology -Implementation guide for classified protection of cybersecurity (GB/T 25058-2019) (only available in Chinese here); and
  • Information security technology - Classification guide for classified protection of cybersecurity (GB/T 22240-2020) (only available in Chinese here).

Under the five standards, the protection subjects include basic information networks, cloud computing platforms/systems, Big Data applications/platforms/resources, Internet of Things ('IoT'), industry control systems, and systems using mobile interconnection technology. The classified protection of cybersecurity has been divided into five levels. In each level, there are general security requirement and extended security requirements designed for cloud computing, mobile interconnection, IoT and industry control system. The general security requirement is applicable to each subject, e.g. cloud computing will be first subject to the general security requirement and then subject to extended security requirement specifically for cloud computing. The general security requirement would be further divided into technical requirements (including secure physical environment, secure communication network, secure area boundary, secure computing environment, and secure management centre) as well as management requirements (including secure management system, secure management department, secure management personnel, secure construction management, and secure operation and maintenance management). Specific regulations on the classified protection of cybersecurity may refer to Regulations on the Classified Protection of Cybersecurity (Draft for Comments) (only available in Chinese here) ('the Draft Regulation') which was released on 27 June 2018 but has not become effective yet. Given that the period for public comments for the Draft Regulation has ended and its implementing standards have been effective, the Draft Regulation might be formally released at any time.

Please note that while these recommended standards are not legally binding and enforceable, in practice the technical expert would assess the grading of the network by referring to these classified cybersecurity protection standards from the perspective of technique. Therefore, for the purpose of compliance with the cybersecurity protection required by law, network operators shall comply with these classified cybersecurity-related national standards.

Guidelines regulating apps

The following constitutes the comprehensive system for rules on the collection and use of personal information by apps:

  • the Self-Assessment Guideline on Unlawful Acts of Applications (Apps) of Collection and Use of Personal Information (promulgated by the App special governance working group in March 2019) (only available in Chinese here);
  • the Implementation of Security Recognition of Mobile Apps (promulgated by the State Administration for Market Regulation ('SAMR') and the Office of Central Cyberspace Affairs Commission ('CAC') on 13 March 2019) (only available in Chinese here);
  • the Specification of Essential Personal Information Collected by the Business Functions of Mobile Internet Applications (promulgated by TC260 on 1 June 2019) (only available in Chinese here);
  • the Information Security Technology - Basic Specification of Collection of Personal Information by Mobile Internet Apps (Draft) (promulgated by TC260 on 8 August 2019) (only available in Chinese here);
  • the Network Security Standard Practice Guidance - Guidance on Common Issues and Disposal for Personal Information Protection of Mobile App (promulgated by the TC260 Secretariat on 18 September 2020) (only available in Chinese here); 
  • the Network Security Standard Practice Guidance – Guidance on System Permission Application (promulgated by National Information Security Standardization Technical Committee Secretariat on 18 September 2020) (only available in Chinese here); 
  • the Network Security Standard Practice Guidance - Guidance on Security of Third Party SDK (Draft) (promulgated by TC260 Secretariat on 18 September 2020) (only available in Chinese here);
  • the Network Security Standard Practice Guidance - Guidance on Self-Assessment on Collection and Use of Personal Information (promulgated by TC260 on 22 July 2020) (only available in Chinese here); and
  • the Network Security Standard Practice Guidance – Guidance on Personal Information Security of Mobile Apps (Draft) (promulgated by TC260 on 30 March  2020) (only available in Chinese here). 

1.3. Case law

As it has adopted a civil law system, case law is generally less influential in China. Interpretations issued by relevant regulatory authorities are often more impactful than case law generated by litigation in the court system. Provisions of the Supreme People's Court on Several Issues concerning the Application of Law to Trials of Civil Dispute Cases of Infringement of Personal Rights via Information Networks (only available in Chinese here), which was issued by the Supreme People's Court of the People's Republic of China in August 2014, has been significant in establishing protection for the name, likeness, reputation and honour, and personal data of Chinese citizens.

