
Jurisdiction snapshot

Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?

China does not have a comprehensive national law that specifically addresses the collection, storage, transmission and use of personal information. Rather, a piecemeal approach to data protection is taken, with provisions found in the Constitution, telecommunications regulations, criminal law, tort law, consumer rights law and elsewhere. China has not signed any treaties with the European Union or any other sovereign state on data protection, and is not a member of the Cross-border Privacy Enforcement Arrangement or the Asia-Pacific Privacy Authorities.

Are any changes to existing data protection legislation proposed or expected in the near future?

A draft Privacy Law was prepared and circulated in 2003. The draft law was added to the five-year legislative plan in 2009. However, there are no indications that the draft law will be enacted in the immediate future.

China has recently taken significant steps to develop its data protection law. For example, the draft Cybersecurity Law was released last year for public comment and is expected to be passed in the near future.

Legal framework

Legislation
What legislation governs the collection, storage and use of personal data?

The various laws, regulations and guidelines that address the protection of personal information include:

  • the draft Cybersecurity Law;
  • the Decision on Strengthening Protection of Network Information;
  • the Law on the Protection of Consumer Rights and Interests;
  • the Measures for the Administration of Online Transactions;
  • the Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems – these are voluntary, non-binding standards jointly issued by the General Administration of Quality Supervision, Inspection and Quarantine and the Standardisation Administration in 2012 to provide guidance on enforcement actions and litigation for the protection of personal information;
  • the Provisions on Protecting the Personal Information of Telecommunications and Internet Users;
  • Several Provisions on Regulating the Market Order of Internet Information;
  • the Medical Records Administration Measures of Medical Institutions;
  • the Measures for Administration of Population Health Information;
  • the Measures for the Administration of Internet Email Services;
  • the Standards for the Assessment of Internet Enterprises' Protection of Personal Information, which are not binding; and
  • the Administrative Provisions on Short Message Services.

Scope and jurisdiction
Who falls within the scope of the legislation?

Any entity (other than a government authority) that collects, stores, uses and processes personal information within the territory of China is subject to the legislation.

What kind of data falls within the scope of the legislation?

There is no consistent definition of ‘personal information’ under the legislation.

The Provisions on Protecting the Personal Information of Telecommunications and Internet Users stipulate that ‘personal information’ is data collected by telecommunication business operators and internet information service providers in the course of their activities that can be used – either individually or in combination with other data – to identify a user. Examples include a user’s name, date of birth, identification number, address, telephone number, service identification and password, and tracking information on when and where the user uses the services.

The Notice of the Supreme People’s Court, the Supreme People’s Procuratorate and the Ministry of Public Security on Legally Punishing Criminal Activities Infringing upon the Personal Information of Citizens provides that ‘personal information’ includes the name, age, identification number, marital status, location of work, educational background, curriculum vitae, home address, phone number and other information or data that can be used to identify an individual.

Key definitions under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems include the following:

  • ‘Personal information’ is computer data that:
    • can be processed using information systems;
    • relates to a specific natural person; and
    • can be used – either independently or in combination with other data – to identify a specific natural person.
  • Personal information can be classified as sensitive personal information or general personal information.
  • ‘Sensitive personal information’ is personal information that could have an adverse effect on the data subject if it were leaked or modified. What constitutes sensitive personal information in different industries shall be determined according to the consent of the data subjects who receive the services and the nature of the various industries. For example, sensitive personal information may include identification numbers, mobile phone numbers, racial/ethnic origin, political opinions, religious beliefs, genes, fingerprints and so on.
  • ‘General personal information’ refers to any personal information other than sensitive personal information.

Are data owners required to register with the relevant authority before processing data?

No. 

Is information regarding registered data owners publicly available?

Not applicable.

Is there a requirement to appoint a data protection officer?

No. However, under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems, internet companies must appoint a data protection officer.

Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?

China has no single authority responsible for enforcing provisions relating to the protection of personal information.

