China - Data Protection Overview
1. Governing Texts
China's data protection regime is in a period of change, and there has been significant progress in the field of data protection legislation in recent years. The Personal Information Protection Law ('PIPL') entered into effect on November 1, 2021, and is China's first comprehensive data protection law. The PIPL governs personal information processing activities carried out by entities or individuals within China and, together with two other key laws on cybersecurity and data protection, namely the Cybersecurity Law (only available in Chinese here; an unofficial English version of the Law is available here) ('CSL') and the Data Security Law ('DSL'), introduces a new data protection regime for China.
In addition, the Civil Code of the People's Republic of China ('the Civil Code') effective on January 1, 2021, expressly provides the right of privacy and personal information protection. The express protection of personal information under the Civil Code represents a new era of privacy and personal information protection. Meanwhile, new supporting rules (such as guidelines and standards) are expected in the near future and beyond as China's cybersecurity, data security, and personal information protection framework continues to evolve.
Nonetheless, there are also specific requirements under laws and regulations that govern specific industry sectors, such as telecommunications, finance, healthcare, network services, consumer, e-commerce, and transportation.
For the purpose of this Overview, we will not discuss data protection in specific industry sectors.
At the time of this Guidance Note's publication, the CSL, the DSL, and the PIPL altogether constitute the three fundamental pieces of legislation with respect to cybersecurity and data protection in China. The relevant implementing rules are still in the process of being drafted. Changes over time will be addressed by means of successive updates to this Guidance Note.
The PIPL establishes the mechanism of personal information protection in China, and it is modeled, in part, on the GDPR. It introduces several important concepts, such as personal information, sensitive personal information, and processing. It explicitly stipulates its extraterritorial jurisdiction and provides the traditional elements of data protection, such as principles of personal information processing, consent and non-consent grounds for processing, cross-border transfer mechanisms, and rights of data subjects. At the time of writing this note, some provisions are still awaiting implementing rules to provide clarification.
On November 7, 2016, the CSL, effective as of June 1, 2017, was passed in China. The CSL contains personal information protection requirements that are applicable to all enterprises that operate a computerized information network system. The CSL is the fundamental law regulating cyberspace, focusing on multi-level protection of cybersecurity, the protection of critical information infrastructure, cybersecurity reviews, and inspection, as well as the certification of key network devices and special cybersecurity products.
Although the CSL is, in concept, specific to the context of cybersecurity, given that it was released in 2017 it also served the function of protecting personal information. Upon enactment of the PIPL, the focus of the CSL became cybersecurity.
The DSL is the fundamental law for data security, and it designs a series of policies – including those regarding data categorization and classification, data risk controls, contingency responses for data security, data security reviews, export controls, and anti-discrimination – to ensure data development and use, as well as industry development. The specific rules for implementing these policies are expected in the future and may include supporting laws, regulations, and guidelines.
With respect to industry-specific rules currently available (e.g., those applicable to industrial data, securities, futures-related data, and personal financial data), data categorization and classification systems have already been established. In light of the coming enforcement of the DSL, data categorization and classification systems are expected in more industries in the future, especially for those industries that bear the responsibility of supervising data security under Article 6 of the DSL (e.g., telecommunications, transportation, natural resources, hygiene and health, education, and technology).
The Civil Code
The Civil Code, which entered into effect on January 1, 2021, provides a right of privacy and personal information protection in Chapter VII of Part IV (Personality Rights). Given the significance of the Civil Code, its issuance symbolizes a new era of protection of privacy and personal information. This is the first time the right to privacy and personal information protection has been set out as a single chapter under the law. The right to privacy and personal information is categorized as a personality right, which provides a legal remedy from the perspective of torts in cases of infringement of privacy and/or personal information. Furthermore, privacy is defined by law for the first time: it refers to the private peaceful life of a natural person and the private space, private activities, and private information that a natural person does not wish to be known by others.
Measures of Security Assessment of Cross-border Data Transfer
The Cyberspace Administration of China ('CAC') issued the Measures on Security Assessment on Cross-border Data Transfer (only available in Chinese here), which entered into effect on September 1, 2022, and provide a six-month grace period to the relevant personal information processors. If a cross-border data transfer satisfies any of the circumstances prescribed in these measures, personal information handlers shall, through the local CAC at the provincial level, apply for a mandatory security assessment of the relevant transfer.
Procurement of network products and services by critical information infrastructure ('CII') operators and data processing by network platform operators are subject to a cybersecurity review. Specifically, network platform operators holding more than one million individuals' personal information must apply for cybersecurity review if they propose to be listed overseas.
Articles 38 and 40 of the Constitution of the People's Republic of China establish rights that relate to privacy, such as the right to dignity of the person which provides prohibitions against insult, defamation, false accusation, or false information directed against Chinese citizens, and a right of freedom and secrecy of correspondence. These provisions do not, however, establish an express constitutional right to privacy, even though their subject matter may be related to privacy.
Criminal Law provisions
The Ninth Amendment to the People's Republic of China's Criminal Law (promulgated on August 29, 2015) (only available in Chinese here) ('the Ninth Amendment') provides that all parties who sell or provide personal information to a third party, in violation of the law, are subject to criminal liability, and that parties who sell or provide personal information obtained during the performance of their duties and provision of services, in violation of law, are subject to a heavier punishment.
