DLA Piper Intelligence

Data Protection
Laws of the World

Breach Notification

The PRC Cybersecurity Law introduced a general requirement for the reporting and notification of actual or suspected personal information breaches. Where personal information is leaked, lost or distorted (or if there is a potential for such incidents), organizations must promptly take relevant measures to mitigate any damage and notify relevant data subjects and report to relevant government agencies in a timely manner in accordance with relevant provisions.

The PRC Cybersecurity Law does not prescribe a timeline for reporting personal information breaches or security incidents. However, the PIS Specification and other guiding circulars (such as the National Network Security Incident Contingency Response Plan), and the latest draft guidelines published by the CAC on the Administrative Measures for the Release of Information on Cyber Security Threats provide some guidelines on the reporting and notification of personal information breaches or security incidents.

Organizations should also adopt proactive measures to minimize the risk of personal information breaches or security incidents, including but not limited to, formulating a contingency plan, organizing trainings and conducting regular contingency drills.

Last modified 31 Dec 2019
Law
China

There is not a single comprehensive data protection law in the People's Republic of China (PRC). Instead, rules relating to personal data protection and data security are part of a complex framework and are found across various laws and regulations. Provisions found in laws such as the General Principles of Civil Law and the Tort Liability Law have generally been used to interpret data protection rights as a right of reputation or right of privacy. However, such interpretation is not explicit.

On June 1, 2017, the PRC Cybersecurity Law came into effect and became the first national-level law to address cybersecurity and data privacy protection. Following this, there has been an abundance of implementing regulations and guidelines (herein referred to as Guidelines) proposed, issued or revised to flesh out the essentials and concepts introduced under the PRC Cybersecurity Law. These include, non-exhaustively:

  • National Standard of Information Security Technology – Personal Information Security Specification (PIS Specification), effective from May 1, 2018 (a revised draft is currently circulated for consultation);
  • Guidelines on Internet Personal Information Security Protection, effective from April 19, 2019; and
  • Draft National Standard of Information Security Technology – Guidelines on Personal Information Security Impact Assessment, released on June 11, 2018.

In addition to the PRC Cybersecurity Law, the following form the backbone of general data protection rules currently in the PRC:

  • The Decision on Strengthening Online Information Protection, effective from December 28, 2012 (Decision) and
  • National Standard of Information Security Technology – Guideline for u Personal Information Protection within Information System for Public and Commercial Services, effective from February 1, 2013

The Decision has the same legal effect as law, and its purpose is to protect online information security, safeguard the lawful rights and interests of citizens, legal entities or other organizations, and ensure national security and public interests. While the PIS Specification and other Guidelines are only technical guides (covering in detail key issues such as data transfers, sensitive personal information and data subject rights), and thus not legally binding, they are highly persuasive. Given the lack of binding laws and regulations which provide detailed guidance on data processing, the PIS Specification and other Guidelines are important references. Therefore, compliance with the PIS Specification and other Guidelines is recommended as best practice.

Provisions contained in other laws and regulations may also apply depending on the industry or type of information involved (for example, personal information obtained by financial institutions and e-commerce businesses, personal information collected by telecom or Internet service / content providers, healthcare and genetic information, etc.).

Applicability of other laws or regulations (including provincial level laws) such as the PRC Criminal Law, PRC E-Commerce Law, PRC Consumer Rights Protection Law, will invariably depend on the factual context of each case and further independent analysis is recommended.

Finally, it should be noted that the Legal Committee of the National People’s Congress Standing Committee announced in late December 2019 that the enactment of legislation on personal data protection and security is a priority in the next legislative year. As such, it is recommended that organisations continue to monitor the developments of the PRC data protection regulatory regime.

Last modified 31 Dec 2019
Definitions

Definition of personal data

There is no single, pervasive definition of personal data in the PRC, but the concept of personal data in the various laws, regulations and guidance that comprise the data protection framework in the PRC are starting to become more aligned.

In summary, personal data (which is generally referred to as ‘personal information’ in the PRC) means all kinds of information (including sensitive personal information) recorded by electronic means or otherwise that can be used to independently identify or be combined with other information to identify a natural person's information.

Definition of sensitive personal data

Similar to personal information, there is no single, pervasive definition under binding laws in the PRC for sensitive personal data (which is generally referred to as 'sensitive personal information' in the PRC).