Judicial interpretation

Interpretation of the Supreme Court and the Supreme People's Procuratorate of the People's Republic of China on Several Issues concerning the Application of Law in the Handling of Criminal Cases of Infringing on Citizens' Personal Information clarifies certain issues concerning the application of criminal law and criminal procedure on personal information protection in practice.

Provisions of the Supreme People's Court on Several Issues concerning the Application of Law to Trials of Civil Dispute Cases of Infringement of Personal Rights via Information Networks clarifies issues concerning the application of law to civil cases involving the infringement of personal rights, including the right of name, reputation, honour, portrait, and privacy via information networks.

2. SCOPE OF APPLICATION

2.1. Personal scope

The Draft Personal Information Protection Law applies to identifiable natural persons and private/public organisations.

2.2. Territorial scope

The Draft Personal Information Protection Law could be applicable outside of China to the extent necessary for the purpose of protecting the interests of data subjects in China. In cases where the purpose of data processing outside of China is to provide products or services to individuals in China or to analyse and assess the behaviour of individuals in China, such data processing activities would be governed by the Draft Personal Information Protection Law.

In cases where the data activities infringe the national security, public interests, or legitimate interests of citizen and organisation, the Draft Data Security Law would have long-arm jurisdiction.

2.3. Material scope

The Draft Personal Information Protection Law will cover personal information, personal sensitive information, and anonymous data.

3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY

3.1. Main regulator for data protection

Because there is no uniform data protection law in China, no single specific authority or agency in China has responsibility for the supervision of compliance with personal data related laws. Generally, the government authorities that supervise specific sectors also have responsibility for the supervision of compliance with data protection related obligations within the same sectors. Examples of such sector-specific supervisory authorities include the Cybersecurity Administration of China ('CAC'), the MPS, the China Banking and Insurance Regulatory Commission ('CBIRC'), the National Health and Family Planning Commission ('NHFPC'), the National Medical Products Administration ('NMPA'), the Ministry of Science and Technology ('MST'), the SAMR, and the Ministry of Industry and Information Technology ('MIIT').

At this time there are seven industry sectors in relation to which China has relatively coherent and complete regulatory frameworks. They include the telecommunications and network services, financial, credit reference, healthcare, consumer, and e-commerce sectors.

3.2. Main powers, duties and responsibilities

  • The CAC is responsible for implementing an internet information dissemination policy and promoting a legal system of internet information dissemination, as well as guiding, coordinating, and reinforcing the administration of internet content and investigating and punishing websites in violation of relevant laws and the regulations.
  • The MPS is responsible for supervising and administering the security and examination of public information systems, controlling classified cybersecurity protection, and punishing cybercrime.
  • The CBRC is responsible for compliance with data protection related obligations within the banking and financial industry.
  • The NHFPC is for compliance by medical institutions.
  • The NMPA is for compliance of medical and healthcare products.
  • The MOST is for compliance of human generic resources.
  • The PBC is for compliance by credit reference service institutions and credit data centres.
  • The SAMR is for compliance with the consumer sector.
  • The MIIT is for compliance within the telecommunications industry.

4. KEY DEFINITIONS

Personal data: Any information which can independently identify a natural person or be used to identify a specific natural person when combined with other information, including natural person's name, date of birth, ID, biometric information, address, phone number, email, health information, and location information (Article 1034 of the Civil Code).

Sensitive data: Any personal information that potentially endangers the physical and property safety and easily causes damage of personal reputation and physical and mental health or discrimination treatment in cases of leakage, unlawful provision or misuse (TC260 Specification).

Data controller: The organisation or individual who is entitled to determine the purpose and manner of personal information processing (The TC260 Specification).

Data processor: Not defined under law, although the Civil Code does use the concept of data processor.

Biometric data: Biometric samples, biosignatures, biosignature models, biometric property, biometrics of original descriptive data, or the combination of the aforementioned data (Information technology—Security techniques—Biometric information protection (Draft).

Health data: Not defined under law.

Pseudonymisation: Where the data subject cannot be identified by technical processing of the personal information and such information after processing cannot be recovered (TC260 Specifications). 

