Law and the regulatory authority
Legislative framework
Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?
The legal framework governing the protection of PII in the People’s Republic of China (the PRC, or China) is undergoing rapid development. No single overarching data protection law has been promulgated. Instead, data protection-related legal provisions are distributed among various laws, regulations, implementing measures and other guidance, including industrial sector-specific rules and industrial standards. In China, laws are generally promulgated by China’s highest-level legislative body, while regulations and other implementing measures are promulgated by the State Council (the highest-level administrative body) and designated administrative authorities.
The PRC’s legal framework for data protection is principally encompassed by the umbrella laws listed below.
- The Decision on Strengthening the Protection of Online Information, promulgated by the Standing Committee of the National People’s Congress (effective 28 December 2012, the 2012 NPC Network Decision), which codifies several essential principles of PII protection, establishing a general framework which has since supported the development of more detailed laws and regulations.
- The General Provisions of the Civil Law (effective 1 October 2017, the Civil Law), which recognises an individual’s rights over personal information as constituting fundamental civil rights.
- The Tort Liability Law (effective 1 July 2010), which accords tort liability for infringement on the privacy rights of PRC citizens.
- The Criminal Law, in particular the 7th and 9th Amendments (effective from 28 February 2009 and 1 November 2015 respectively), which imposes criminal penalties on individuals or organisations for certain violations of data protection laws and regulations, encompassing infringement on PII.
- The Cyber Security Law (effective 1 June 2017), which consolidates data protection provisions previously distributed among different rules, as well as imposing new protection requirements such as security assessments for transfers of personal information outside of the PRC.
In addition to the key laws described above, certain national technical standards also furnish relevant guidance. The most influential of such standards include the Information Security Technology - Guidelines for Personal Information Protection within Information System for Public and Commercial Services (GB/Z 28828-2012) (effective 1 February 2013, the Data Protection Guidelines); and the Information Security Technology - Personal Information Security Specifications (GB/T 35273-2017) (effective 1 May 2018, the PI Security Specifications), each of which comprises non-mandatory, national-level technical standards governing personal information processing activities of an individual or organisation that oversees personal information administration, and which may be relied upon by any Chinese governmental authority when evaluating the preparedness and performance of a company that handles the PII of a PRC citizen. In essence, these guidelines furnish non-binding recommended best practices and managerial and technical standards.
Other laws and regulations, including industrial sector-specific rules in sectors such as banking and finance, consumer protection, credit reporting, healthcare, postal and courier services, telecommunications and the internet, among others, provide relevant guidance to subject individuals and organisations. (See question 7 for an indicative listing of such additional relevant rules.)
Data protection laws in China may be informed by international dialogues on privacy and data protection such as the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, but are not directly founded on them; they accommodate other national imperatives, such as state security, as key objectives in addition to the protection of personal privacy.
Data protection authority
Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.
There is no single regulatory authority in China that exercises sole responsibility for the oversight of China’s data protection law. Broadly speaking, legal authority is divided into criminal and administrative components.
With respect to the criminal legal component, the Ministry of Public Security (the MPS) is the primary law enforcement agency responsible for the investigation of instances where an alleged infringement of PII may involve criminal culpability.
With respect to the administrative legal component, power is allocated among competent authorities or industry-specific regulators, who are assigned responsibility for the regulation of specific industrial sectors. The Cyberspace Administration of China (the CAC), established in 2011, is assigned general responsibility for overseeing cybersecurity protection, including data protection matters, in conjunction with other relevant authorities, including the administrations listed below.
- The China Banking and Insurance Regulatory Commission (the CBIRC). In early 2018, the PRC launched a governmental authority reorganisation reform involving 40 central departments. Pursuant to this reform, the China Insurance Regulatory Commission (the CIRC), the insurance industry regulator, merged with the China Banking Regulatory Commission (the CBRC), the banking industry regulator, together forming a new central regulator, the CBIRC, which is a ministerial-level agency of the central government of the PRC. The CBIRC is supported by the People’s Bank of China (the PBOC), which exercises responsibility for formulating major laws and regulations and basic prudential regulations for the banking and insurance industries.
