DLA Piper Intelligence
Data Protection Laws of the World

China

Law

Currently, there is no comprehensive data protection law in the People's Republic of China ('PRC'). Instead, rules relating to personal data protection are found across various laws and regulations. Generally speaking, provisions found in laws such as the General Principles of Civil Law and the Tort Liability Law may be used to interpret data protection rights as a right of reputation or a right of privacy. However, such interpretation is not explicit. A draft Personal Data Protection Law has been under review by the PRC Government for many years, but there is still no indication as to if and when such a law will be passed.

The following form the backbone of general data protection rules currently in the PRC:

  • The Decision on Strengthening Online Information Protection (promulgated and effective on 28 December 2012; the ‘Decision’) adopted by the Standing Committee of the National People’s Congress, and
  • National Standard of Information Security Technology – Guideline for Personal Information Protection within Information System for Public and Commercial Services (promulgated 5 November 2012 and effective on 1 February 2013, GB/Z 28828-2012; the ‘Guideline’) as published by the General Administration of Quality Supervision, Inspection and Quarantine of China and the Standardization Administration of China,

(collectively referred to as the ‘General Data Protection Law’). The purpose of the Decision is to protect online information security, safeguard the lawful rights and interests of citizens, legal entities and other organizations, and ensure national security and public interests. The Decision has the same legal effect as a law. While the Guideline is only a technical guide and thus not legally binding, it is considered important because its scope extends to any “processing of personal information through information systems” (not necessarily connected to the Internet), and because it covers in detail key issues such as data exports, sensitive data, data subject access and the right to rectification. Given the lack of binding laws and regulations providing detailed guidance on data processing, the Guideline is a useful reference, and compliance with it is recommended as good practice.

In addition to the General Data Protection Law, provisions contained in other laws and regulations may be applicable depending on the industry or type of information at issue (for example, personal information obtained by financial institutions, e-commerce businesses, certain healthcare providers, or telecom or Internet service/content providers is subject to special regulation). For example (this is not an exhaustive list):

  • The Criminal Law of the People’s Republic of China prohibits sale or illegal provision of, or illegal access (such as theft) to citizens' personal information.
  • Provisions of the Supreme People’s Court on Several Questions relating to the Applicable Law of Civil Disputes Concerning the Use of Informational Network to Harm Personal Rights and Interests (promulgated on 21 August 2014, and effective on 10 October 2014), which are applicable to Internet users and Internet service providers who use information networks to infringe the privacy rights of a third party.
  • The Provisions on Telecommunication and Internet User Personal Information Protection (promulgated on 19 July 2013 and effective on 1 September 2013), which are applicable to telecom and Internet service providers.
  • The Guidelines for the Supervision of Information Technology Outsourcing Risks of Banking Financial Institutions, which would be applicable to banks who are outsourcing information technology services.
  • The Consumer Rights Protection Law of the People’s Republic of China (promulgated 25 October 2013 and effective on 15 March 2014; the ‘Consumer Protection Law’) contains data protection obligations which are applicable to most if not all types of businesses that deal with consumers. The Consumer Protection Law was supplemented by the Measures on Penalties for Infringing Upon the Rights and Interests of Consumers (promulgated in January 2015) ('Consumer Protection Measures'). Further, the draft Implementation Regulations for the Consumer Protection Law of the People's Republic of China (Draft for Review) ('Draft Consumer Protection Regulations') were formulated and published for consultation in 2016 by the State Administration for Industry and Commerce and reiterate and clarify some of the data protection obligations as regards consumers' personal data.

A significant recent development is the Cybersecurity Law, which was passed on 7 November 2016 and comes into force on 1 June 2017. The new law, which has been widely reported in both the local and international press, introduces a range of new rules relating to networks and online activities in the PRC, including enhanced data protection/security obligations. It has significant implications for the data protection and data/cyber security practices of both Chinese companies and international organisations doing business in the PRC. In short, as regards data protection it imposes new security and data protection obligations on "network operators"; and puts restrictions on transfers of certain data (including personal information of PRC citizens) outside of the PRC by "key information infrastructure operators" ('KIIOs'). Some of the data protections within the Cybersecurity Law formalise as binding legal obligations some data protection safeguards that were previously only perceived as good practice in the PRC.