Resolution to Strengthen the Protection of Information on the Internet
At the end of 2012, the Standing Committee of the National People's Congress passed the Resolution to Strengthen the Protection of Information on the Internet (only available in Chinese here) ('the Resolution'). Although the Resolution appears intended to primarily address the security of internet use, it also contains provisions governing the collection and processing of personal information. Moreover, the nature of its subject matter (which is the processing of electronic personal information over the internet) gives it the potential for broader application than many other sector-specific regulations.
Regulations of Security Protection of Critical Information Infrastructure
The Regulations of Security Protection of Critical Information Infrastructure (only available in Chinese here) entered into effect on September 1, 2021, and are the implementing rules of the CSL, specifically regulating CII. CII refers to the critical network facilities and information systems in important industries and areas such as public telecommunication and information service, energy, transport, water conservancy, finance, public service, e-government, and the science and technology industry for national defense, which may seriously endanger national security, the national economy, people's livelihood, and public welfare once they are subject to any destruction, loss of function, or data leakage. The important industries will formulate the rules for the identification of CII and submit such rules to the State Council for record-filing.
Administrative Regulations on the Credit Reference Sector
The Administrative Regulations on the Credit Reference Sector (only available in Chinese here) set forth a series of rules for the collection, use, processing, disclosure, and transfer of personal information by credit reference agencies.
Rules on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications
Rules on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (only available in Chinese here) regulate the collection of personal information by apps and specifically provide the scope of necessary personal information for 39 types of mobile apps.
Methods for Identifying Unlawful Acts of Applications to Collect and Use Personal Information
Methods for Identifying Unlawful Acts of Applications to Collect and Use Personal Information (only available in Chinese here) provide specific and practical examples of unlawful collection and use of personal information for six types of data processing activities.
Measures for the Security Assessment of Cross-border Data Transfers
Pursuant to the Measures for the Security Assessment of Cross-border Data Transfers (only available in Chinese here), the data handler shall pass a security assessment by CAC for the cross-border transfer of personal information if:
- it transfers important data outside of China;
- it is a critical information infrastructure operator, or it processes personal information involving one million individuals; or
- it transfers personal information outside of China involving more than 100,000 individuals or transfers sensitive personal information outside of China involving more than 10,000 individuals cumulatively since 1 January of the previous year.
The result of the assessment is valid for two years from the date it is passed.
Guideline to Applications for Security Assessment of Cross-border Data Transfers (First Edition)
The data handlers subject to the security assessment by the CAC shall follow the Guideline to Applications for Security Assessment of Outbound Data Transfers (First Edition) (only available in Chinese here) to prepare the relevant application documents for the security assessment. The self-assessment report for risks involved in the cross-border transfer is one of the key documents for the application.
Measures for the Standard Contract for Cross-Border Transfer of Personal Information
Pursuant to the Measures for the Standard Contract for Cross-Border Transfer of Personal Information (only available in Chinese here), the data handlers must sign the standard contract for cross-border transfer of personal information ('the Standard Contract') if they are not subject to the security assessment by the CAC and file the Standard Contract with the CAC.
Guidelines for Filing the Standard Contract for Outbound Cross-Border Transfer of Personal Information (First Edition)
Data handlers that are not subject to the security assessment shall follow the Guidelines for Filing the Standard Contract for Outbound Cross-Border Transfer of Personal Information (First Edition) (only available in Chinese here) to prepare the Standard Contract filing for cross-border transfer of personal information. A personal information protection impact assessment ('PIPIA') report is one of the key documents for filing the Standard Contract.
Interim Measures for the Management of Generative Artificial Intelligence Services
Interim Measures for the Management of Generative Artificial Intelligence Services (only available in Chinese here) regulate the application of generative artificial intelligence ('AI'). These interim measures apply to the use of generative AI technology to provide services that generate text, images, audio, video, or other content to the public within the territory of China. Conversely, if generative AI technology is used in China but does not provide generative AI services to the public within China, such technology is not governed by these interim measures. If the generative AI service has public opinion attributes or social mobilization capabilities, the provider must conduct a security assessment and complete the filing, amendment, or cancellation of filings for its algorithms. The provider is also obligated to explain the source, scale, type, labeling rules, algorithm mechanism, etc., of the training data as required by the competent regulators during an inspection, and to provide the necessary technical, data, and other support and assistance.
Administrative Provisions on Deep Synthesis in Internet-based Information Services
The Administrative Provisions on Deep Synthesis in Internet-based Information Services (only available in Chinese here) apply to the provision of Internet-based information services using deep synthesis technology within the territory of China. These provisions adopt a relatively broad definition of deep synthesis technology and stipulate the obligations of providers, users, and technical supporters of deep synthesis technology.
Provisions on the Administration of Algorithm-generated Recommendations for Internet Information Services
Provisions on the Administration of Algorithm-generated Recommendations for Internet Information Services (only available in Chinese here) apply to the application of recommendation algorithm technologies in the provision of internet-based information services within the territory of China. The application of recommendation algorithm technologies refers to using algorithm technologies such as generation and synthesis technology, personalized pushing technology, ranking and selection technology, retrieval and filtering technology, and dispatching and decision-making technology to provide users with information. The provisions mainly address the right to information related to algorithms, the right of choice, the right to complaint, the protection of minors and elders, the rights of workers dispatching services, the right to fair deals, and the prohibition of algorithm discrimination. In addition, for algorithms with public opinion attributes or social mobilization capabilities, the provider shall fulfill the filing obligation.