- The State Market Regulatory Administration (the SMRA). Also in early 2018, the State Administration for Industry and Commerce (the SAIC), the General Administration of Quality Supervision, Inspection and Quarantine (the AQSIQ) and certain other relevant authorities combined to form the SMRA, which is charged with responsibility for the protection of consumers’ rights, including rights in PII.
- The Ministry of Industry and Information Technology (the MIIT), which oversees telecommunications, information technology (IT) and other major industrial sectors.
Such authorities are delegated power to regulate and supervise organisations in the relevant sector, and are also invested with the power to investigate non-compliance with data protection obligations.
Legal obligations of data protection authority
Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
There is no single regulatory authority in China that exercises responsibility for the oversight of China’s data protection law. Among administrative authorities, the CAC is responsible for coordinating with other authorities (the CBIRC, the PBOC, the SMRA, the MIIT, etc.) to oversee and manage network security and data protection matters. However, there is no explicit legal obligation for one government authority to cooperate with another for data protection matters. Further regulations and enforcement practices will likely provide more clarity on the division of authority and cooperation among respective authorities.
Breaches of data protection
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
Organisations and individuals that fail to comply with data protection laws may be subject to investigation, administrative sanctions and civil actions and, in the case of an infraction with serious consequences, criminal penalties.
Administrative sanctions are identified in the specific rules promulgated and implemented by the competent authorities or industry-specific regulators. For example, in the telecommunications sector, if a telecommunications service operator collects PII without consent from an individual, then the MIIT may issue a warning or an order for remediation, and may impose a fine of between 10,000 and 30,000 yuan. In the consumer protection context, if a business operator infringes on the PII of consumers, then the SMRA may issue a warning or an order for remediation, confiscate illegal gains, impose a fine or revoke the operator’s business licence.
Criminal sanctions are specified in the PRC Criminal Law, which prohibits acts such as the illegal sale or provision of PII, as well as the theft or unlawful receipt of PII (whether through purchase, exchange or other means).
Scope
Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
PRC data protection law provides that the state will protect information that is able to identify the identity of individual citizens and information concerning the personal privacy of citizens. The law does not exempt any sector or institution from adherence to the requirements of due process in the performance of their respective offices, and no areas are beyond its scope; provided, however, that a particular aspect of the data protection law may, in some cases, be pre-empted by another law in such areas as national security or policing.
The PI Security Specifications identify certain potential exemptions, pursuant to which data subject consent for the collection and use of PII may not be requisite in the circumstances outlined below:
- matters that are directly related to national security or the security of national defence;
- matters that are directly related to public security, public health or public interest;
- matters that are directly related to the detection of crime, or to the prosecution, trial or enforcement of a judgment in respect of it;
- matters that involve the protection of life, personal property or other material and legitimate interests of the subject individual or related persons, but where obtaining individual consent is impractical;
- if the PII has already been voluntarily disclosed and made public by the subject individual;
- if the PII is to be collected from public information that has been legally disclosed;
- when necessary for the execution or performance of a contract as requested by the subject individual;
- when necessary for the maintenance of a product or service, eg, to detect and deal with the malfunction of a product or service;
- collection by a news agency for the lawful purpose of reporting; and
- collection by an academic research institution for the purpose of statistics or research, and where such PII has been de-identified prior to its publication.
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.
The interception of communications is governed by the PRC Telecommunication Regulations, which prohibit the unlawful interception of communications of other persons by any person or organisation. Lawful interception is permitted, including, for example, the monitoring that a telecommunications network operator is required to carry out over its own network: the operator is obligated to terminate the transmission of illegal content, to maintain records and to report incidents to the relevant government authorities.
Electronic marketing is regulated by the PRC Advertisement Law, the Protection of Consumer Rights and Interests Law, and the Administrative Measures on Internet Email Services (the MIIT Email Measures), as well as certain industry-specific regulations, such as the CBRC’s Measures for the Supervision and Administration of Credit Card Business of Commercial Banks and the CBIRC’s Administrative Measures for Telemarketing of Life Insurance.
Unlawful monitoring and surveillance of individuals is governed by the PRC Postal Law, the PRC Criminal Law and the PRC Telecommunication Regulations, among others.