Please note that our discussion here only covers the General Data Protection Law, the Cybersecurity Law and the Consumer Protection Law, as these laws have the most direct, general and broad application to most if not all types of businesses in the PRC. Applicability of other laws or regulations will invariably depend on the factual context of each case and further independent analysis is recommended (for example, businesses in the banking, healthcare or securities sectors will be subject to industry-specific data protection regulations, and employee personal data attracts some protections under employment laws).

Last modified 26 Jan 2017
Definitions

Definition of personal data

There is no single, pervasive definition of personal data in the PRC, but the definitions in the various laws, regulations and guidance that comprise the data protection framework in the PRC are starting to become more aligned.

Personal data (referred to as ‘personal information’ in the Decision) means any electronic information which can enable identification of a citizen's individual identity and which relates to personal privacy. This definition was further clarified in the Guideline as any data or information in connection with a specific individual, which can be used, separately or in combination with other data, to identify the individual.

The Consumer Protection Law does not provide a definition for personal information, but the Consumer Protection Measures and Draft Consumer Protection Regulations define consumer personal information as a consumer's name, gender, occupation, date of birth, identification document number, residential address, contact information, status of income and assets, health status, consumption habits, identifying biological characteristics and other information collected by business operators during their provision of goods or services that may, independently or in combination with other information, identify the consumer.

Under the Cybersecurity Law, personal information is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information, is sufficient to identify a natural person's identity, including, but not limited to, the natural persons' full name, date of birth, identification numbers, personal biometric information, addresses, telephone numbers and so forth.

Definition of sensitive personal data

The Guideline makes a distinction between sensitive personal information and general personal information. In the Guideline, sensitive personal information is defined as personal information the leakage or alteration of which may result in adverse impact to the data subject. What comprises sensitive personal information in practice depends on the intention of the data subject as well as the nature of the activities to be undertaken. Examples may include personal identification number, mobile phone number, race, political view, religious belief, genes or fingerprints. General personal information is personal data other than personal sensitive information.

The Decision, the Consumer Protection Law and the Cybersecurity Law do not make such distinction.

Last modified 26 Jan 2017
Authority

There is no national data protection authority in the PRC.

Last modified 26 Jan 2017
Registration

The PRC does not maintain a register of data administrators, personal data processing activities or databases containing personal information.

Last modified 26 Jan 2017
Data Protection Officers

There is no legal requirement in the PRC for organizations to appoint a data protection officer.

The Guideline however recommends that a specific institution or specific personnel be appointed to be responsible for the internal management of personal data protection.

Last modified 26 Jan 2017
Collection & Processing

Under the Guideline, the organisation ('Data Administrator') should have a specific, clear and reasonable purpose when collecting personal information. Before a Data Administrator collects and processes personal information, they should notify the data subject of the following:

  • the purpose of the data processing
  • the methods of collection, scope of the data collected and the intended use
  • retention period

  • whether the data will likely be disclosed to a third party and the type of personal information that may be disclosed
  • the measures protecting the personal information
  • the name, address and contact information of the Data Administrator
  • the potential risks to the data subject of providing the requested personal information
  • the consequences of not providing the requested personal information
  • channels for data subjects to check and/or correct personal information and submit complaints, and
  • if personal information is to be transferred to or entrusted with another organisation or institution: (i) purposes of transfer or entrustment, (ii) scope of data transferred or entrusted and the intended use, and (iii) the name, address, contact method of the data recipient.

Under the Guideline, consent is required from the data subject before the personal information can be processed. Consent can be explicit or implicit. Implicit consent is sufficient for collection of general personal information. Explicit consent is required for collection of sensitive personal information. If the data subject clearly objects - and data subjects have the right to vary or withdraw consent - collection, use and disclosure should be discontinued or the personal information should be destroyed. Furthermore, personal information should be collected on a minimally required basis. Indirect or hidden collection methods are prohibited. Collection from those with limited or no capacity for civil conduct (generally persons under 16 years old) is prohibited unless consent is obtained from their parent/legal guardian.

Under the Guideline, the Data Administrator should process personal data for the stated purposes and within the scope notified to the data subject. Furthermore, personal information should be kept accurate and up to date during processing.