Circular of the Ministry of Industry and Information Technology on Launching the Record-filing of Mobile Internet Applications
The Circular of the Ministry of Industry and Information Technology on Launching the Record-filing of Mobile Internet Applications requires apps (including applets and fast applications) to complete record-filing.
Draft Regulations of Cybersecurity Grading Protection
On June 27, 2018, the Ministry of Public Security ('MPS') issued the Draft Regulations of Cybersecurity Grading Protection (only available in Chinese here) ('Draft Regulation'). The Draft Regulation establishes a mechanism for cybersecurity grading protection. Networks shall be graded into five levels, and a network graded at level two or above must be filed with the MPS. In the market, the most common grades are levels one, two, and three.
Draft Administrative Measures for Personal Information Protection Compliance Auditing
On August 3, 2023, the Draft Administrative Measures for Personal Information Protection Compliance Auditing (only available in Chinese here) were issued by the CAC. A compliance audit is triggered by law or required by the regulator in charge of the protection of personal information. Data handlers that process the personal information of more than one million individuals shall conduct a compliance audit annually; other data handlers shall conduct a compliance audit every two years. The draft administrative measures also list the key considerations for compliance audits.
The PIPL, the DSL, and the CSL are to be accompanied by an extensive series of guidelines and standard documents which, typically, will not be binding, but should still be taken seriously as they establish market standards, best practices, and regulatory expectations. This portfolio of guidance documents is still emerging. A certain number of these have been issued but only in draft form with substantial or even fundamental changes still possible, while others are still being drafted and have not been published yet.
All the national standards in connection with information security are issued by the National Information Security Standardisation Technical Committee ('TC260').
A standard issued by TC260 is the Information Security Technology - Personal Information Security Specification (GB/T 35273-2020) ('the Specification') which establishes benchmarks for the processing of personal information by all types of entities and organizations. This standard first entered into effect on May 1, 2018, and was amended on March 6, 2020, with such amendments becoming effective on October 1, 2020. The amendments address the relevant issues brought by emerging technologies, such as personalized display, data integration, and management of SDK/plug-in, among others. The Specification is voluntary and not mandatory, but it may nevertheless be considered a generally accepted compliance standard and good practice in China.
The Internet Security Guidelines
The Guidelines for Internet Personal Information Security Protection (only available in Chinese here) ('the Internet Security Guidelines') (promulgated by the Cybersecurity Guard Department of the MPS, the Beijing Network Industry Committee, and the 3rd Research Institution of the MPS) stipulate the protection of personal information from the perspectives of the management system, security technology, data processing, and contingency disposal. These guidelines are voluntary and not mandatory, but they may nevertheless be considered a generally accepted compliance standard and good practice in China, and are often referred to by the police in enforcement actions.
Guidance for Personal Information Security Impact Assessment (GB/T 39335 – 2020)
Guidance for Personal Information Security Impact Assessment (GB/T 39335 – 2020) ('the Security Impact Assessment Guidance') was issued by TC260 on November 19, 2020, and became effective June 1, 2021. The Security Impact Assessment Guidance provides detailed rules for personal information handlers on how to conduct protection impact assessment for high-risk data processing activities, e.g. processing sensitive personal information, providing personal information to another data handler, and cross-border transfer of personal information.
National standards regarding classified protection of cybersecurity systems
In 2019, China established the classified protection system for cybersecurity by formally issuing seven national standards (promulgated by TC260):
- Information Security Technology - Testing and Evaluation Technical Guide for Classified Cybersecurity Protection (GB/T 36627-2018);
- Information Security Technology - Testing and Evaluation Process Guide for Classified Protection of Cybersecurity (GB/T 28449-2018);
- Information Security Technology - Basic Requirement of Classified Protection of Cybersecurity (GB/T 22239-2019);
- Information Security Technology - Technical Requirement of Security Design of Cybersecurity (GB/T 25070-2019);
- Information Security Technology - Test Requirement of Classified Protection of Cybersecurity (GB/T 28448-2019);
- Information Security Technology - Implementation Guide for Classified Protection of Cybersecurity (GB/T 25058-2019); and
- Information Security Technology - Classification Guide for Classified Protection of Cybersecurity (GB/T 22240-2020).
Under the seven standards, the protection subjects include basic information networks, cloud computing platforms/systems, Big Data applications/platforms/resources, Internet of Things ('IoT'), industry control systems, and systems using mobile interconnection technology. The classified protection of cybersecurity has been divided into five levels. At each level, there are general security requirements and extended security requirements designed for cloud computing, mobile interconnection, IoT, and industry control systems. The general security requirement is applicable to each subject, e.g. cloud computing will be first subject to the general security requirements and then subject to extended security requirements specifically for cloud computing. The general security requirements would be further divided into technical requirements (including secure physical environment, secure communication network, secure area boundary, secure computing environment, and secure management center), as well as management requirements (including secure management system, secure management department, secure management personnel, secure construction management, and secure operation and maintenance management).
Please note that while these recommended standards are not legally binding and enforceable, in practice the technical expert assesses the grading of a network by referring to these classified cybersecurity protection standards from a technical perspective. Therefore, for the purpose of compliance with the cybersecurity protection required by law, network operators must comply with these classified cybersecurity-related national standards.