Other laws
Identify any further laws or regulations that provide specific data protection rules for related areas.
China’s data protection-related legal provisions are distributed among various laws, regulations, implementing measures and other guidance. In addition to certain umbrella laws such as those identified in question 1, industrial sector-specific laws and regulations provide relevant guidance to subject individuals and organisations in numerous discrete areas, including those listed below.
- Banking: for example, the CBRC Circular on the Guidelines for Banking Consumer Protection (effective 30 August 2013); the CBRC Guidelines for Commercial Banks on Management of Information Technology Risks (effective 1 June 2009); the CBRC Guidelines for the Regulation of Information Technology Outsourcing Risks of Banking Financial Institutions (effective 16 February 2013); the PBOC Circular on Doing a Good Job by Banking Financial Institutions in Protecting Personal Financial Information (effective 1 May 2011); and the PBOC Opinion on Further Strengthening the Information Security of Banking Financial Institutions (effective 18 April 2006).
- Consumer Protection: for example, the Protection of Consumer Rights and Interests Law (effective 15 March 2014); the Measures for Punishments against Infringements on Consumer Rights and Interests (effective 15 March 2015); and the Measures on the Administration of Online Trading (effective 15 March 2014).
- Credit Reporting: for example, the Administrative Regulations on the Credit Reporting Industry (effective 15 March 2013); the Circular of the PBOC on Further Intensifying Management of Credit Information Security (effective 2 May 2018); the Administrative Measures for the Basic Databases of Personal Credit Information (effective 1 October 2005); and the Circular on the Relevant Issues on Regulating Commercial Banks’ Obtaining Authorisation to Inquire about Individual Credit Reports (effective 17 November 2005).
- Healthcare: for example, the Prevention and Treatment of Infectious Diseases Law (effective 2 February 1989 and most recently amended 29 June 2013); the Trial Measures for the Administration of Population Health Information (effective 5 May 2014); and the Administrative Provisions on the Medical Records of Medical Institutions (effective 1 January 2014).
- Postal and Courier Services: for example, the Security Measures on the Protection of Users’ Personal Information for Mailing and Courier Services (effective 26 March 2014).
- Telecommunications and the internet: for example, the PRC Telecommunication Regulations (effective 25 September 2000, and most recently amended 6 February 2016); the Administrative Measures for the Protection of International Networking Security of Computer Information Networks (effective 30 December 1997); the Interim Provisions on the Administration of the Development of Instant Messaging Services (effective 7 August 2014); the Several Provisions on Regulating the Market Order for Internet Information Services (effective 15 March 2013); the Notice on Strengthening Administration over Network Access by Mobile Intelligent Terminals (effective 1 November 2013); and the Provisions on Protection of Personal Information of Telecommunication and Internet Users (effective 1 September 2013).
Other significant, relevant legal provisions include the Resident Identity Cards Law (effective 28 June 2003, and most recently amended 1 January 2012), the Protection of Minors Law (effective 1 January 2013), and the Administrative Measures for Records of Individual Social Insurance Rights and Interests (effective 1 July 2011).
PII formats
What forms of PII are covered by the law?
Generally, PRC laws and regulations apply a functional definition to the identification of PII, often including a non-exclusive listing of examples. For example, in the Interpretation on Several Issues regarding Application of Law in Criminal Cases involving Infringement of Citizen’s Personal Information, jointly promulgated by the Supreme People’s Court and the Supreme People’s Procuratorate, PII is defined as ‘information which is recorded electronically or by other means and which, by itself, or together with other information, could be used to identify a citizen or reflect a citizen’s movement, including but not limited to a name, identification number, contact information, home address, bank or other account number and password, property details and track of movements’. Early legislation (eg, the 2012 NPC Network Decision) specified ‘electronic’ media; however, more recent legislation, such as the Cyber Security Law, expressly encompasses any personal data ‘kept in electronic form or any other forms’.
Extraterritoriality
Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?
