Shanghai: Shanghai Data Regulations - Regionalising data protection in China

The Shanghai Municipal People's Government announced, on 29 November 2021, that the 37th meeting of the Standing Committee of the 15th Shanghai Municipal People's Congress adopted, on 25 November 2021, the Shanghai Data Regulations ('the Regulations'). OneTrust DataGuidance breaks down the key provisions of the Regulations, featuring insights from Carol Sun, Partner at Yuanda Law Offices.

The Regulations set out rules for the processing of information. In particular, Chapter 1 provides general provisions on data subjects' rights and the standardisation of data processing activities. In addition, the Regulations note that their provisions are in accordance with the Data Security Law of the People's Republic of China ('DSL') and the Personal Information Protection Law of the People's Republic of China ('PIPL').

Notification obligations for data handlers

Chapter 2 of the Regulations establishes data handlers' obligations with regard to data subject rights, including consent requirements in line with the PIPL, and detailed notification obligations for data handlers (Article 20 of the Draft Regulations).

Sun stated, "[the Regulations are] consistent with the 'PIPL' regarding the notification obligation of data handlers (also translated as 'data processor', but with a similar concept to that of data controller under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')), although the draft of the Regulations originally contained more detailed provisions. The overall requirement of the Regulations and PIPL is to inform the individual 'truthfully, accurately, and completely in a conspicuous manner and in clear and understandable language'.

The matters to be notified include:

  • the title or name and contact information of the personal information handler;
  • the purpose and method of handling personal information;
  • type and storage period of the personal information;
  • the methods and procedures for individuals to exercise their rights; and
  • other matters that shall be notified in accordance with the provisions of laws and administrative regulations."

The Regulations also enhance data subjects' right to rectification and erasure. The Regulations specifically provide that data handlers must take the initiative to delete personal information in the following circumstances, noting that if the data handler does not delete the applicable data, the individual has the right to request deletion:

  • the processing purpose has been achieved or cannot be achieved, or the information is no longer necessary to achieve the processing purpose;
  • the processor ceases to provide products or services, or the storage period has expired;
  • individuals withdraw their consent;
  • the processor disposes of personal information in violation of laws, administrative regulations, or agreements; and
  • other circumstances stipulated by laws and administrative regulations (Article 21 of the Draft Regulations).

Application of facial recognition technology

The Regulations address the collection of specific types of data, including biometric data and data collected through the installation of image collection equipment. Specifically, Article 23 of the Regulations covers the collection of personal information in shopping malls, supermarkets, parks, scenic spots, public cultural stadiums, hotels, and other public spaces, as well as residential quarters and commercial buildings.

In this regard, Sun highlighted, "Articles 22 and 23 of the Regulations clarify multiple constraints for the application of biometrics information (including face recognition) identification technology. Article 22 requires a 'separate consent' from the data subject for the handling of biometrics information. Article 23 provides that, for face recognition equipment installed in public places, data handlers should confine its purpose to the necessity of preserving public safety and set a prominent notice of the installation of such face recognition equipment. The Regulations stipulate similar requirements of personal information protection as the PIPL, including without limitation the data subjects' rights and the prohibition of excessive collection. However, the Regulations provide more scrutiny regulation on biometric information by requiring data handlers to provide alternative plans when handling biometric information to fully safeguard the natural persons' rights of selection."

Data security protection obligations

The data security management obligations are laid out in Chapter 8 of the Regulations, which establishes data handlers as responsible for data security. Where there are multiple data handlers, each data handler must take responsibility for the corresponding data security (Article 78 of the Regulations).

Sun noted, "[t]he Regulations provide a comprehensive data security management system under the guidance of DSL. The data security chapter outlined in the Regulations is consistent with the DSL, such as the data security protection obligations and special protection of important data.

[More specifically,] the data security protection obligations are listed in sub-clauses separately in Article 79. The content is basically the same as DSL, which can be divided into three categories for understanding:

  • pre-prevention: establishing a data security management system, educating and training, and taking measures to ensure data security;
  • halfway handling: remediation of security defects and vulnerabilities, handling and reporting of security incidents; and
  • cybersecurity classified security protection requirements."

Data transactions

Article 54 of the Regulations addresses data handling by data transaction service institutions. In particular, it stipulates that data transaction service institutions must establish a standardised, transparent, safe, controllable, and traceable data transaction service environment, and formulate transaction service procedures as well as internal management systems.

Significantly, Sun noted that "[c]ompared with DSL, the Regulation provides a better understanding of data transaction management and the data transaction market by stipulating the content of data transactions, transaction pricing and the establishment of 'data exchange'."

Data reform and cooperation

Sun further commented, "A special chapter is set up in the Regulations to support Pudong New Area to play a leading and innovative role in respect of in-depth sharing of public data, data exchange, construction of international data port, cross-border data flow, industrial development and digital trust system. The biggest impact could come from the possible exploration of cross-border data flow. Article 67 of the Regulations stipulates that efforts shall be made to explore the formulation of a catalogue of low-risk data for cross-border flow in the Lin-Gang Special Area, which is the first time that the low-risk data catalogue for cross-border flow has been introduced in the form of legislation."

Harry Chambers, Privacy Analyst

Comments provided by:

Carol Sun, Partner
Yuanda Law Offices, Shanghai