Information Security Technology – Implementation Guidelines for Notices and Consent in Personal Information Processing (GB/T 42574-2023)
Information Security Technology – Implementation Guidelines for Notices and Consent in Personal Information Processing (GB/T 42574-2023) provides detailed methods and steps to inform and obtain consent from data subjects and also provides examples of how to inform and obtain consent from data subjects in typical scenarios.
1.3. Case law
As China has adopted a civil law system, case law is generally less influential in China. Interpretations issued by relevant regulatory authorities are often more impactful than case law generated by litigation in the court system.
Provisions of the Supreme People's Court on Several Issues concerning the Application of Law to Trials of Civil Dispute Cases of Infringement of Personal Rights via Information Networks (only available in Chinese here) ('the Supreme Court Opinion') were issued by the Supreme People's Court of the People's Republic of China ('Supreme Court') in August 2014 and amended on December 29, 2020, and has been significant in establishing protection for the name, likeness, reputation, and honor, as well as the personal data of Chinese citizens.
The Interpretation of the Supreme Court and the Supreme People's Procuratorate of the People's Republic of China on Several Issues concerning the Application of Law in the Handling of Criminal Cases of Infringing on Citizens' Personal Information (only available in Chinese here) clarifies certain issues concerning the application of criminal law and criminal procedure to personal information protection in practice. The Supreme Court Opinion clarifies issues concerning the application of law to civil cases involving the infringement of personal rights, including the rights of name, reputation, honor, portrait, and privacy, via information networks.
2. Scope of Application
The PIPL applies to identifiable natural persons and private/public organizations in China.
The PIPL applies to any processing of personal information in China.
In addition, the PIPL applies to processing activities outside of China relating to the personal information of individuals in China if the purpose of the processing is to:
- offer goods or services to individuals in China; or
- monitor and evaluate the activities of individuals in China.
In summary, the PIPL applies to any processing of personal information in China as well as to certain personal information processing activities conducted outside of China.
3.1. Main regulator for data protection
There is no single specific authority or agency in China that has responsibility for the supervision of compliance with personal data-related laws. In general, under the PIPL, the regulators in charge of the protection of personal information include the CAC, the relevant cyberspace administration at the provincial level, relevant State Council departments, and relevant departments of local governments at the county level and higher. In practice, the public security authority (police) is in charge of practical enforcement, administrative penalties, and crimes relating to infringement of privacy.
Specific industry regulators are responsible for compliance supervision within their respective industries. Examples of such sector-specific supervisory authorities include the National Financial Regulatory Administration ('NFRA') (previously the China Banking and Insurance Regulatory Commission), the National Health and Family Planning Commission ('NHFPC'), the National Medical Products Administration ('NMPA'), the Ministry of Science and Technology ('MOST'), the State Administration for Market Regulation ('SAMR'), the Ministry of Industry and Information Technology ('MIIT'), and the Ministry of Transportation ('MOT').
If any data processing is related to national security, the CAC, the National Development and Reform Commission ('NDRC'), the MIIT, the MPS, the Ministry of State Security ('MSS'), the Ministry of Finance ('MOF'), the Ministry of Commerce ('MOC'), the People's Bank of China ('PBC'), the SAMR, the National Radio and Television Administration ('NRTA'), the China Securities Regulatory Commission ('CSRC'), the National Administration of State Secrets Protection ('NASSP'), and/or the State Cipher Code Administration ('SCCA') might be involved in the relevant security assessment, depending on the specific case.
3.2. Main powers, duties and responsibilities
The government authorities that supervise specific sectors have responsibility for the supervision of compliance with data protection-related obligations within the same sectors. The relevant regulators supervise the relevant work in their industries respectively. More generally:
- the CAC is responsible for the comprehensive planning and coordination of personal information protection work and related supervision and management;
- the relevant State Council departments are responsible for personal information protection, supervision, and management work within their respective scope;
- the relevant departments of local governments at the county level and higher perform personal information protection, supervision, and management duties according to relevant provisions at the state level;
- the MPS is responsible for supervising and administering the security and examination of public information systems, controlling classified cybersecurity protection, and punishing cybercrime;
- the MIIT supervises the cybersecurity of telecommunications and internet companies;
- the NFRA is responsible for compliance with data protection-related obligations within the banking and financial industry;
- the NHFPC is responsible for compliance by medical institutions;
- the NMPA is responsible for compliance with medical and healthcare products; and
- the SAMR governs data compliance in the consumer sector.
4. Key Definitions
Personal information handler (data controller): There is no definition of data controller under the PIPL. However, personal information handler refers to organizations and individuals that, in personal information handling activities, autonomously decide handling purposes.
A personal information handler under the PIPL is similar to the concept of a 'data controller' in other privacy laws (such as the General Data Protection Regulation (EU) 2016/679 ('GDPR')). While the GDPR distinguishes between a data controller, who determines the means and purposes of processing personal data, and a processor, who processes personal data on behalf of the controller, the PIPL does not formally define the concept of a processor. Under the PIPL, when a personal information handler entrusts a third party (i.e., a processor under the GDPR) to process personal information on behalf of the personal information handler, such third party is referred to as the 'entrusted party' or the 'contracting party'.
Sensitive data: Personal information that, once leaked or illegally used, may easily cause harm to the dignity of natural persons, grave harm to personal or property security, including information on biometric characteristics, religious beliefs, specially designated status, medical health, financial accounts, individual location tracking, etc., as well as the personal information of minors under the age of 14.