PRC law does not expressly address the potential extraterritorial reach of the law with respect to PII-related matters. In principle, any organisation or individual, including any foreign entity with or without a legal presence in China, would be subject to PRC data protection laws if it collects, processes or uses the PII of PRC citizens within the territory of China, or if it transfers such data into or out of China. In addition, it should be noted that recent draft legislation has expressly proposed that, in the case of any offshore entity that collects domestic customer PII via the internet or other means, its legal representative or entities in China would be charged with the legal obligations of network operators (see ‘Update and trends’).
Covered uses of PII
Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?
All processing or use of the PII of PRC citizens is covered under various data protection laws and regulations; however, no distinction is drawn between PII controllers and PII processors. Broadly speaking, the law invests each respective citizen with discretionary authority over the distribution and usage of their PII, and obligates each recipient to limit PII use to the scope of permitted usage.
The Data Protection Guidelines and PI Security Specifications provide relevant non-binding, recommended best practices and managerial and technical standards. For example, before a data controller entrusts PII to a third party for processing, it should conduct a security impact assessment to ensure that such data processor has the necessary data security capability. The data processor must strictly abide by the requirements of the data controller on data processing activities and should assist the data controller to fulfil its obligations to the data subject.
Legitimate processing of PII
Legitimate processing – grounds
Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?
The requirement for basing the legitimacy of PII processing on specific grounds is an established theme in PRC law, and recent legislative developments have reflected an increased emphasis on this topic. Data subject consent as a basis for processing legitimacy was originally established in the 2012 NPC Network Decision. Subsequently, the Protection of Consumer Rights and Interests Law restated and expanded this principle. Most recently, the Cyber Security Law has mandated data subject consent as a prerequisite for cross-border data transfer, and more detailed implementing rules are under development (see ‘Update and trends’).
In the dimension of criminal culpability, the Interpretation on Several Issues regarding Application of Law in Criminal Cases involving Infringement of Citizen’s Personal Information, jointly promulgated by the Supreme People’s Court and the Supreme People’s Procuratorate, recognises legal obligations as a mitigating factor in assessing culpability for alleged infringement on PII.
Legitimate processing – types of PII
Does the law impose more stringent rules for specific types of PII?
PRC law imposes relatively more stringent processing rules for specific types of PII, including:
- personal financial information;
- personal credit information; and
- personal health information, as further described below.
Personal financial information (PFI)
The PBOC Circular on Doing a Good Job by Banking Financial Institutions in Protecting Personal Financial Information (effective 1 May 2011) provides an expansive definition of personal financial information (PFI), emphasises the statutory obligation of banking financial institutions to protect PFI, and establishes detailed requirements governing its collection, processing and retention. For the purposes of this rule, PFI encompasses:
- personal identity information;
- personal property information;
- personal account information;
- personal credit information;
- personal financial transaction information;
- derivative information, including personal consumption habits, investment willingness and other information that reflects the circumstances of a certain individual and that is formed by processing or analysing the source information; and
- other personal information obtained or stored in the process of establishing business relationships with individuals.
PFI collected within China must be stored, processed and analysed within China. No transfers of domestic PFI overseas are permitted unless otherwise authorised. Any employees with access to PFI must make confidentiality undertakings in writing before assuming such posts. Where a banking financial institution obtains the written authorisation or consent of a client through standard terms, it must also explicitly warn of the possible consequences of such consent in a prominent location in the agreement, using simple words, and remind the client to consider the above warning when such client signs the agreement. When conducting business through outsourcing, banking financial institutions must assess the ability of outsourcing service suppliers in protecting PFI, and treat such ability as an important indicator for choosing outsourcing service suppliers. In the event of a data breach involving PFI, the relevant banking financial institution must report relevant information as well as preliminary opinions regarding incident management to the local branch of the PBOC within seven working days of the occurrence of discovery.
Personal credit information (PCI)
The Administrative Regulations on the Credit Reporting Industry (effective 15 March 2013) provide detailed guidance with respect to credit information, particularly with respect to adverse personal information that may have a negative impact on the credit status of the individual or entity. Examples include information concerning a failure to perform contractual obligations in such activities as borrowing, purchases on credit, guarantees, leasing, insurance and the use of credit cards; information on administrative punishments; information on court judgments or rulings requiring the individual or entity to perform his, her or its obligations; information on enforcement; and other adverse information specified by the relevant authorities.