Under the Decision, the Consumer Protection Law and the Cybersecurity Law, organisations caught by those rules may collect and use personal information if the following conditions are met:

  • abide by the principles of legality, legitimacy and necessity, and may not be excessive
  • explicitly notify the purposes, means and scope of collection, use and disclosure of personal information

  • obtain the data subject's clear consent to the personal information collection, use and disclosure;
  • not violate laws, regulations or agreements between the organisation and the data subject when collecting or using the personal information, and
  • make publicly available the organisation's rules regarding collection and use of personal information.

Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided in the Cybersecurity Law.

The rules do not apply to truly (and irreversibly) anonymised data according to the Cybersecurity Law and the Draft Consumer Protection Regulations.

Last modified 26 Jan 2017
Transfer

Under the Guideline, a Data Administrator may transfer personal information to third parties if the following conditions are met:

  • the Data Administrator does not transfer in contravention, or outside the scope, of the transfer purposes notified to the data subject;

  • the Data Administrator ensures, by contractual means, that the data recipient has the capability and is responsible for properly processing the personal information in accordance with the Guideline;

  • personal information will be kept confidential (i.e. not disclosed to any individual, organisation or institution) during the transfer and processing by the data recipient;

  • the Data Administrator ensures that the personal information is kept accurate and up to date; and

  • unless explicit consent is obtained from the data subject, or permitted by laws or regulations, or express authorisation is obtained from relevant authorities, personal information must not be transferred to a data recipient outside the borders of the PRC.

With respect to transfers, there are no specific requirements in the Decision.

The Consumer Protection Law provides that organisations caught by the Consumer Protection Law and their employees must keep consumers' personal information they collect strictly confidential and must not disclose, sell, or illegally provide it to others, and the Draft Consumer Protection Regulations clarify that this is unless there is data subject consent.

The Cybersecurity Law prohibits disclosure or transfer of an individual's personal information to others without the individual's consent. It further includes requirements for personal information of Chinese citizens and “important data” collected by KIIOs to be kept within the borders of the PRC. If there are business needs for the KIIOs to transfer this data outside of the PRC, security assessments must be conducted. The definition of KIIOs remains to be finalised.

Data localisation is an increasing trend in the PRC, with various sector specific regulations prohibiting transfer of personal information outside the borders of the PRC.

Last modified 26 Jan 2017
Security

Under the Guideline, a Data Administrator must take appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction of, or damage to, personal information. The measures taken must ensure a level of security appropriate to the harm that may result from such unauthorised or unlawful processing, accidental loss, destruction or damage, and appropriate to the nature of the data.

Furthermore, the Data Administrator should:

  • plan, design and implement a systemic personal information management process
  • design standard personal information management and implement the responsibility of managing personal information
  • designate expert organisations or personnel to be responsible for the internal management of personal information protection, available to process data subject complaints or inquiries
  • design and implement educational training on personal information protection
  • set up an internal management control system for personal information protection, and
  • periodically conduct assessments on the status and implementation of personal information security, protection standards and measures either on its own or through an independent evaluation agency.

The Decision requires technical and other necessary measures to be taken to ensure information security and to prevent the leakage, damage or loss of personal information. Where there is a risk or occurrence of information leakage, damage or loss, remedial measures must be taken.

Similar data security obligations apply under the Consumer Protection Law.

Under the Cybersecurity Law, network operators are required to establish information protection systems. In particular, network operators must implement technical and other necessary measures to ensure the security of personal information and to prevent the collected data from being accidentally disclosed, tampered with or destroyed. Remedial measures must be taken immediately if personal information is being or is likely to be disclosed, tampered with or destroyed. Network operators should also establish systems to handle complaints or reports about personal information security, publish the means for individuals to make such complaints or reports, and promptly handle any such complaints or reports received.

Last modified 26 Jan 2017
Breach Notification

The Guideline recommends that Data Administrators should promptly notify a data breach to affected data subjects, and in case of major breach promptly report to the personal information protection management department.

Under the Cybersecurity Law, network operators must promptly inform data subjects if their personal information is disclosed, tampered with or destroyed, and notification must also be made promptly to the relevant authorities.

Last modified 26 Jan 2017
Enforcement

Possible enforcement of, and sanctions for, a data protection breach in the PRC will depend on the specific data protection laws and regulations breached. The PRC currently lacks a centralised enforcement mechanism for data protection and there is no single data protection authority or any other state agency established to monitor the protection of personal data.

Sanctions in relation to data protection breaches are scattered across various different laws and regulations, and the measures described below may not be comprehensive in all situations, as additional laws or regulations may be applicable depending on the industry or type of information at hand.

