DLA Piper Intelligence

Data Protection
Laws of the World

Law

China

There is not a single comprehensive data protection law in the People's Republic of China (PRC). Instead, rules relating to personal data protection and data security are part of a complex framework and are found across various laws and regulations. Provisions found in laws such as the General Principles of Civil Law and the Tort Liability Law have generally been used to interpret data protection rights as a right of reputation or right of privacy. However, such interpretation is not explicit.

On June 1, 2017, the PRC Cybersecurity Law came into effect and became the first national-level law to address cybersecurity and data privacy protection. However, there remains considerable uncertainty as to how the PRC Cybersecurity Law will be applied and what practical steps need to be taken to achieve compliance, and the regulatory environment continues to evolve rapidly. Draft guidelines are currently published almost weekly; it is expected that some guidelines and national standards will be finalized in the coming months to further assist organizations in complying with the data protection obligations imposed under the PRC Cybersecurity Law. These include (this is not an exhaustive list):

  • Draft Guidelines on Multi-Level Protection Scheme for Information Systems released on June 27, 2018;
  • Draft National Standard of Information Security Technology – Guidelines for Personal Information Security Impact Assessment released on June 11, 2018;
  • Draft National Standard of Information Security Technology – Guidelines on Data Security Capability Maturity Model released on September 29, 2018; and
  • Draft Guideline for Internet Personal Information Security Protection released on November 30, 2018.

In addition to the PRC Cybersecurity Law, the following (together with a number of new laws and regulations released and passed to supplement the PRC Cybersecurity Law) form the backbone of general data protection rules currently in the PRC:

  • The Decision on Strengthening Online Information Protection, effective from December 28, 2012 (Decision)
  • National Standard of Information Security Technology – Guideline for Personal Information Protection within Information System for Public and Commercial Services, effective from February 1, 2013 (Guideline)
  • National Standard of Information Security Technology – Personal Information Security Specification, effective from May 1, 2018 (PIS Specification)

The purpose of the Decision is to protect online information security, safeguard the lawful rights and interests of citizens, legal entities or other organizations, and ensure national security and public interests. The Decision has the same legal effect as a law. While the Guideline and PIS Specification are only technical guides and thus not legally binding, they are highly persuasive. Unlike the Decision (which is more of a general overview of the guiding principles relating to data protection), the Guideline and the PIS Specification cover in detail key issues such as data transfers, sensitive personal information, and data subject rights. Given the lack of binding laws and regulations which provide detailed guidance on data processing, the Guideline and PIS Specification are important references. Therefore, compliance with the Guideline and PIS Specification is recommended as best practice.

Provisions contained in other laws and regulations may also apply depending on the industry or type of information involved (for example, personal information obtained by financial institutions, e-commerce businesses, certain healthcare providers, or telecom or Internet service/content providers is subject to special regulation). For example (this is not an exhaustive list):

  • The PRC Criminal Law prohibits sale or illegal provision of, or illegal access (such as theft) to citizens' personal information;
  • The Provisions on Telecommunication and Internet User Personal Information Protection (effective from September 1, 2013), which are applicable to telecom and Internet service providers;
  • The Guidelines for Data Governance of Banking Financial Institutions, which are applicable to banking financial institutions established within the territory of the PRC licensed by the PRC banking regulatory authorities;
  • The People's Bank of China's Circular on Further Intensifying Management of Credit Information Security (effective from May 2, 2018) setting out obligations to strengthen credit information security in relation to access to database for financial credit information;
  • The PRC Consumer Rights Protection Law (effective from March 15, 2014) (Consumer Protection Law) contains data protection obligations which are applicable to most, if not all, types of businesses that deal with consumers. The Consumer Protection Law was supplemented by the Measures on Penalties for Infringing Upon the Rights and Interests of Consumers (effective from March 15, 2015);
  • Further, the draft Implementation Regulations for the PRC Consumer Protection Law released on 5 August 2016 will, if implemented, reiterate and clarify some of the data protection obligations as regards consumers' personal information; and
  • The PRC E-Commerce Law (effective from January 1, 2019), reiterating requirements to protect personal information in an e-commerce context (E-commerce Law).