Processing: Collection, storage, use, processing, transmission, provision, disclosure, and deletion, among other things, of personal information.
Biometric data: Biometric samples, biosignatures, biosignature models, biometric property, biometrics of original descriptive data, or a combination of the aforementioned data (Information Technology - Security Techniques - Biometric Information Protection (Draft) (only available to download in Chinese here)).
Pseudonymization: There is no definition of pseudonymization under the PIPL. However, de-identification is the process of personal information undergoing handling to ensure it is impossible to identify specific natural persons without the support of additional information.
Anonymization: The process of personal information undergoing handling to make it impossible to distinguish specific natural persons and impossible to restore.
Privacy Impact Assessment | Data Protection Impact Assessment: 'Privacy Impact Assessment' ('PIA') or 'Data Protection Impact Assessment' ('DPIA') is not defined in the PIPL. However, the PIPL does outline requirements for the conducting of personal information protection impact assessments ('PIPIA') as outlined below.
In addition, the Specification defines 'personal information security impact assessment' ('PISIA') as a process to check the degree of compliance with laws and regulations of personal information processing activities, determine the potential risks to the legitimate rights and interests of personal information subjects, and assess the effectiveness of the measures used to protect personal information subjects (Section 3.9 of the Specification).
Data protection officer: There is no definition of 'data protection officer' in the PIPL. However, the PIPL refers to 'personal information protection officers' who are responsible for supervising personal information handling activities as well as adopting protection measures, etc. (Article 52 of the PIPL).
5. Legal Bases
Article 13 of the PIPL stipulates the legal bases for personal information processing.
A personal information handler may process personal information once it obtains consent from the individuals.
Where necessary to conclude or fulfill a contract in which the individual is an interested party, consent is not necessary for processing.
Where processing is necessary to comply with a legal obligation or duty, no consent is required.
Where processing is carried out in the public interest, such as for news reporting or public opinion supervision, no consent is required.
Where necessary to conduct human resources management according to lawfully formulated labor rules and structures and lawfully concluded contracts, consent is not necessary for processing.
Where a personal information handler processes personal information already disclosed by individuals or otherwise already lawfully disclosed, it is not necessary to obtain consent for processing within a reasonable scope in accordance with the provisions of the PIPL.
In addition, personal information can be processed under other circumstances as stipulated by applicable law or administrative regulation.
The PIPL stipulates seven principles for personal information processing including:
Lawfulness: Personal information must be processed in accordance with the principles of legality, legitimacy, necessity, and good faith, and not in any manner that is misleading, fraudulent, or coercive.
Purpose specification: Processing must be conducted:
- for a specified and reasonable purpose;
- in a manner directly related to that purpose; and
- in a way that has the least impact on personal rights and interests.
Data minimization: The collection of personal information must be limited to the minimum scope necessary for achieving the purpose of processing and must not be excessive.
Storage limitation: The storage period of personal information must be the minimum period necessary for achieving the processing purpose unless any applicable law or administrative regulation stipulates otherwise.
Transparency: Processing must be conducted in accordance with the principles of openness and transparency (i.e., provision of notice, described above).
Accuracy: Personal information handlers must ensure the quality of personal information processed, to avoid any negative impact on personal rights and interests due to the inaccuracy or incompleteness of the personal information processed.
Data security: Personal information handlers must take necessary measures to ensure the security of the personal information processed.
7. Controller and Processor Obligations
In terms of transfers of personal information to third parties, the PIPL requires the consent of data subjects, provided that there is no non-consent basis for processing.
The PIPL provides three methods for personal information handlers to transfer personal information out of China:
- passing a security assessment administered by the CAC;
- undertaking a personal information protection certification conducted by recognized institutions in accordance with relevant regulations of the CAC; or
- executing a standard contract for cross-border transfer provided by the CAC.
If the cross-border data transfer satisfies any of the following circumstances, personal information handlers shall, through the local cyberspace administration at the provincial level, apply for mandatory security assessment for such transfer:
- transfer of important data outside of China;
- transfer of personal information outside of China by a CII operator, or a personal information processor, processing more than one million individuals' personal information;
- cumulative transfer of personal information of more than 100,000 individuals from 1 Jan of the preceding calendar year or cumulative transfer of 'sensitive' personal information of more than 10,000 individuals from 1 Jan of the preceding calendar year; or
- other circumstances that require the security assessment of cross-border transfer provided by the CAC.
In terms of mandatory security assessment, the cyberspace administration at the provincial level must complete the formality review within five business days upon receipt of the application documents. If such documents satisfy the formality requirements, the cyberspace administration at the provincial level would submit such documents to the CAC. The CAC shall notify the applicant in writing whether it accepts the application within seven business days upon receipt of application documents. The CAC shall complete the security assessment within 45 business days after issuing the written notification of acceptance. In cases of complexity or supplementing/amending application documents, appropriate extensions are allowed. In general, most applications would not fall into the extension scenario. The estimated time for the completion of the security assessment by the CAC is approximately 57 business days. If the relevant personal information handlers object to the result of the security assessment, they may apply for re-assessment within 15 business days upon receipt of such result. The re-assessment would be final and binding.