Without a data subject’s consent, no PCI may be collected by a credit reporting entity other than such information as is required to be disclosed in accordance with the law. Additionally, any information provider intending to provide a credit reporting entity with any adverse information on any individual must first notify the individual, with the exception of information that is required to be disclosed in accordance with the law. Credit reporting entities are expressly prohibited from collecting personal information in relation to religion, genes, fingerprints, blood type, disease and medical history and other information that is prohibited by law.
The assembly, storage and processing of information collected by a credit reporting entity from within the territory of China must also be carried out within the territory of China. A credit reporting entity may not retain adverse information for more than five years after the date when the corresponding misconduct or adverse event ended, and during this period it must maintain records on any explanation provided by the data subject for such adverse information.
Throughout the storage term, each credit reporting entity must maintain a record of its employees’ access to such individual credit information, including the names of employees who have accessed such information, the time when they accessed such information, the information they accessed, and the purposes for which they accessed such information.
An individual or entity concerned may apply to a credit reporting entity to access information held on themselves. Where an individual or entity deems that there is any error or omission in such information, the individual or entity is entitled to raise an objection and require necessary corrections. An application to a credit reporting entity for access to information on an individual must be subject to the written consent of the individual and agreement between the applicant and individual specifying the purposes for which such information may be used, with the exception of information that may be accessed without the consent of the individual in accordance with law.
Personal health information (PHI)
The Trial Measures for the Administration of Population Health Information emphasise the statutory obligation of PRC health and family planning authorities and service institutions to protect population health information, including PHI, and establish detailed requirements governing collection, processing and retention. For the purposes of these measures, PHI means the health information, medical records and other related information arising from the lawful process of PRC health and family planning services and management. PHI may not be stored on overseas servers (including servers hosted in and leased from foreign countries).
Data handling responsibilities of owners of PII
Notification
Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?
Subsequent to lawful collection, and in the absence of a change with respect to the consented treatment of PII, PRC law does not establish any general obligation to provide notice to or consult with a data subject with respect to collected PII.
The Data Protection Guidelines propose that a consent notice to a prospective data subject should encompass identification of the following:
- the purpose and method of collection;
- the detailed content of collection;
- the retention period;
- the scope of use;
- security measures;
- the data administrator’s contact details;
- the potential risks and consequences if the PII is or is not provided;
- the complaint procedures; and
- anticipated transfers to third parties.
Standards for the evaluation of issues such as change in consented purpose, content, retention period, scope of use, security and other such matters have not received meaningful attention with respect to legislation, litigation or judicial interpretation in China. Accordingly, in the absence of specific contractual provisions, the relevant threshold for a notification obligation would be uncertain. However, draft regulations have been proposed that, if implemented, would require any third party to ensure that relevant consent has been lawfully obtained prior to any overseas data transfer, and would preclude such transfer unless proper consent had been obtained (see question 46).
Exemption from notification
When is notice not required?
Subsequent to lawful collection, and in the absence of a change with respect to the consented treatment of the collected PII, PRC law does not establish a general obligation to provide notice to or consult with a data subject with respect to collected PII.
Control of use
Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?
The Cyber Security Law provides a data subject with the right to request any network operator to correct mistakes in any collected PII, as well as a right to request the deletion of PII in the event of a network operator gathering or using such PII in violation of the provisions of laws and regulations or the agreements between the data subject and network operator.
Data accuracy
Does the law impose standards in relation to the quality, currency and accuracy of PII?
The Data Protection Guidelines establish a principle of quality assurance, which requires that the data administrator must ensure that any PII being processed is confidential, complete, available and up to date. Consonant with this principle, specific rules, including the Cyber Security Law, permit any data subject to inspect and correct or clarify recorded PII in certain circumstances.
Amount and duration of data holding
Does the law restrict the amount of PII that may be held or the length of time it may be held?
In principle, PRC law restricts the collection and use of PII to that which is lawful, legitimate and necessary. With limited exceptions, PRC law does not expressly restrict either the amount of PII that may be held or the length of time it may be held. One exception to this general approach is the credit reporting industry, which mandates that a credit reporting entity may not retain adverse information for more than five years after the date when the corresponding misconduct or adverse event ended (see question 12).