5. LEGAL BASES

Pursuant to the Draft Personal Information Protection Law, the data processor may process personal data based on:

  • consent of the data subject;
  • the necessity to execute or perform contract;
  • the necessity to perform a legal obligation or legal duty;
  • response to an emergency public health event or the necessity to protect the safety of an individual's life and property; or
  • news publication and supervision by public opinion for public interests within reasonable scope.

5.1. Consent

Please see section 5 above.

5.2. Contract with the data subject

Please see section 5 above.

5.3. Legal obligations

Please see section 5 above.

5.4. Interests of the data subject

Not applicable.

5.5. Public interest

Pursuant to the Civil Code, the data processor shall not assume civil liability for its reasonable actions in cases of safeguarding the public interest.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. PRINCIPLES

The Draft Personal Information Protection Law stipulates seven principles including:

  • legality;
  • explicit purpose;
  • minimum necessity;
  • transparency;
  • accuracy;
  • accountability; and
  • and data security.

7. CONTROLLER AND PROCESSOR OBLIGATIONS

7.1 Data processing notification

Under Chinese law, there is no requirement for registration of data processing.

7.2. Data transfers

In terms of transfer of personal information to third parties, the Cybersecurity Law requires the consent of data subjects.

In terms of cross-border transfers of personal information, since May 2019, the CAC released several draft data protection laws for public comment, such as the draft Data Security Administrative Measures, and the 2019 Draft, aimed at providing regulation and more detailed rules to supplement the principles of the Cybersecurity Law. It is noted that, before the 2019 Draft, back in April 2017, the CAC had released the 2017 Draft, which overlaps with the 2019 Draft in terms of cross-border transfers of personal information although there are some different provisions. The Draft Personal Information Protection Law also addresses cross-border data transfer, reflecting latest attitude of Chinese regulators for cross-border data flows. Nevertheless, given that cross-border data flows are necessary for the cross-border flow of goods, services, persons, and capital, and also closely relate to a nation's national security, enforcement needs, protection of personal data, and domestic digital economy industry, the mechanism of cross-border data transfers is quite complex and has been under discussion for a long time in China.

At present, China has not finalised the cross-border data flow mechanism, and the current related regulations have not yet become effective. Pursuant to the Draft Personal Information Protection Law, in general, cross-border transfers of personal information shall be certified by recognised institutions, or else the data processor shall execute an agreement with the recipient located outside of China regarding the cross-border transfer of personal information and ensure the processing meets the protection standard provided under this law, unless the data processor is categorised as a CII operator or the volume of data processed by the data processor exceeds certain volume stipulated by the CAC, in which case the cross-border transfer of personal information shall be subject to a security assessment conducted by the CAC.  

7.3. Data processing records

There is no mandatory requirement to address data processing records of a data controller and/or operator. Pursuant to the TC260 Specification, the data controller shall correctly record and store the personal information to be processed by a third party.

7.4. Data protection impact assessment

There is no mandatory requirement for a data controller to conduct a Data Protection Impact Assessment ('DPIA')/Privacy Impact Assessment ('PIA'). Nonetheless, the TC260 Specification requires the data controller to conduct DPIA/PIA to assess the security risk involved in data processing activities. In cases where the data controller authorises a third party to process the personal data collected, the data controller shall assess the data processing activity to ensure the data processor possesses sufficient data security capability and provides sufficient security protection. In addition, in cases of sharing, transferring, and disclosing personal information, the data controller is subject to conduct DPIA/PIA. There is no exception for conducting a DPIA/PIA.

7.5. Data protection officer appointment

Pursuant to the Cybersecurity Law, the network operator shall appoint a person in charge of network security.

Pursuant to the Draft Personal Information Protection Law, the data processor which processes the volume of personal information which reaches certain number stipulated by the CAC must appoint a data protection officer ('DPO') responsible for personal information processing. The name and contact information of the DPO shall be made public and filed with the competent authority.  