For non-CII operators, and for personal information handlers processing personal information below the thresholds prescribed by the CAC, there are two other options for cross-border data transfers. One option is to obtain a personal information protection certification from an institution recognized by the CAC. The other option, and the one most likely to be used, is to execute a data transfer agreement with the recipient located outside of China that follows the standard contract provided by the CAC.
For cross-border transfers of personal information, in addition to the above requirements, a personal information handler must also inform individuals of:
- the identity and contact information of the data recipient(s);
- the purpose(s) and method(s) of data processing;
- the type(s) of personal information to be transferred; and
- how individuals can exercise their rights under the PIPL with respect to the data recipient(s).
Personal information handlers must also obtain separate consent from individuals for the cross-border transfer of their personal information unless there is a legal basis for such transfer.
Additionally, cross-border transfers of personal information made for the purpose of providing international judicial and law enforcement assistance must first be approved by a competent Chinese authority.
The PIPL does not expressly require the personal information handler to retain data processing records. Nevertheless, if the personal information handler is required to conduct PIPIAs for its processing activities, it must retain the PIPIA report and the relevant processing status records for three years. In addition, under Article 69 of the PIPL, if the personal information handler cannot prove that it was not at fault while processing personal information, it is liable for the damage caused by the processing. It is therefore suggested, as good practice, that the personal information handler retain processing records so that it can defend itself against third-party claims.
In addition, Section 11.3 of the Specification specifically recommends the data controller establish, maintain, and update the records of personal information processing activities and lists the detailed contents of records.
Under Article 55 of the PIPL, a personal information handler must conduct a PIPIA prior to:
- processing sensitive personal information;
- using personal information in automated decision-making;
- engaging an entrusted party to process personal information on the personal information handler's behalf;
- providing personal information to another personal information handler;
- disclosing personal information to the public;
- transferring personal information outside of China; or
- any processing activity that will have a material impact on the personal rights and interests of an individual.
The PIPIA must specify:
- whether the purpose(s) and method(s) of processing are lawful, legitimate, and necessary;
- the impact of the processing on individuals' rights and interests, and the level of risk involved; and
- whether the protective measures undertaken are lawful, effective, and commensurate to the degree of such risk.
PIPIA reports and records of processing must be retained for at least three years.
The Security Impact Assessment Guidance provides guidance on how to conduct a PIPIA. In addition, the Specification outlines recommendations associated with the conducting of a personal information security impact assessment (Section 11.4 of the Specification).
Under Article 52 of the PIPL, if the volume of personal information processed reaches a threshold level as stipulated by the CAC, a personal information handler must appoint a personal information protection officer ('Officer'). The volume of personal information triggering the threshold has not yet been defined.
Pursuant to Article 52 of the PIPL, organizations are required to publish the details of the designated persons including name, contact method, etc., and report them to the departments fulfilling personal information protection duties and responsibilities. Article 53 of the PIPL states that organizations established outside the borders of the People's Republic of China are required to establish a dedicated entity or appoint a representative, within the borders of the People's Republic of China to be responsible for matters related to the personal information they handle.
Please note the DSL and CSL also require the appointment of designated persons responsible for data security and designated persons in charge of cybersecurity, respectively (Article 27 of the DSL and Article 21(i) of the CSL).
In addition, reference can be made to the Specification which outlines the duties of the person and the department responsible for personal information protection. Such duties include but are not limited to (Article 11.1(d) of the Specification):
- coordinating personal information security within the organization, and bearing direct responsibility for personal information security;
- organizing the development of a personal information protection work plan, and supervising its implementation;
- developing, issuing, implementing, and regularly updating privacy policies and related procedures;
- establishing, maintaining, and updating a list of personal information held by the organization (including the type of personal information, quantity, source, recipient, etc.) and authorized access policies;
- carrying out personal information security impact assessments, proposing countermeasures for personal information protection, and urging reform and rectification of all hidden dangers;
- organizing personal information security training;
- testing products or services before they are released to avoid the inappropriate collection, use, and sharing of personal information;
- publishing complaints, reporting methods, and other information, and promptly accepting complaints and reports;
- conducting a security audit; and
- communicating with the supervisory and management departments, and reporting on personal information protection and event handling.
Under the PIPL, in the event of a suspected or actual data breach, a personal information handler must immediately undertake remedial measures and notify affected individuals and relevant regulators. The PIPL requires specific content to be included in the notification, including:
- the type(s) of personal information affected;
- the cause of, and possible harm that may result from, the breach;
- any remedial measures taken by the personal information handler and measures individuals can adopt to mitigate harm; and
- the contact information of the personal information handler.
The PIPL does, however, provide a risk of harm threshold for notice to affected individuals. If the measures taken by a personal information handler can effectively mitigate the harm caused by the data breach, a personal information handler would not be required to notify affected individuals, unless a regulator determines otherwise.
Personal information retention periods must be the shortest period necessary to realize the purpose of personal information handling, except where laws or administrative regulations provide otherwise.
The personal information handler must also refer to the Provisions on the Online Protection of Personal Information of Children (only available in Chinese here) when processing children's personal information.
There is no provision regulating the processing of criminal conviction data under the PIPL.
The PIPL provides that controllers may only handle sensitive personal information for specified purposes when fully necessary, and when employing strict protective measures. Please see above for the definition of sensitive personal information.
