On 7 November 2016, the PRC's Cyber Security Law was approved by the Standing Committee of the National People's Congress; it will enter into force on 1 June 2017. Once promulgated, the Cyber Security Law attracted widespread attention from all sectors of the community, and a series of concepts immediately became hot topics, such as "cyberspace sovereignty", the "grading protection of cyber security" and "critical information infrastructure".

One of the highlights of the Cyber Security Law is its section concerned with the protection of personal information. A draft of the Personal Information Protection Law was first submitted to the State Council for review in 2008 but never progressed any further. Therefore, before the Cyber Security Law was promulgated, regulations relating to the protection of personal information were scattered across many different laws, regulations and regulatory documents, including the Tort Law, the Criminal Law, the Penalties for the Violation of Public Security Administration Law, the Consumer Rights and Interests Protection Law and the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection. The Cyber Security Law contains several "first time" highlights for personal information protection which are particularly noteworthy.

1. New legal standards for personal information protection

For the first time, establishing a general legal definition of "personal information" and setting up the basic rules governing personal information protection

Article 76 defines personal information as information recorded by electronic or other means that can be used, either on its own or in combination with other information, to identify an individual natural person, including but not limited to names, dates of birth, ID numbers, personal biometric information, addresses and telephone numbers.

“Personal information”, “personal electronic information”[1], “personal financial information”[2] and other similar definitions are found in a number of different regulations and regulatory documents. The Cyber Security Law for the first time puts the term “personal information” on a legal footing and expands the scope of personal information protection. It is worth noting that all recorded information falls under the scope of personal information protection, regardless of the way it is recorded. Even if information can only identify a person when combined with other information, it still constitutes personal information protected by the Cyber Security Law.

For the first time, expressly providing exceptions to the prohibition on sharing personal information with other parties

The Cyber Security Law provides that, without the consent of the persons whose data is collected, personal information shall not be provided to others. It also expressly provides an exception to this prohibition: if the information has been processed in a way that makes it impossible to identify an individual, and the information cannot be restored, the sharing of such information is not restricted.

Individual consent is usually required in order to collect personal information, and no exceptions are provided. However, if information has been processed so as to make individuals unidentifiable and cannot be restored, there is a low probability of infringing personal rights. By granting this exemption for non-sensitive information, the Cyber Security Law will ensure the legitimacy of companies' data mining and other research conducted with such non-sensitive information, thus encouraging and promoting the development of the data industry and "big data".

For the first time in law, creating requirements regarding the storage location of personal information to ensure national information security

The Cyber Security Law imposes special requirements on critical information infrastructure operators regarding the location of data storage. It requires that personal information and important data gathered during operations in China must be stored in China.

Until now, special requirements regarding the storage location of personal information have only been provided in certain sectors. For example, the People's Bank of China requires personal financial information collected in China to also be stored, processed and analyzed in China, and financial institutions shall not transfer personal financial information collected within China abroad. Due to the lack of explicit regulations defining critical information infrastructure, this provision of the Cyber Security Law increases the potential risk and uncertainty for enterprises when storing personal information.

For the first time in law, comprehensively introducing administrative liability for violations of personal information protection regulations

When a company infringes rights relating to personal information, it will be subject to warnings, confiscation of illegal gains, fines, suspension of the relevant operation, halting of business for rectification, suspension of the website and revocation of business permits or licenses. Among these, the fine imposed on the responsible individuals may be up to CNY 100,000, and on network operators up to CNY 1,000,000.

Before the promulgation of the Cyber Security Law, penalties for violations relating to personal information protection were found in various independent laws, regulations and regulatory documents, including the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection, the Criminal Law, the Penalties for the Violation of Public Security Administration Law and the Consumer Rights and Interests Protection Law. Compared with these previous provisions, the fine limit for violations of the Cyber Security Law has increased significantly. Additionally, in comparison with the Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection, the Cyber Security Law provides for fines imposed on responsible individuals and expressly provides for several kinds of penalties for severe violations relating to personal information. Such penalties include the suspension of the relevant operation, suspension of business for rectification, and the revocation of business licenses.

2. Systematic regulations for compliance with personal information collection

Chapter 4 of the Cyber Security Law consolidates the general provisions regarding personal information protection previously scattered across many laws and regulations and creates systematic regulation for the collection and use of personal information. For your reference, we summarize these provisions below.