7.6. Data breach notification

In principle, pursuant to the Cybersecurity Law, in actual or likely cases of disclosure, damage, or loss of personal information, a network operator must take remedial measures immediately and, pursuant to relevant laws, inform the users and report to the competent authorities in a timely manner. Nevertheless, such relevant laws with specific notification requirements have not yet become effective. Even though the Cybersecurity Law stipulates the principle provisions of breach notification, in practice, there are no specific rules of breach notification available to be referred to by the network operators. In the event that the data breach endangers and has an impact on national security, social order, economic development, and public interests by varying degrees, the company involved in the breach should immediately initiate the contingency plans and report to the Contingency Response Office in certain circumstances pursuant to the National Contingency Plans for Cyber Security Incidents.

Pursuant to the Personal Information Protection Law Draft, in cases of a data breach, the data processor shall take remedial measures immediately and notify the competent department and the data subjects. The specific contents to be contained in the notification could also be found in the Personal Information Protection Law Draft. Nonetheless, the Personal Information Protection Law Draft provides one exception for notification to the data subjects. If the measures taken by the data processor could effectively avoid damages caused by disclosure of personal information, it is not necessary for the data processor to notify the data subjects unless the competent department considers otherwise.

The Specification would require delivery of breach notification, as well as that certain response and evaluative actions be taken after the occurrence of a personal information security incident, such as taking a record of the substance of the incident, evaluating the possible impact of the incident, and adopting measures to control and eliminate risks.

Additionally, the Guidelines for Internet Personal Information Security Protection requires the network personal information holder to report to the public security authority, take remedial measures, report the accident pursuant to the National Contingency Plans for Cybersecurity Incidents (only available in Chinese here), and, where appropriate, notify the affected data subjects and publish warning information of the public concern to the community.

7.7. Data retention

The Cybersecurity Law requires disposal of personal information in accordance with provisions of law, administrative regulations, and agreements executed with users. The Draft Personal Information Protection Law and the TC260 Specification would require minimisation of the retention of personal information to the shortest period of time that is necessary for the realisation of the objective of its collection and use.

7.8. Children's data

Processing children's personal information shall refer to the Provisions on the Online Protection of Personal Information of Children (only available in Chinese here). Children refers to minors under 14 years old. Before the collection, use, transfer, and disclosure of children's personal information, the network operator shall inform the guardian in a significant and clear manner and obtain consent of the guardian.

7.9. Special categories of personal data

There is no provision regulating processing criminal conviction data.

7.10. Controller and processor contracts

The Draft Personal Information Protection Law requires an agreement to be placed between a data controller and a data processor. The contents of the agreement shall include:

  • the purpose of data processing;
  • processing mode;
  • types of personal information;
  • protection measures;
  • both parties' rights and liabilities; and

The data processor must also supervise the data processing activities.

8. DATA SUBJECT RIGHTS

8.1. Right to be informed

The data subjects shall be informed of the rules in connection with data processing and the purpose, method and scope of data processing.

The data processor shall disclose the rules of data collection and use and clearly express the purposes, means, and scope of data collection and use.

8.2. Right to access

The data subject is entitled to make a request to the data processor to access to their personal data lawfully.

8.3. Right to rectification

In cases of any error in the personal data, the data subject is entitled to make a request to the data processor for rectification.

8.4. Right to erasure

In case the data subjects find the data processor processes data in violation of laws and regulations or both parties' agreement, the data subject is entitled to request for deletion in a timely manner.

8.5. Right to object/opt-out

Pursuant to the Draft Personal Information Protection Law, the data subject is entitled to object to personal information processing. The data processor cannot refuse to provide products or services because the data subjects refuses to process data or withdraw consent unless personal information processing is necessary to provide products and services.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Pursuant to the Draft Personal Information Protection Law, data processors shall ensure the transparency of the decision and the fairness of automated decision-making. In the event that data subjects consider the automated decision-making to have significant impact on their interests, the data subject is entitled to request the data processor explain the reason and may reject the decision made by automated means. If the data processor adopts automated decision-making to conduct marketing and messaging, the marketing and messaging not directed against personal features shall also be provided.