The Ministry of Industry and Information Technology and the telecommunication administrations at the provincial level are responsible for the supervision and administration of personal information of telecommunication and internet users, pursuant to the Internet Information Service Provisions.

The State Administration for Industry and Commerce and its local counterparts are responsible for the supervision and administration of personal information of consumers, pursuant to the Provisions on Regulating the Market Order of Internet Information Services.

Pursuant to the draft Cybersecurity Law, the national cyberspace administrations are responsible for the planning and coordination of cybersecurity and relevant supervisory and administrative work; while the Ministry of Industry and Information Technology, the public security department and other relevant departments are responsible for the supervision and administration of cybersecurity protection.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Personal information can be collected only for a lawful purpose that directly relates to a function or activity of the data user. The personal information collected must be no more than is necessary for that purpose (or a directly related purpose) – that is, it must not be excessive.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Data users should not retain personal information for longer than is necessary to fulfil the original purpose (or a directly related purpose) of collection, unless deletion of the personal information is prohibited by law.

No specific retention period is specified under Chinese law. To determine the appropriate maximum retention period, a data controller will need to assess each type of personal information that it collects and the purposes of the collection on a case-by-case basis. However, personal information must be deleted upon the expiry of the retention period of which the data subjects were notified when their personal information was collected.

Do individuals have a right to access personal information about them that is held by an organisation?

Telecommunications business operators and internet service providers must provide ways for users to inquire about or correct their personal information. Individuals have the right to request access to personal information held by an organisation, pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems.

Do individuals have a right to request deletion of their data?

Not under the existing legislation; although the Provisions on Protecting the Personal Information of Telecommunications and Internet Users do require that telecommunications operators and internet service providers stop the collection and use of users’ personal information. However, individuals have the right to request deletion of their personal information pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems and the draft Cybersecurity Law.

Consent obligations
Is consent required before processing personal data?

Consent is required for the collection and use of an individual’s personal information pursuant to the Decision on Strengthening Protection of Network Information, the Law on the Protection of Consumer Rights and Interests and the Provisions on Protecting the Personal Information of Telecommunications and Internet Users. However, there are no detailed requirements under current law on the specific form or content of the consent (ie, whether it can be implied or inferred).

Prior express consent is required if the personal information will be used or transferred for direct marketing purposes pursuant to the Decision on Strengthening Protection of Network Information, the Law on the Protection of Consumer Rights and Interests and the Measures for the Administration of Online Transactions.

If the personal information will be used for any other purpose, express consent is also required where the personal information will be used or transferred in a manner that is not covered by the original purpose and scope of collection, unless one of the exemptions applies, pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems.

If consent is not provided, are there other circumstances in which data processing is permitted?

Under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems, even if consent is not provided, personal data can still be processed and used for:

  • purposes specified under certain laws and regulations, such as maintenance of public security;
  • the purposes of academic research or social public interest;
  • the enforcement of administrative authorities according to law; and
  • the enforcement of judicial authorities according to decisions and judgments.

What information must be provided to individuals when personal data is collected?

Under the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, telecommunications operators and internet service providers must provide the following information when they collect personal information:

  • the purpose, method and scope of the information to be collected or used;
  • the ways in which users can inquire about and correct information; and
  • the consequences of failure to provide the information.

Under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems, a data subject must be explicitly informed, prior to the collection of his or her personal information, of:

  • the purposes for which the personal information is being collected, used and processed;
  • the method and the scope of collection, use and processing;
  • the period for which the personal information will be retained;
  • the personal information protection measures in place;
  • relevant information regarding the data controller, such as its name, address and contact information;
  • any risks relating to the disclosure of personal information;
  • the consequences of failure to provide personal information;
  • the channels for checking and correcting personal information and filing a complaint; and
  • information relating to the transfer of personal information (eg, purpose, method and scope of transfer, the scope of use by data recipients, contact information of data recipients).

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Data controllers must take all practicable steps to ensure that the personal information they hold is protected against disclosure, tampering, damage or loss. Should any of these occur, or should there be a risk of them occurring, remedial measures must be taken immediately.