Applicability of other laws or regulations will invariably depend on the factual context of each case, and further independent analysis is recommended (for example, businesses in the banking, healthcare or securities sectors may be subject to industry-specific data protection regulations, and employee personal data attracts some protections under employment laws).

Finally, the above only refers to national level laws. Provincial level laws may also need to be considered.

Last modified 4 Jan 2019
Definitions

Definition of personal data

There is no single, pervasive definition of personal data in the PRC, but the concept of personal data in the various laws, regulations and guidance that comprise the data protection framework in the PRC is starting to become more aligned.

In summary, personal data (which is generally referred to as 'personal information' in the PRC) means all kinds of information (including sensitive personal information), recorded by electronic means or otherwise, that can be used independently, or in combination with other information, to identify a natural person.

Definition of sensitive personal data

Similar to personal information, there is no single, pervasive definition under binding laws in the PRC for sensitive personal data (which is generally referred to as 'sensitive personal information' in the PRC).

However, the PIS Specification – which, as noted above, is a non-binding but highly persuasive standard – draws a distinction between sensitive personal information and general personal information. Sensitive personal information is defined in the PIS Specification as personal information which, if disclosed or abused, will lead to an adverse impact on the data subject. Examples of sensitive personal information set out in the PIS Specification include personal identification numbers, mobile phone numbers, individual biometric information, bank account numbers, correspondence records and contents, property information, credit information, location tracking, lodging information, health and physiological information and transaction information.

Last modified 4 Jan 2019
Authority

The Cyberspace Administration of China (CAC) is currently considered the primary data protection authority in the PRC, although there are also enforcement regulators such as the Ministry of Public Security, and sector-specific regulators that may monitor and enforce data protection issues, such as the People's Bank of China or China Banking Regulatory Commission which regulate banks and financial institutions.

Last modified 4 Jan 2019
Registration

There is no legal requirement in the PRC for data users to register with the data protection authority.

Last modified 4 Jan 2019
Data Protection Officers

There is no general requirement under binding PRC laws for organizations to appoint a data protection officer.

However, the PIS Specification requires an organization to appoint a data protection officer and a data protection department if the organization's main business line involves data processing and the organization either:

  • has more than 200 employees, or
  • processes the personal information of more than 500,000 individuals, or expects to process the personal information of more than 500,000 individuals within 12 months.

Last modified 4 Jan 2019
Collection & Processing

In general, express consent is required from the data subject before personal information can be collected, used, transferred or otherwise processed. In certain circumstances, such as collecting or processing sensitive personal information, overseas data transfers and direct marketing, specific consent (i.e., consent specific to the processing activity or transfer, expressed through an affirmative action, rather than just general consent to the privacy notice) is required from the data subject. As a matter of best practice, and given the wide definition of sensitive personal information, explicit consent is recommended.

In addition, a data controller (i.e. the organization who has the authority to determine the purposes, means or method of processing) should provide data subjects with a privacy policy or other form of notice, informing them of the scope and ways in which their personal data is collected, processed and disclosed, including the following information:

  • the identity of the data controller, including its registered name, registered address, principal office, a telephone number and/or an e-mail address
  • a list of personal information collected for each business purpose, location of storage, retention period, means and scope of the personal information collected
  • the purposes sought by the data controller, i.e., what the data controller uses the data for (for instance, supplying goods and services, creating a user account, processing payments, managing subscriptions to the newsletters, etc.). These should be comprehensive, as additional purposes will require new consent
  • circumstances under which the data controller will transfer, share, assign personal data to third parties or publicly disclose personal data, the types of personal data involved in the sharing, assignment or disclosure, and the types of third party data recipients
  • data security capabilities of the data controller, as well as the data protection measures to be adopted by the data controller
  • the rights of data subjects and the mechanisms for them to exercise these rights, e.g. methods to access, rectify or delete their personal information, to de-register their accounts, to withdraw their consent, to obtain copies of their personal information, and to restrict automated decision-making by the data system, and
  • the potential risks of providing personal data, as well as the possible impacts of not providing the data; and the channels and mechanisms for data subjects to make inquiries and lodge complaints, as well as the external dispute settlement body and its contact information.