However, the PIS Specification – which as noted above is a non-binding, highly persuasive standard – provides some distinction between sensitive personal information and general personal information. Sensitive personal information is defined in the PIS Specification as personal information which, if disclosed or abused, will lead to adverse impact to the data subject. Examples of sensitive personal information as set out in the PIS Specification include personal identification number, mobile phone number, individual biometric information, bank account number, correspondence records and contents, property information, credit information, location tracking, lodging information, health and physiological information and transaction information etc.

Last modified 31 Dec 2019
Authority

There is no single PRC regulatory authority which deals exclusively with data protection / privacy matters. The Cyberspace Administration of China (CAC) is currently generally considered the primary data protection authority in the PRC, although various other legislative and administrative authorities have claimed jurisdiction over data protection matters, such as:

  • National People’s Congress Standing Committee
  • Ministry of Public Security
  • Ministry of Industry and Information Technology
  • State Administration for Market Regulation
  • Ministry of Science and Technology

Other sector-specific regulators, such as the People’s Bank of China or the China Banking and Insurance Regulatory Commission, may also monitor and enforce data protection issues of regulated institutions within their sector.  

Last modified 31 Dec 2019
Registration

Generally, there is no legal requirement in the PRC for data users to register with the data protection authority.

That said, there are specific registration requirements imposed on the sharing and transferring of specific categories of data (e.g. human genetic resources), and proposed filling requirements for security impact assessments (see section on Cross Border Transfers in Collection & Processing).

Last modified 31 Dec 2019
Data Protection Officers

There is no general requirement under binding PRC laws for organizations to appoint a data protection officer.

However, the PIS Specification requires an organization to appoint a data protection officer and a data protection department if the organization’s main business line involves data processing and the organization has either:

  • more than 200 employees
  • personal information of more than 500,000 individuals are processed, or personal information of more than 500,000 individuals is expected to be processed within 12 months
Last modified 31 Dec 2019
Collection & Processing

In general, express consent is required from the data subject before personal information can be collected, used, transferred or otherwise processed. In certain circumstances, such as collecting or processing sensitive personal information, overseas data transfers and direct marketing, specific consent (i.e., consent specific to the processing activity / transfer (rather than just general consent to the privacy notice, expressed through an affirmative action) is required from the data subject. As a matter of best practice, and given the wide definition of sensitive personal information, explicit consent is recommended.

In addition, a data controller (i.e. the organization who has the authority to determine the purposes, means or method of processing) should provide data subjects with a privacy policy or other form of notice, informing them of the scope and ways in which their personal data is collected, processed and disclosed, including the following information:

  • the identity of the data controller, including its registered name, registered address, principal office, a telephone number and / or an e-mail address;
  • a list of personal information collected for each business purpose;
  • the location of storage, retention period, means of use / processing and scope of the personal information collected;
  • the purposes sought by the data controller, i.e., what the data controller uses the data for (for instance, supplying goods and services, creating a user account, processing payments, managing subscriptions to the newsletters, etc.). These should be as comprehensive as possible, as additional purposes will require new consent;
  • circumstances under which the data controller will transfer, share, assign personal data to third parties (including intra-group entities) or publicly disclose personal data, the types of personal data involved in these circumstances, and the types of third party data recipients;
  • data security capabilities of, and data protection measures to be adopted by, the data controller;
  • the rights of data subjects and mechanisms for them to exercise such rights, e.g. methods to access, rectify or delete their personal information, to de-register their accounts, withdraw their consent, to obtain copies of their personal information and to restrict automated decision by the data system etc.;
  • potential risks for providing personal data, as well as possible consequences for not providing the data; and
  • channels and procedures for making inquiries and lodging complaints by data subjects, as well as external dispute settlement body and contact information.

The information in the privacy policy must be true, accurate and complete. The contents of the privacy policy must be clear and easy to understand, and ambiguous language should be avoided. The privacy policy should be made available to the data subject when collecting consent, and published publicly and easily accessible. When changes occur to the information provided in the privacy policy, the data subject should be notified of such changes and further consent may need to be obtained.

Collection from individuals under 14 years old is prohibited unless explicit consent is obtained from their legal guardians.

Last modified 31 Dec 2019
Transfer

If a data controller wishes to share, disclose or otherwise transfer an individual's personal information to a third party (including group companies), the data controller must:

  • inform the data subject of the purposes of the sharing, disclosure or transfer of the personal information and the types of data recipient, and obtain prior express consent from the data subject;
  • perform a personal information impact assessment, and take effective measures to protect the data subjects according to the assessment results (for example putting in place a data transfer agreement or similar contractual protections);
  • record accurately and keep the information in relation to the sharing, disclosure or transfer of the personal information, including the date, scale, purpose and basic information of the data recipient of the sharing or assigning; and
  • not share or transfer any personal biometric information or other types of particularly sensitive personal information where prohibited under relevant laws or regulations.