Finality principle
Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?
The ‘finality principle’ has not been adopted in the PRC. There is no express limit on the purposes for which PII may be used, except that such uses must be lawful, legitimate and necessary, and must conform to the purpose notified to and consented to by the data subject.
Use for new purposes
If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?
Unless otherwise permitted by law, any new use of PII for a purpose beyond the scope to which the data subject has consented is prohibited, unless the data subject consents to such new purpose. Standards for the evaluation of issues such as a change in consented purpose and scope of use have not received meaningful attention with respect to legislation, litigation or judicial interpretation in China. Accordingly, in the absence of specific contractual provisions, the relevant threshold for determining that a new purpose has been established would be uncertain.
Security
Security obligations
What security obligations are imposed on PII owners and service providers that process PII on their behalf?
Overarching legislation such as the 2012 NPC Network Decision and the Protection of Consumer Rights and Interests Law establishes a general requirement that enterprises and public institutions must employ both technical and other necessary measures to ensure information security, and to prevent the PII of PRC citizens collected during business activities from being leaked, damaged or lost. The Cyber Security Law materially strengthens PII protection protocols by establishing a robust security assessment apparatus as a prerequisite for cross-border data transfers.
More detailed direction has been promulgated by competent authorities and industry regulators, directing the development and adoption of managerial and technical precautions to prevent the loss, destruction or disclosure of protected information. For example, the Provisions on Protection of Personal Information of Telecommunication and Internet Users provide detailed guidance, requiring that telecommunication operators and internet information services providers must, as a minimum, implement the technical, organisational and other security measures listed below to protect users’ PII:
- determine the PII security management responsibilities of each department, position and branch;
- establish a workflow and security management system for the collection, use and other relevant PII-related activities;
- carry out access management over personnel and agents;
- carry out examinations on the export, reproduction or destruction of information in batches, and implement relevant anti-leakage measures;
- properly store printed, optical and electronic media and other systems for recording PII, and implement corresponding safe storage measures;
- carry out connection examinations for the information system storing PII, and implement relevant anti-hacking and anti-virus measures;
- record the person, time, place, event and other information in connection with any conduct carried out with respect to PII;
- carry out telecommunication network security prevention work pursuant to the requirements of telecommunication authorities; and
- other necessary measures as provided by the telecommunication authorities.
Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?
Overarching legislation such as the 2012 NPC Network Decision and the Protection of Consumer Rights and Interests Law requires that, if it is determined that PII may have been or is leaked, damaged or lost, then responsible enterprises and public institutions are obligated to immediately institute remedial measures. This general approach is repeated in many industry-specific directives, with increasing degrees of specificity. In terms of reporting obligations, some regulations (eg, the Provisions on Protection of Personal Information of Telecommunication and Internet Users) mandate timely notification to the responsible governmental authority. Most recently, the Cyber Security Law mandates that notification be provided to the data subjects in accordance with regulations, without providing further detail. The PI Security Specifications recommend that, when a security incident occurs, the data controller should notify the affected individual by means of email, letter, telephone call or online post. If it is difficult to notify each data subject, a data controller may consider employing a public warning.
Internal controls
Data protection officer
Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?
There is no PRC law or rule of general applicability that mandates the appointment of a data protection officer. But such a requirement, separate and distinct from IT appointments, has been established or proposed in certain guidelines, industry-specific regulations or draft regulations. Examples include the PI Security Specifications, the CBIRC’s Guidelines for the Regulation of the Information System Security of Insurance Companies (for Trial Implementation) and the Trial Measures for the Administration of Population Health Information.
The PI Security Specifications recommend that data controllers appoint a responsible person and establish an internal function for PII protection. If a data controller meets any of the following conditions, a dedicated department should be established and a responsible person appointed to undertake PII protection responsibilities: its main business involves processing PII and it has more than 200 staff who engage in such business; or it processes the PII of more than 500,000 individuals, or projects that it will process the PII of more than 500,000 individuals within 12 months.
Record keeping
Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?
The requirement to maintain internal records and establish internal processes and documentation is established in industry-specific regulations, and particularly emphasised in such areas as banking and finance, credit reporting, health and telecommunications. In addition, it should be noted that recent draft legislation has expressly proposed the establishment of extensive new record-keeping requirements in connection with cross-border PII transfers (see question 46).
