Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Data controllers must take all practicable steps to ensure that the personal information they hold is protected against disclosure, tampering, damage or loss. Should any of these occur, or should there be a risk of them occurring, remedial measures must be taken immediately.

Article 13 of the Provisions on Protecting the Personal Information of Telecommunications and Internet Users imposes the following security requirements on telecommunications operators and internet service providers:

  • Specify the responsibilities of each department, post and branch in terms of managing the security of personal information;
  • Establish the authority of different staff members and agents, review the export, duplication and destruction of information, and take measure to prevent the leak of confidential information;
  • Properly retain the carriers that record users’ personal information, such as hard-copy media, optical media and magnetic media, and take appropriate secure storage measures;
  • Conduct access inspections of the information systems that store users’ personal information, and put in place intrusion prevention, anti-virus and other measures;
  • Record operations performed with users’ personal information, including the staff members who perform such operations, the time and place of such operations and the matters involved;
  • Undertake communications network security protection work as required by the relevant telecommunications authority; and
  • Take other necessary measures as prescribed by the relevant telecommunications authority.

The Provisions on Protecting the Personal Information of Telecommunications and Internet Users also require that telecommunications operators and internet service providers provide staff members with training in the relevant skills and responsibilities relating to the protection of personal information. They must also conduct at least one self-audit of their data protection measures, record the results and promptly eliminate any security risks discovered during the audit.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

There are no national-level requirements regarding notification of breaches. However, under certain local consumer protection regulations, such as those in Shanghai, security breaches must be reported to the data subjects.

The draft Cybersecurity Law provides that in case of disclosure or loss of, or damage to, information, remedial measures must be taken immediately, users who might be affected must be informed and reports must be submitted to the competent departments in accordance with the regulations.

Are data owners/processors required to notify the regulator in the event of a breach?

In the telecommunications and internet sector, if personal information is disclosed or may potentially be disclosed, service providers must take remedial measures immediately. If the incident has or may have serious consequences, the service provider must report it immediately to the relevant telecommunications administrations and cooperate in the investigation carried out by the telecommunications administrations pursuant to the Provisions on Protecting the Personal Information of Telecommunications and Internet Users.

Click here to view the full article.