Cross-border transfers

Where the sharing, disclosure or transfer of the personal information is to a third party outside of the PRC, additional rules will apply. Data localization is an increasing trend in the PRC, with various draft measures as well as sector-specific regulations prohibiting the transfer of certain personal information outside the borders of the PRC. Although to what extent these rules apply remains unclear and further clarification from the regulators is expected, there has been more guidance published by certain regulators for example on healthcare data and the specific requirements on human genetic data. We anticipate more to come in the upcoming year.

Under the current prevailing understanding, in order to transfer or access personal information outside of the PRC, the data controller must:

  • inform the data subject of the transfer outside of the PRC, and obtain explicit consent of the data subject before the personal information is shared, disclosed or transferred;
  • store a copy of the data within the PRC; and
  • conduct a security assessment (in addition to the personal information impact assessment described above), which is likely to be a self-assessment.

On June 13 2019, the CAC circulated for public comment the Measures on Cross Border Transfer Security Assessment (Measures). The Measures introduced a range of activities that organisations should undertake prior to overseas translations, including non-exclusively:

  • all network operators (and not just critical information infrastructure operators (CIIO)) will now have to undertake a security assessment before transferring personal overseas, and file this with the local CAC;
  • establish data transfer agreements with all offshore data recipients;
  • submit annual report to the CAC on the status of cross border transfers and the performance of data transfer agreements;
  • maintain a log of all cross border transfers of personal information for at least give years;
  • establish and maintain an effective incidental response plan and report all major data security incidents; and
  • appoint a designated officer to take control and address compliance with data protection and security requirements, and to liaise with relevant authorities.

In addition to the above requirements, additional restrictions apply to transfers of certain types of information outside of the PRC, for example (this is not a comprehensive list):

  • certain categories of regulated (personal and non-personal) data are not permitted to leave the PRC at all, such as state secrets;
  • the People’s Bank of China (PBOC) requires all onshore banks to store, handle and analyse personal financial information collected in China, and not transfer abroad such data unless otherwise permitted by law or approved by the PBOC;
  • all medical, health care, and family planning service entities are required to store population and health information on onshore servers; and
  • data relating to human genetic resources cannot be transferred abroad without the approval of the Ministry of Science and Technology.
Last modified 31 Dec 2019
Security

Organizations must take appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss, destruction of, or damage to, personal information. The measures taken must ensure a level of security appropriate to the harm that may result from such unauthorized or unlawful processing, accidental loss, destruction or damage, and appropriate to the nature of the data.

Under the PRC Cybersecurity Law, network operators (i.e. organizations that own or operate IT networks / infrastructure and, it is thought, even just websites in China) must implement technical and other necessary measures to ensure the security of personal information and to prevent the data from being accidentally disclosed, tampered with or destroyed. Remedial measures must be taken immediately if personal information is being or is likely to be disclosed, tampered with or destroyed. Network operators should also establish systems to handle complaints or reports about personal information security, publish the means for individuals to make such complaints or reports, and promptly handle any such complaints or reports received. Organizations deemed CIIOs (see above) must apply additional security safeguards.

The PRC Cybersecurity Law implemented a multi-level protection scheme for cybersecurity protection of information systems by network operators. Information systems are classified into 5 tiers and the security standard goes higher from tier 1 to tier 5. Organizations should conduct a self-evaluation and determine the tier(s) to which its information systems belong, based on relevant laws, regulations and guidelines. Filing to the Public Security Bureau is required and, in certain circumstances, assessment by accredited third party may also be required, depending on the determined tier level of a respective information system.

Further national standards and guidelines have been published to provide further details and requirements on the process and technical aspect of the tiered system.

If a data controller appoints a data processor to process personal information on its behalf, the data controller should ensure sufficient measures are adopted by the data processor to protect the personal information: for example, to conduct due diligence and regular audits on data processor to ensure the data processor adopts sufficient and adequate security measures; and put in place an appropriate data processing agreement with the data processor.

Last modified 31 Dec 2019
Breach Notification

The PRC Cybersecurity Law introduced a general requirement for the reporting and notification of actual or suspected personal information breaches. Where personal information is leaked, lost or distorted (or if there is a potential for such incidents), organizations must promptly take relevant measures to mitigate any damage and notify relevant data subjects and report to relevant government agencies in a timely manner in accordance with relevant provisions.