New processing regulations
Are there any obligations in relation to new processing operations?
The PI Security Specifications recommend that data controllers conduct an annual personal information security impact assessment in order to periodically evaluate compliance with relevant data security principles, and the impact of the processing activities on the data subjects. In addition, an ad hoc security impact assessment is recommended whenever there is a change in data protection laws, or a material change occurs in the enterprise’s business model, IT system or operational environment, or upon the occurrence of a security incident.
Registration and notification
Registration
Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?
PII owner and PII processor registration with a supervisory authority is not mandated by any generally applicable or industry-specific PRC law or regulation.
Formalities
What are the formalities for registration?
See question 25.
Penalties
What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?
See question 25.
Refusal of registration
On what grounds may the supervisory authority refuse to allow an entry on the register?
See question 25.
Public access
Is the register publicly available? How can it be accessed?
See question 25.
Effect of registration
Does an entry on the register have any specific legal effect?
See question 25.
Other transparency duties
Are there any other public transparency duties?
The PI Security Specifications recommend that data controllers conduct an annual personal information security impact assessment and that the security impact assessment be made available to concerned parties and also be made public in a proper form. However, the PI Security Specifications do not provide further details.
Transfer and disclosure of PII
Transfer of PII
How does the law regulate the transfer of PII to entities that provide outsourced processing services?
No PRC law generally governs PII transfer in the context of outsourced processing services. However, the Cyber Security Law requires that any transfer of PII to third parties is subject to consent by the data subject and, if the outsourcing involves an outbound, cross-border PII transfer, then specific security assessment procedures will apply (see question 34).
Generally, circumstances surrounding the transfer of PII to entities that provide outsourced processing services may vary considerably, depending on the industry and enterprise business model. Industrial regulators (eg, those regulating the banking and finance, public health and insurance industrial sectors) may provide general and specific relevant guidance including, for example, outsourcing of sensitive functionality.
Restrictions on disclosure
Describe any specific restrictions on the disclosure of PII to other recipients.
Other than general requirements as to notice, choice or purpose limitation, and data subject consent, restrictions with respect to disclosure of PII to other recipients are not described in any generally applicable PRC law. Industrial regulators may supplement guidance governing regulated individuals and organisations. Unconsented disclosure of PII to a third party is punishable by criminal and administrative penalties pursuant to applicable law.
Cross-border transfer
Is the transfer of PII outside the jurisdiction restricted?
The cross-border transfer of PII is generally regulated by the Cyber Security Law, as supplemented by relevant industry-specific regulations. Recently promulgated and effective from 1 June 2017, the Cyber Security Law, among other things, establishes a framework aimed at safeguarding PRC citizens’ PII and other important information with respect to cross-border transfers. The precise significance of some provisions is unclear, and specific application may vary dependent on the final form of implementing measures to be published separately (see question 46).
The Cyber Security Law’s PII protection framework includes three principal components: data localisation, consent and pre-transfer security assessment.
- Data localisation: business necessity as a prerequisite for transfer. As a general rule, if PRC citizens’ PII is not required to be transferred overseas, then it should not be transferred.
- Data subject consent: cross-border transfer of PRC citizens’ PII without prior data subject consent is strictly prohibited.
- Pre-transfer security assessment: prior to a PII cross-border transfer, the transferor must complete a security assessment that demonstrates a satisfactory cross-border transfer. In many circumstances, an organisation may complete a self-assessment; however, in the case of large-scale PII transfer operations, the assessment must be accomplished by the competent governmental authority.
In addition to the Cyber Security Law, industry-specific examples of cross-border regulation include the PBOC’s Circular on Doing a Good Job by Banking Financial Institutions in Protecting Personal Financial Information and the Trial Measures for the Administration of Population Health Information, which prohibit cross-border transfers of personal financial information and personal health information respectively.
Notification of cross-border transfer
Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?
See question 34.
Further transfer
If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?
The Cyber Security Law contemplates that PRC citizens’ PII transfers outside of the PRC may be subject to restriction or authorisation. The precise requirements are as yet unclear, and will be dependent on the final form of implementing measures to be published separately (see question 46).