8.8. Other rights

Right to deregistration

Pursuant to the Provisions on Protection of Personal Information of Telecommunication and Internet Users, the data subject is entitled to deregister account in cases of termination of service.

In addition, pursuant to the TC260 Specification, the data subjects are entitled to deregister account unconditionally.

9. PENALTIES

Various sanctions and penalties can apply, depending on the violation and the applicable regulation. Quite possibly, over time the sanctions and penalties imposed under the Cybersecurity Law may emerge as the most important ones in practice. Under the Cybersecurity Law, for non-compliance with personal information protection obligations, sanctions, and penalties include a warning, confiscation of illegal income, a fine of more than one time and less than ten times the illegal income or a fine of less than RMB 1 million (approx. €128,540), a fine of between RMB 10,000 (approx. €1,290) and RMB 100,000 (approx. €12,850) applicable to management and other personnel who bear direct responsibility, and (under severe circumstances) suspension of the related business, suspension of the business for internal rectification, shutdown of the website, and revocation of related permits or licences.

Additionally, the Draft Personal Information Protection Law increases the punishment significantly. Where serious circumstances arise, the data processor is subject to fines of up to RMB 50 million (approx. €6.4 million) or 5% of the turnover of the previous year.

9.1 Enforcement decisions

An enforcement review of the privacy practices of certain of the principal internet service providers in China resulted in disciplinary measures against at least four of them in December 2017. Reportedly, the review was undertaken on the service providers' failure to observe the requirements of a set of generally applicable standard guidelines establishing good practices on personal information security. Though, on the face of it, not binding, enforcement agencies in China can still use such a personal information security standard as a reference or guide in their administration and enforcement activities.

Below are some enforcement cases in recent years:

  • On 6 January 2018, the CAC coordination department made an appointment with Alipay and Zhima Credit Management LLC due to non-compliance with the TC260 Specification.
  • A listed company in Wuxi adopted a weak password for the website administrator to log in the office administration system. In addition, the company did not request a change of password for the first-time login or force the password strength to be set up. These insufficient security measures may very likely result in loss of personal information through stuffing attack by the hacker.
  • One culture transmission company purchased a large volume of student personal information related to school, class, and parents' telephone numbers and planned to use this data for precision marketing. In April 2019, Wuxi police order RMB 20,000 (approx. €2,570) fines.
  • On 11 July 2019, App Special Administration Work Group ('the Work Group') publicly announced 30 apps violated Cybersecurity Law through collection and use of personal information. Among the 30 apps, ten apps had no privacy policy; 20 apps required the user to consent multiple authorisation one time, and if the user does not do so, such apps could not be installed. The Work Group requested the relevant app operators to complete rectification within 30 days, otherwise the Work Group would suggest the competent authority to follow up the case.
  • On 3 July 2019, MIIT made sampling check on 100 internet companies and discovered some issues for the same. 18 apps sampled did not disclose the rules for collection and use of personal information or inform of the way to correct personal information or provide deregistration. 33 apps sampled collected and used personal information in violation of laws. The MIIT ordered the non-compliant app to be removed from the store for rectification.
  • On 5 December 2019, National Cybersecurity Notification Centre publicly announce removing 100 apps in violation of laws and regulations. Since November 2019, the MPS have reinforced their efforts to regulate infringement of citizens' personal information and focused on governing unlawful collection and use of personal information by apps, such as where no privacy policy is available, there is no explicit description of scope of collection of personal information, and where collection of personal information exceeds the scope or is unnecessary. The MIIT ordered to remove 27 apps, place fines for ten apps and send two apps for criminal investigation.
  • On 19 December 2019, the MIIT publicly announced 41 Apps in connection with infringement of users' interests. On 8 January 2020, the MIIT publicly announced 15 apps in connection with infringement of users' interests. The non-compliance focuses on unlawful collection and use of personal information, unreasonably request of authorisation from users, or placement of barriers for deregistration. The MIIT ordered the app removed from the online store if the app could not complete the rectification.