Article 13 of the Provisions on Protecting the Personal Information of Telecommunications and Internet Users imposes the following security requirements on telecommunications operators and internet service providers:

  • Specify the responsibilities of each department, post and branch in terms of managing the security of personal information;
  • Establish the authority of different staff members and agents, review the export, duplication and destruction of information, and take measures to prevent the leak of confidential information;
  • Properly retain the carriers that record users’ personal information, such as hard-copy media, optical media and magnetic media, and take appropriate secure storage measures;
  • Conduct access inspections of the information systems that store users’ personal information, and put in place intrusion prevention, anti-virus and other measures;
  • Record operations performed with users’ personal information, including the staff members who perform such operations, the time and place of such operations and the matters involved;
  • Undertake communications network security protection work as required by the relevant telecommunications authority; and
  • Take other necessary measures as prescribed by the relevant telecommunications authority.

The Provisions on Protecting the Personal Information of Telecommunications and Internet Users also require that telecommunications operators and internet service providers provide staff members with training in the relevant skills and responsibilities relating to the protection of personal information. They must also conduct at least one self-audit of their data protection measures, record the results and promptly eliminate any security risks discovered during the audit.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

There are no national-level requirements regarding notification of breaches. However, under certain local consumer protection regulations, such as those in Shanghai, security breaches must be reported to the data subjects.

The draft Cybersecurity Law provides that in case of disclosure or loss of, or damage to, information, remedial measures must be taken immediately, users who might be affected must be informed and reports must be submitted to the competent departments in accordance with the regulations.

Are data owners/processors required to notify the regulator in the event of a breach?

In the telecommunications and internet sector, if personal information is disclosed or may potentially be disclosed, service providers must take remedial measures immediately. If the incident has or may have serious consequences, the service provider must report it immediately to the relevant telecommunications administrations and cooperate in the investigation carried out by the telecommunications administrations pursuant to the Provisions on Protecting the Personal Information of Telecommunications and Internet Users.

Electronic marketing and internet use

Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?

Under the Decision on Strengthening Protection of Network Information and the Law on the Protection of Consumer Rights and Interests, commercial information cannot be sent to consumers:

  • unless the consumer has requested the information;
  • unless the consumer has consented to receive the information; or
  • if the consumer has expressly refused to receive the information.

Under the Measures for the Administration of Internet Email Services, where an email recipient has clearly consented to receive emails containing commercial advertisements, but later withdraws this consent, the sender must stop sending such emails unless otherwise agreed by both parties. When sending emails containing commercial advertisements, the sender must provide its contact information, including its email address, and a guarantee that this contact information will remain valid for 30 days. 

Under the Administrative Provisions on Short Message Services, SMS providers and short message content providers must not send commercial messages to users without their consent or request, and must explain the type and frequency of the commercial messages that will be sent. A user’s failure to respond will be regarded as a refusal of consent.

Cookies
Are there rules governing the use of cookies?

To the extent that cookies amount to personal information, they will be governed by Chinese law. Otherwise there is no legislation that specifically governs cookies.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

No overarching regulation governs cross-border transfers of personal information, except in specific sectors such as finance, healthcare and telecommunications. 

Article 35 of the second draft Cybersecurity Law provides that “operators of critical information infrastructure must store personal information and important transaction data collected and generated exclusively within the territory of mainland China. If, for legitimate business reasons, the data must be provided to a foreign organization or person outside China, the entity must complete a security evaluation jointly formulated by the National Cyberspace Administration and State Council”. ‘Critical information infrastructure’ includes public communications, broadcasting and television transmission services, energy, transportation, water conservancy, finance, electricity, water and gas supply, medical treatment and healthcare, social security, and computer networks and systems with a large number of users. The details of the security evaluation are not specified.

The non-binding Provisions on Protecting the Personal Information of Telecommunications and Internet Users allow for the cross-border transfer of personal information if the data subjects have expressly consented or if the transfer has been approved by the administration authorities or by national laws and regulations.