The information in the privacy policy must be true, accurate and complete. The contents of the privacy policy must be clear and easy to understand, and ambiguous language should be avoided. The privacy policy should be made available to the data subject when collecting consent, and published publicly and easily accessible. When changes occur to the information provided in the privacy policy, the data subject should be notified of such changes and further consent may need to be obtained.

Collection from individuals under 14 years old is prohibited unless explicit consent is obtained from their legal guardians.

Last modified 4 Jan 2019
Transfer

If a data controller wishes to share, disclose or otherwise transfer an individual's personal information to a third party (including group companies), the data controller must:

  • not share or transfer any personal biometric information or other types of particularly sensitive personal information where prohibited under relevant laws or regulations
  • perform a personal information impact assessment, and take effective measures to protect the data subjects according to the assessment results (for example putting in place a data transfer agreement or similar contractual protections)
  • inform the data subject of the purposes of the sharing, disclosure or transfer of the personal information and the types of data recipient, and obtain prior express consent from the data subject
  • record accurately and keep the information in relation to the sharing, disclosure or transfer of the personal information, including the date, scale, purpose and basic information of the data recipient of the sharing or assigning

Cross-border transfers

Where the sharing, disclosure or transfer of the personal information is to a third party outside of the PRC additional rules will apply. Data localization is an increasing trend in the PRC, with various draft measures as well as sector specific regulations prohibiting the transfer of certain personal information outside the borders of the PRC – although to what extent these rules apply remains unclear and further clarification from the regulators is expected.

Under the current prevailing understanding, in order to transfer or access personal information outside of the PRC, the data controller must:

  • inform the data subject of the transfer outside of the PRC, and obtain explicit consent of the data subject before the personal information is shared, disclosed or transferred
  • store a copy of the data within the PRC
  • conduct a security assessment (in addition to the personal information impact assessment described above), which is likely to be a self-assessment, although for those organizations deemed critical information infrastructure operators (CIIO) regulatory input may be required.

In addition to the above requirements, additional restrictions apply to transfers of certain information outside of the PRC:

  • certain personal information within prescribed thresholds (yet to be finalized) may still not be able to leave the PRC
  • certain personal information governed by sector specific regulations, such as banking and online mapping, may also not leave the PRC
  • certain categories of regulated (personal and non-personal) data are not permitted to leave the PRC at all, such as 'important data' and state secrets.

Last modified 4 Jan 2019
Security

Organizations must take appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss, destruction of, or damage to, personal information. The measures taken must ensure a level of security appropriate to the harm that may result from such unauthorized or unlawful processing, accidental loss, destruction or damage, and appropriate to the nature of the data.

Under the PRC Cybersecurity Law, network operators (i.e. organizations that own or operate IT networks/infrastructure and, it is thought, even just websites in China) must implement technical and other necessary measures to ensure the security of personal information and to prevent the data from being accidentally disclosed, tampered with or destroyed. Remedial measures must be taken immediately if personal information is being or is likely to be disclosed, tampered with or destroyed. Network operators should also establish systems to handle complaints or reports about personal information security, publish the means for individuals to make such complaints or reports, and promptly handle any such complaints or reports received. Organizations deemed CIIOs (see above) must apply additional security safeguards.

The PRC Cybersecurity Law implemented a multi-level protection scheme for the cybersecurity protection of information systems by network operators. Information systems are classified into 5 tiers, and the required security standard rises from tier 1 to tier 5. Organizations should conduct a self-evaluation and determine the tier(s) to which their information systems belong, based on relevant laws, regulations and guidelines, including the Classification Guide for Classified Protection of Information System. Filing with the Public Security Bureau is required and, in certain circumstances, assessment by an accredited third party may also be required, depending on the tier determined for the respective information system. Further guidelines and draft measures have been published recently to provide further details and requirements on the process and technical aspects of the tiered system.

If a data controller appoints a data processor to process personal information on its behalf, the data controller should ensure sufficient measures are adopted by the data processor to protect the personal information: for example, by conducting due diligence and regular audits on the data processor to ensure it adopts sufficient and adequate security measures, and by putting in place an appropriate data processing agreement with the data processor.