Further to the above, controllers handling sensitive personal information must obtain independent consent and, where laws and administrative regulations so provide, written consent for the handling of sensitive personal information. Moreover, when handling sensitive personal information, controllers must, in addition to the notification requirements specified in Article 17 of the PIPL, notify individuals of the necessity of the sensitive personal information handling and its impact on the individuals' rights and interests, except where the PIPL provides that such notice need not be given to individuals.
Pursuant to the PIPL, where a personal information handler contracts with an entrusted party to process personal information on its behalf, the personal information handler must execute a processing agreement with the entrusted party that includes:
- the purpose(s) of processing;
- the period and method(s) of processing;
- the type(s) of personal information to be processed;
- any protective measures to be taken; and
- both parties' rights and obligations under the PIPL.
Personal information handlers are responsible under the PIPL for supervising the processing activities of entrusted parties, but the PIPL does not prescribe specific supervision requirements. Upon the completion or termination of a personal information handler's agreement with an entrusted party, the entrusted party must return the personal information to the personal information handler or delete it.
8. Data Subject Rights
Prior to processing personal information, a personal information handler must provide notice to individuals on how their personal information will be processed. Under the PIPL, a privacy notice must contain the following:
- the name and contact information of the personal information handler;
- the purpose(s) and method(s) of processing, the categories of personal information to be processed, and the retention period of the personal information;
- the name and contact information of any other personal information handler that will have access to the personal information, the purpose(s) and method(s) of processing by such other personal information handler, and the categories of personal information provided to such other personal information handler;
- where applicable, the use of automated decision-making;
- where applicable, the necessity of processing sensitive personal information and the impact of such processing on individuals' rights and interests;
- where applicable, a special notice with respect to the processing of children's personal information (under 14 years old);
- for data transfers outside of China:
  - the name and contact information of the data recipient(s);
  - the purpose(s) and method(s) of processing by the recipient(s);
  - the type(s) of personal information transferred; and
  - the method and procedure for individuals to exercise their rights under the PIPL with respect to the data transfer recipient(s); and
- where applicable, the contact information of the Officer.
Pursuant to the PIPL, individuals are entitled to request access to their personal information from the personal information handler.
Pursuant to the PIPL, in cases of any error or incompleteness of personal information, the individual is entitled to make a request to the personal information handler for rectification.
Pursuant to the PIPL, individuals are entitled to request the personal information handler to delete their personal information under any of the following conditions:
- the handling purpose has been achieved, is impossible to achieve, or the personal information is no longer necessary to achieve the handling purpose;
- personal information handlers cease the provision of products or services, or the retention period has expired;
- the individual rescinds consent;
- where personal information handlers have handled personal information in violation of laws, administrative regulations, or agreements; or
- other circumstances provided by laws or administrative regulations.
Pursuant to the PIPL, the individual is entitled to object to personal information processing.
Pursuant to the PIPL, the individuals may request the personal information handler to transfer their personal information to a designated personal information handler.
Pursuant to the PIPL, personal information handlers must ensure the transparency and fairness of automated decision-making. They are prohibited from applying discriminatory treatment to individuals in terms of price and other transaction conditions. Where individuals consider that automated decision-making has a significant impact on their interests, they are entitled to request an explanation from the personal information handler and may reject decisions made solely through automated means. If the personal information handler uses automated decision-making for marketing or information pushing, it must also offer an option not targeted at the individual's personal characteristics, or a convenient way to reject the automated decision-making.
Pursuant to the PIPL, individuals may also request the personal information handler to copy their personal information and restrict the processing of their personal information.
In terms of deceased individuals, their next of kin may, for the sake of their own lawful, legitimate interests, exercise the rights to consult, copy, correct, delete, etc., of the deceased in regard to the deceased person's personal information, except where the deceased individual has other arrangements before their death.
Personal information handlers who violate the PIPL with respect to their processing of personal information may be subject to penalties including:
- an order to correct the alleged violations;
- the disgorgement of profits; or
- the provisional suspension or termination of the electronic applications found to be in violation of the PIPL.
Entities that refuse to correct the alleged violations may be subject to a fine of not more than RMB 1 million (approx. $137,270), and responsible personnel may be subject to fines between RMB 10,000 (approx. $1,370) and RMB 100,000 (approx. $13,690).
In the event of grave violations of the PIPL (a term not defined under the PIPL), entities may be subject to fines of up to RMB 50 million (approx. $6.8 million) or 5% of annual revenue. Additionally, the offending entity's business or related business activities may be suspended pending rectification of the alleged violations, and the entity may be required to report to the relevant authorities regarding such suspension. Further, individuals directly responsible for 'grave' violations of the PIPL may be fined between RMB 100,000 (approx. $13,690) and RMB 1 million (approx. $137,270) and may be prohibited from holding certain positions, including director, supervisor, high-level manager, or data protection officer, for a certain period of time.
An enforcement review of the privacy practices of certain principal internet service providers in China resulted in disciplinary measures against at least four of them in December 2017. Reportedly, the review was undertaken on the service providers' failure to observe the requirements of a set of generally applicable standard guidelines establishing good practices on personal information security. Though, on the face of it, not binding, enforcement agencies in China can still use such a personal information security standard as a reference or guide in their administration and enforcement activities.
Below are some enforcement cases in recent years:
- On January 6, 2018, the CAC coordination department held a regulatory interview ('yuetan') with Alipay and Zhima Credit Management LLC due to non-compliance with the Specification.