Typically, it would be a graded approach - warning and requirement to comply, then possibly fines up to approximately RMB500,000. Affected individuals may also potentially claim for indemnification under the Tort Liability Law. In severe cases, breaches may lead to higher fines being imposed or the revocation of licence. Responsible personnel could be prohibited from engaging in relevant business and their conduct could be recorded in their social credit files. Depending on the severity of the illegal conduct, the responsible person could also be subject to detention or up to seven years of imprisonment, plus a concurrent fine to the organisation if applicable.

The data protection provisions of the Criminal Law have been the most widely used provisions to enforce privacy protection in the PRC. Essentially, only the illegal sale or purchase of personal data is subject to enforcement under the Criminal Law.

However, the enforcement environment is evolving rapidly as individuals become increasingly aware of their data protection rights and as data protection obligations expand with the development of new laws in China. For example, the Cybersecurity Law provides for ordering corrections, issuing warnings, confiscation of illegal gains and fines of up to ten times the illegal gains (or fines of up to RMB1,000,000 where there is no illegal gain) upon discovery of a violation in the handling of personal information. The responsible persons may also be fined between RMB10,000 and RMB100,000.

Last modified 26 Jan 2017
Electronic Marketing

Under the Decision, individuals and organisations are prohibited from acquiring personal electronic information by theft or other illegal methods; and from selling or unlawfully providing personal electronic information to anyone else. Similar prohibitions on unlawful sale or supply of personal information apply under the Cybersecurity Law.

The Decision prohibits individuals and organisations from sending commercial electronic information to a personal fixed-line telephone, mobile phone or email address without the consent or request of the electronic information recipient, or where the recipient has explicitly declined to receive such information.

The Consumer Protection Law prohibits sending of commercial information where the consumer has not consented, made any request to receive the information, or has explicitly indicated he/she does not wish to receive the information. The Draft Consumer Protection Regulations would, if implemented, clarify that business operators are prohibited from sending consumers electronic information or telephone calls of a commercial nature without clear consent from consumers. The Draft Consumer Protection Regulations would further clarify that consumers should not bear the costs of consented-to commercial communications unless otherwise agreed.

The "Provisions on Administration of Internet Information Search Services" published by the Cyberspace Administration of China came into force on August 1, 2016 and require Internet search providers to ensure objective, fair and authoritative search results and remove any illegal content. Service providers must establish an information security management system to protect personal information and regularly examine the qualifications of public information. All pay-for-performance searches need to be clearly labelled on an item by item basis.

Last modified 26 Jan 2017
Online Privacy

The Decision indicates that network service providers and other companies should ensure the privacy of personal electronic information. They may not disclose, falsify or damage personal electronic information, nor sell or unlawfully provide it to anyone else. The Consumer Protection Law and the Cybersecurity Law offer similar protection to consumer/user personal information.

The Decision also indicates that network service providers should strengthen management of information provided by users. Network service providers should stop the transmission of unlawful information, take necessary measures to remove it, preserve the relevant records, and then report to the supervisory authorities.

Once citizens find network information that discloses their identity or breaches their legal rights, or are harassed by commercial electronic information, they have the right to require that the network service provider delete related information or take measures to prevent such behaviors.

Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided by the Cybersecurity Law, which generally prescribes data protection and data security obligations by network operators.

Under the Decision, network service providers must require users to provide genuine identification ('real name') information when signing agreements to grant them access to the Internet, fixed-line telephone or mobile phone services or to permit users to make information public.

In relation to online privacy for mobile apps, the "Provisions on Administration of Information Services of Mobile Internet Application Programs" require app providers to adopt real-name registration and verify users' identities based on mobile phone numbers or other information. Providers are prohibited from collecting users' location data, reading their contacts, starting the recording function or camera, or activating any other irrelevant functions without clear notification and the users' consent. Furthermore, app publishers are required to establish information content review and management mechanisms, including punishing anyone releasing illicit information through warnings, limitation of functions, cessation of updates, or shutting down accounts.

There are currently no specific requirements regarding cookies within existing laws or regulations in the PRC.

Last modified 26 Jan 2017
Contacts
Scott Thiel
Partner & Co-Chair of Asia-Pac Data Protection and Privacy Group
T +852 2103 0519
Last modified 26 Jan 2017