Last modified 4 Jan 2019
Breach Notification

The PRC Cybersecurity Law introduced a general requirement for the reporting and notification of actual or suspected personal information breaches. Where personal information is leaked, lost or distorted (or if there is a potential for such incidents), organizations must promptly take relevant measures to mitigate any damage and notify relevant data subjects and report to relevant government agencies in a timely manner in accordance with relevant provisions.

The PRC Cybersecurity Law does not prescribe a timeline for reporting personal information breaches or security incidents. However, the PIS Specification and other guiding circulars (such as the National Network Security Incident Contingency Response Plan) provide some guidelines on the reporting and notification of personal information breaches or security incidents.

Organizations should also adopt proactive measures to minimize the risk of personal information breaches or security incidents, including but not limited to, formulating a contingency plan, organizing trainings and conducting regular contingency drills.

Last modified 4 Jan 2019
Enforcement

Possible enforcement of, and sanctions for, a data protection breach in the PRC will depend on the specific data protection laws and regulations breached. Sanctions in relation to data protection breaches are scattered across various different laws and regulations, and the measures described below may not be comprehensive in all situations, as additional laws or regulations may be applicable depending on the industry or type of information at hand.

Typically, it would be a graded approach: a warning and a requirement to comply, then possibly fines of up to approximately RMB 500,000. Affected individuals may also potentially claim for indemnification under the Tort Liability Law. In severe cases, breaches may lead to higher fines being imposed or the revocation of a license. Responsible personnel could be prohibited from engaging in the relevant business, and their conduct could be recorded in their social credit files. Depending on the severity of the illegal conduct, the responsible person could also be subject to detention or up to seven years of imprisonment, plus a concurrent fine on the organization if applicable.

The enforcement environment is evolving rapidly as individuals become increasingly aware of their data protection rights and as data protection obligations expand with the development and addition of laws in China. For example, the PRC Cybersecurity Law provides for ordering corrections, issuing warnings, confiscating illegal gains and imposing fines of up to 10 times the illegal gains (or fines of up to RMB 1,000,000 where there is no illegal gain) upon discovery of a violation in the handling of personal information. The responsible persons may also be fined between RMB 10,000 and RMB 100,000.

Last modified 4 Jan 2019
Electronic Marketing

Direct marketing by electronic means is only possible if the targeted consumers have explicitly consented to receiving such messages either at the time their electronic address/mobile phone number was collected or at a later time.

Specific information must be stated in each electronic message: for example, the identity of the entity sending the message, and a mark identifying the message as an advertisement (the word "advertisement" in Chinese, or "AD").

There are also specific rules applicable to direct marketing by text message (SMS), and certain prescribed information must be provided to data subjects at the time their mobile phone number is collected or prior to sending direct marketing text messages.

Last modified 4 Jan 2019
Online Privacy

The PRC Cybersecurity Law, Consumer Protection Law and E-Commerce Law offer similar protection to consumer/user personal information. Data controllers should strengthen the management of information provided by users, prohibit the transmission of unlawful information, take necessary measures to remove any infringing content and then report to the supervisory authorities. Sufficient notice and adequate consent should be obtained from data subjects prior to the collection and use of personal information. Further obligations are imposed on mobile app providers, including but not limited to conducting real-name identification and undertaking information content review.

Under the PRC Cybersecurity Law, Consumer Protection Law, E-Commerce Law and the PIS Specification, data subjects have specific rights, such as the right to access their data, to have their data corrected, to request deletion of data in the event of a data breach, and to de-register their account.

There are currently no specific requirements regarding cookies within existing laws or regulations in the PRC. However, the use of cookies and/or similar tracking technologies, to the extent they constitute processing of personal information, should be notified to data subjects as part of a privacy policy and adequate consent should be obtained from data subjects for such use.

Last modified 4 Jan 2019
Contacts
Scott Thiel
Partner & Co-Chair of Asia-Pac Data Protection and Privacy Group
T +852 2103 0519
Carolyn Bigg
Of Counsel
T +852 2103 0576
Last modified 4 Jan 2019