Are there restrictions on the geographic transfer of data?

Not other than in the cross-border context.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Consent must be obtained from the data subjects where their personal information will be processed by a third party.

The non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems set out the following requirements where personal information will be transferred to a third party:

  • The personal data must be transferred for and to the extent of the purposes notified to the data subjects when their personal information was collected.
  • Before personal information is transferred to third parties, the data controller must evaluate whether such third parties are capable of processing the information in accordance with the guidelines, and the liability of such third parties in relation to the protection of the personal information must be determined and specified by contract.
  • The data controller must ensure that the personal information will not be accessed by any entity other than the recipient in the course of the transfer.
  • The data controller must ensure that the personal information remains complete, available and up to date in the course of transfer.

Personal information may not be transferred to overseas recipients, including any individual overseas or any organisation or institution registered overseas, unless the data subject has expressly consented, the transfer is explicitly required by law or the competent department has issued its approval.

Penalties and compensation

Penalties
What are the potential penalties for non-compliance with data protection provisions?

Under the Law on the Protection of Consumer Rights and Interests, a company shall incur civil liabilities if it:

  • collects or uses consumers’ personal information without consent;
  • discloses, sells or illegally provides others with consumers’ personal information; or
  • sends commercial information to consumers without their consent or request, or after the consumer has expressly refused consent.

Additionally, the administrations of industry and commerce and their local counterparts may issue a corrective order or warning, confiscate illegal gains and/or impose a fine of between one and 10 times the value of the illegal gains, or up to Rmb500,000 where no illegal gains were made. If the circumstances are severe, the company may be suspended from operations or have its licence revoked.

Violations of the Provisions on Protecting the Personal Information of Telecommunications and Internet Users and the Provisions on Regulating the Market Order of Internet Information Services are subject to corrective orders, warnings, fines of between Rmb10,000 and Rmb30,000 and criminal liabilities.

Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Under civil law and tort law, individuals are expressly entitled to seek compensation for any damage arising from privacy infringements.

Cybersecurity

Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

The Criminal Law covers cybercrime, while the draft Cybersecurity Law covers cybersecurity. 

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

The other statutes that should be considered in this regard are:

  • the National Security Law, issued on July 1 2015; and
  • the Counter-terrorism Law, issued on December 27 2015.

Which cyber activities are criminalised in your jurisdiction?

Cybercrime is covered under the Criminal Law and includes the following offences:

  • illegally accessing computer systems (Article 285);
  • illegally accessing or controlling data held on computer systems (Article 285);
  • providing programs and tools to access or illegally control computer systems (Article 285);
  • destroying computer systems (Article 286); and
  • committing financial crimes using a computer (Article 287).

Which authorities are responsible for enforcing cybersecurity rules?

Pursuant to the draft Cybersecurity Law, the national cyberspace administrations are responsible for the overall planning and coordination of cybersecurity work and relevant supervisory and administrative work; while the Ministry of Industry and Information Technology, the Public Security Department and other relevant departments are responsible for the supervision and administration of cybersecurity protection.

Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Yes, although this is not yet as common as in the United States and the European Union.

Are companies required to keep records of cybercrime threats, attacks and breaches?

No overarching statute requires that such records be kept.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

Pursuant to the draft Cybersecurity Law, upon the occurrence of a cybersecurity incident, network operators must immediately initiate contingency plans, take remedial measures and report to the relevant departments.

Are companies required to report cybercrime threats, attacks and breaches publicly?

No overarching statute imposes any reporting requirements.

Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?

Depending on the cybercrime, the relevant offence may incur a penalty of life imprisonment and/or a maximum fine of Rmb500,000 (Articles 285, 286 and 287 of the Criminal Law). 

What penalties may be imposed for failure to comply with cybersecurity regulations?

Pursuant to the draft Cybersecurity Law, non-compliance may incur penalties such as warnings, corrective orders, fines of up to Rmb1 million and (in worst-case scenarios) withdrawal of a licence.