Types of Rules | Content
--- | ---
Basic Principles | When network operators collect and use personal information, they shall abide by the principles of lawfulness, legitimacy and necessity.
Information Collection | (a) Disclose the rules for information collection and use; (b) expressly state the purpose, manner and scope of information collection and use; (c) obtain the consent of the persons whose personal information is gathered.
Information Use: Scope of Use | Network operators shall strictly maintain the confidentiality of personal information, and shall not provide such personal information to others, except information which has been irrevocably processed so that specific individuals cannot be identified.
Information Use: Manner of Use | Network operators shall adopt technical and other necessary measures to ensure the security of the personal information they collect and to prevent such information from being divulged, tampered with or destroyed.
Information Processing | Network operators shall process the personal information they keep in accordance with the provisions of laws and administrative regulations and their agreements with users.

3. More comprehensive protection for personal information

By establishing basic rules for personal information protection, the Cyber Security Law expands the range of rights relating to personal information in several ways, thereby providing more comprehensive protection for personal information.

Expanding citizens’ right to know

Articles 22 and 42 of the Cyber Security Law provide that when personal information has been or may be divulged, tampered with or destroyed, or when risks such as security defects or bugs are found in network products or services, network operators or providers of network products and services shall immediately inform users of these risks.

Therefore, when enterprises need to collect and use personal information, they should not only disclose their rules, purpose, manner and scope of information collection and use, but also pay attention to fulfilling their legal obligation to immediately inform users of potential risks when those risks have occurred or are likely to do so, so that users can take measures to reduce potential damage. Accordingly, enterprises may need to improve their internal crisis management mechanisms, focusing closely on information security to ensure a prompt and effective response to emergencies.

Affirming the right to delete divulged information

Article 43 of the Cyber Security Law provides that where network operators violate the provisions of laws or the agreements mutually concluded regarding personal information collection and use, individuals are entitled to require the network operators to delete such information. The rationale behind the establishment of the right to delete by the Cyber Security Law is consistent with the principles of legitimacy and necessity in information collection and use: if either the provisions of laws or the scope and term of collecting and using information agreed by both parties are violated, enterprises lose any plausible reason for retaining and using such information and shall delete it. Therefore, for legal compliance purposes, when enterprises draw up terms on personal information collection and use in contracts, they should pay full attention to the agreed terms and design their internal processes accordingly, in order to lower the potential risk.

Establishing the right to remedy incorrect information

Article 43 of the Cyber Security Law provides that if individuals find errors in their personal information collected or stored by network operators, they are entitled to require the network operators to make corrections.

Before the Cyber Security Law, such rights were provided only in certain specific fields in China. For example, the Tentative Measures for the Administration of Personal Credit Information Basic Database provide that an individual is entitled to submit an objection application to the credit information service center to correct their credit information.[3] The Cyber Security Law now provides individuals with the right to correct erroneous personal information in a broader sense.

4. Still a long way to go for corporate compliance

Since "network operators" are the regulated entities subject to the relevant personal information protection provisions of the Cyber Security Law, and the definitions of "network operators"[4] and "network"[5] are so broad, no particular operators can easily be excluded from the scope of application without further practical guidance. In other words, regarding personal information protection in law, the range of regulated subjects under the Cyber Security Law is broader than ever.

For the first time, the Cyber Security Law systematically affirms the relevant provisions on personal information protection in law, strengthens legal liability and imposes higher requirements on network operators regarding personal information collection and use. However, how some provisions will operate in practice still needs clarification, which also brings new challenges to the establishment and optimization of internal information security management mechanisms in corporations. Moreover, the absence in the Cyber Security Law of a particular regulatory authority responsible for personal information protection also adds, to some extent, to the uncertainty of law enforcement.

From the perspective of compliance, enterprises should pay adequate attention to personal information protection. Enterprises may formulate contracts and other relevant policies with their users and other third parties regarding personal information collection and use. Enterprises may also keep an eye on the latest developments in relevant legislation to ensure their compliance management. The director of the Network Security Coordination Bureau of the Cyberspace Administration of China said recently that the formulation of normative standards on personal information collection is in progress, for better protection of personal information. Thus, it is foreseeable that enterprises will encounter stricter regulation when collecting or using personal information in the future. We will also closely monitor the development of legislation and law enforcement relating to personal information protection.