The PRC Cybersecurity Law does not prescribe a timeline for reporting personal information breaches or security incidents. However, the PIS Specification and other guiding circulars (such as the National Network Security Incident Contingency Response Plan), and the latest draft guidelines published by the CAC on the Administrative Measures for the Release of Information on Cyber Security Threats provide some guidelines on the reporting and notification of personal information breaches or security incidents.

Organizations should also adopt proactive measures to minimize the risk of personal information breaches or security incidents, including but not limited to, formulating a contingency plan, organizing trainings and conducting regular contingency drills.

Last modified 31 Dec 2019
Enforcement

Possible enforcement of, and sanctions for, a data protection breach in the PRC will depend on the specific data protection laws and regulations breached. Sanctions in relation to data protection breaches are scattered across various different laws and regulations, and the measures described below may not be comprehensive in all situations, as additional laws or regulations may be applicable depending on the industry or type of information at hand.

Generally, the civil and criminal sanctions and administrative penalties for data protection breaches include warnings, orders to rectify, fines, confiscation of unlawful income, compensation to victims, cancellation of licences, prison sentences, closing down of websites and prohibition on engaging in certain types of business in the future.

Typically, it would be a graded approach – warning and requirement to comply, then possibly fines up to approximately RMB 500,000. Affected individuals may also potentially claim for indemnification under the Tort Liability Law. In severe cases, breaches may lead to higher fines being imposed or the revocation of license. Responsible personnel could be prohibited from engaging in relevant business and their conduct could be recorded in their social credit files. Depending on the severity of the illegal conduct, the responsible person could also be subject to detention or up to seven years of imprisonment, plus a concurrent fine to the organization if applicable.

The enforcement environment is evolving rapidly as individuals are increasingly aware of their data protection rights and as data protection obligations expand as laws develop and are added in China. For example, the PRC Cybersecurity Law suggests the possibility of ordering corrections, issuing warnings, confiscation of illegal gains and fines of up to 10 times of illegal gains (or fines of up to RMB 1,000,000 where there is no illegal gain) upon discovery of violation in handling personal information. The responsible persons may also be fined between RMB 10,000 to 100,000.

Last modified 31 Dec 2019
Electronic Marketing

Direct marketing by electronic means is only possible if the targeted consumers have explicitly consented to receiving such messages either at the time their electronic address / mobile phone number was collected or at a later time.

Specific information must be stated in each electronic message: for example, the identity of the entity sending the message, and a mark identifying "(advertisement in Chinese)" or "AD" on a direct marketing message.

There are also specific rules applicable to direct marketing by text messages (SMS), and certain specific prescribed information must be provided to data subjects at the time their mobile phone number was collected or prior to sending direct marketing text messages. 

Last modified 31 Dec 2019
Online Privacy

The PRC Cybersecurity Law, Consumer Protection Law and E-Commerce Law offer similar protection to consumer / user personal information. Data controllers should strengthen management of information provided by users, prohibit the transmission of unlawful information and take necessary measures to remove any infringing content, then report to supervisory authorities. Sufficient notice and adequate consent should be obtained from data subjects prior to the collection and use of personal information. Further obligations are imposed on mobile apps providers including but not limited to conducting real-name identification, undertaking information content review.

In the past year, the regulators have issued a range of guidelines targeting mobile app providers. These guidelines introduce specific data protection and privacy obligations aiming to regulate the data collection practices and processing activities of mobile app providers. There has also been a crackdown against (suspected) non-compliant mobile apps. Organisations are advised to review their app compliance as a matter of priority.

Under the PRC Cybersecurity Law, PRC Consumer Protection Law, PRC E-Commerce Law and the PIS Specification, data subject have specific rights, such as, to access their data, to correction of their data, to request deletion of data in the event of a data breach, to de-register their account etc.

There are currently no specific requirements regarding cookies within existing laws or regulations in the PRC. However, the use of cookies and / or similar tracking technologies, to the extent they constitute processing of personal information, should be notified to data subjects as part of a privacy policy and adequate consent should be obtained from data subjects for such use.

Further information

See our Navigating China series for more information on China’s evolving cybersecurity and data protection landscape.

Last modified 31 Dec 2019
Contacts
Carolyn Bigg
Carolyn Bigg
Partner
T +852 2103 0576
Venus Cheung
Venus Cheung
Registered Foreign Lawyer
T +852 2103 0572
Last modified 31 Dec 2019