- A listed company in Wuxi used a weak password for the website administrator's login to its office administration system. In addition, the company neither required a password change on first login nor enforced a minimum password strength. Such insufficient security measures are very likely to result in the loss of personal information through credential-stuffing attacks.
- A culture communication company purchased a large volume of student personal information, including school, class, and parents' telephone numbers, and planned to use this data for precision marketing. In April 2019, Wuxi police imposed a fine of RMB 20,000 (approx. $2,750).
- On July 3, 2019, the MIIT carried out sampling checks on 100 internet companies and discovered a number of issues. 18 of the sampled apps did not disclose the rules for the collection and use of personal information, did not inform users how to correct personal information, or did not provide account deregistration. 33 of the sampled apps collected and used personal information in violation of laws. The MIIT ordered the non-compliant apps to be removed from the store for rectification.
- On December 19, 2019, the MIIT publicly announced 41 apps in connection with infringement of users' interests. On January 8, 2020, the MIIT publicly announced 15 apps in connection with infringement of users' interests. The non-compliance centered on unlawful collection and use of personal information, unreasonable requests for authorization from users, and the placement of barriers to deregistration. The MIIT ordered the apps to be removed from the online store if they could not complete the rectification.
- On June 23, 2023, the People's Procuratorate of Yuhang District, Hangzhou, Zhejiang Province submitted a civil public interest litigation to the Hangzhou Internet Court against an internet technology company for forcing users to authorize its access to the photos, media content, and documents on the device and to the International Mobile Equipment Identity ('IMEI'), as well as for the unlawful collection and storage of over 10 million pieces of personal information. The plaintiff and defendant reached a mediation agreement in court. Under the mediation agreement, the defendant must:
  - delete all the relevant personal information unlawfully collected;
  - publish an apology in Legal Daily; and
  - undertake that it will conduct its business operations lawfully.
  In case of violation of this agreement, it must pay RMB 500,000 (approx. $68,450) in liquidated damages to the National Personal Information Protection public interest fund for public welfare expenditure.
- A customer manager of a bank in Zhanjiang City, Guangdong Province unlawfully sold customers' bank account information, including name, ID, telephone number, and bank account number, totaling 31,456 pieces, to a finance company for loan marketing. The People's Procuratorate of Jingkai District, Zhanjiang submitted a prosecutorial proposal to the Banking and Insurance Regulatory Sub-Bureau of Zhanjiang ('Sub-Bureau') before litigation. On December 31, 2020, the Sub-Bureau imposed an administrative penalty of RMB 200,000 (approx. $27,380) on the bank. On January 4, 2021, the Sub-Bureau barred the account manager from working in the banking industry for one year.
- On July 5, 2021, following an investigation, the Zhejiang Communications Administration found that Ali Cloud Computing LLC had disclosed users' registration information to a partner without consent on November 11, 2019. The Zhejiang Communications Administration held that this conduct violated Article 42 of the CSL and ordered Ali Cloud to rectify it.
- Kohler (China) collected facial information in its stores without the consent of consumers from February 2020 to March 2021, in violation of the relevant provisions of the Law of the People's Republic of China on the Protection of the Rights and Interests of Consumers (only available in Chinese here) ('the Consumer Protection Law'); the Administration for Market Regulation of Jiangan District, Shanghai therefore imposed a penalty of RMB 500,000 (approx. $68,390) on Kohler and ordered rectification.
- In August 2021, the Yubei District branch of Chongqing New Oriental Education & Training LLC unlawfully collected and used 1,053 pieces of consumers' personal information without the consent of consumers. The Chongqing Administration for Market Regulation held that the company had violated relevant provisions of the Consumer Protection Law, imposed a penalty of RMB 340,000 (approx. $46,510), and requested it to eliminate the relevant impacts.
- On November 1, 2021, the MIIT requested apps to show the list of personal information collected and the list of personal information shared with third parties in the 2nd level menu of the apps.
- On July 21, 2022, following a cybersecurity review, Didi was fined RMB 8 billion (approx. $1 billion), and its CEO and chairman were each fined RMB 1 million (approx. $136,810), for violations of the CSL, DSL, and PIPL.
- On May 21, 2023, the CAC found products of Micron had serious potential risks, brought significant security risks to the supply chain of the critical information infrastructure, and affected national security. Thus, Micron failed to pass the cybersecurity review by the CAC. The operators of the critical information infrastructure must cease purchasing products of Micron.
- On June 23, 2022, the Hangzhou Internet Court held that data subjects must first exercise their rights towards the data handlers; only if the data handlers refuse to fulfill the relevant obligations, fail to respond within a certain time, or provide no valid complaint channel may the data subjects bring a lawsuit before the court for relief.
- On March 11, 2021, the People's Procuratorate of Yuhang District, Hangzhou, Zhejiang Province submitted a civil public interest litigation to the Hangzhou Internet Court against a short video platform for failing to inform the guardian of a minor's account, in a clear and conspicuous way, of the collection and retention of the minor's personal information, and for failing to obtain express and effective consent. The company also failed to obtain express consent again before directly pushing short videos containing minors' information. During the litigation, the company made the 34 corrections requested by the People's Procuratorate of Yuhang District and settled the case.
- In May 2022, the People's Procuratorate of Putuo District, Shanghai published its first non-prosecution case. Company Z faced criminal liability for its use of crawler technology. It applied to the Procuratorate of Putuo District for non-prosecution and corrected all the issues within the rectification period.