Rights of individuals
Access
Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.
The Data Protection Guidelines state that PII owners should provide data subjects with PII access routinely and free of charge, unless the cost of informing or frequency of request is unreasonable. This principle has not been reiterated in any PRC law of general applicability, although the credit reporting industry has incorporated responsive provisions in relevant regulations. Within the credit reporting industry, a data subject has the right to make an inquiry with the credit reporting agency with respect to their personal information, and has the right to be provided with a credit report from the credit reporting agency twice annually, free of charge (see question 12).
Other rights
Do individuals have other substantive rights?
The Data Protection Guidelines provide that data subjects should be invested with certain substantive rights, including the right to correct inaccuracies, but do not address the specific topic of data subject control over particular kinds of processing, except to the extent of being informed about the intended uses and being accorded a right to withhold consent. The right to correct inaccuracies has been affirmed in certain industrial contexts, including credit reporting, and most recently included in the new Cyber Security Law, which also provides that, if an individual discovers that a network operator has collected or used their PII in violation of the provisions of laws and regulations or of their agreements, they have the right to request that the network operator delete that PII.
Compensation
Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?
Pursuant to the Tort Liability Law, an individual or entity that breaches the law and infringes on or harms a PRC citizen’s PII may assume tortious liability. Under such circumstances, in addition to certain other remedies (eg, cessation of the infringement, apology), a tortfeasor may be subject to payment of monetary damages or compensation. For example, a tortfeasor could be required to pay reasonable costs for medical treatment. However, compensation normally will not be awarded unless losses are actually incurred. In theory, the law also recognises serious mental suffering arising from PII damage or infringement as a basis for compensation. However, in practice, the courts have adopted a conservative approach in such determination, and compensation for mental damages has rarely, if ever, been granted.
Enforcement
Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?
An individual or organisation may file a complaint to the relevant supervisory authority, which may order regulated individuals and organisations to fulfil their obligations to protect personal information. Such authorities typically have a variety of administrative sanctions at their disposal to encourage cooperation, including private and public warnings, fines and, in serious cases, control over licensing and the power to refer a matter for criminal prosecution. However, to obtain monetary compensation or a judicial order to enforce rights in PII, an aggrieved individual or organisation must avail themselves of the PRC court system.
Exemptions, derogations and restrictions
Further exemptions and restrictions
Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.
PRC law does not include any additional general derogations, exclusions or limitations.
Supervision
Judicial review
Can PII owners appeal against orders of the supervisory authority to the courts?
PII owners who are dissatisfied with the orders of a supervisory authority may bring a lawsuit against that supervisory authority before a court. The PRC Administrative Litigation Law and the Interpretations on Several Issues concerning the Implementation of the Administrative Litigation Law promulgated by the Supreme People’s Court provide more detailed guidelines regarding the procedures for the judicial review of administrative orders.
Specific data processing
Internet use
Describe any rules on the use of ‘cookies’ or equivalent technology.
Requirements or standards with respect to the use of cookies have not received meaningful attention in legislation, litigation or judicial interpretation in China. Accordingly, the use of cookies would not be prohibited provided that users are given notice of the cookies’ usage and the particular application does not otherwise violate PRC legal requirements, for example, by collecting PII without consent.
Electronic communications marketing
Describe any rules on marketing by email, fax or telephone.
Electronic communications marketing is generally regulated by national legislation such as the Protection of Consumer Rights and Interests Law and the MIIT Email Measures. Relevant industry regulators such as the CBIRC have also furnished sector-specific regulation. Pursuant to these laws and regulations, the transmission of unsolicited marketing communications is generally prohibited. For example, pursuant to the Protection of Consumer Rights and Interests Law, a company is prohibited from transmitting commercial information to individuals without their consent. The Email Measures specify more detailed requirements providing, for example, that:
- no organisation or individual may send an email containing commercial advertisements without the express consent of the recipient;
- any organisation or individual that does send emails containing commercial advertisement content must mark them with the word ‘advertisement’ or ‘AD’ at the beginning of the email title;
- emails containing commercial advertisements must provide contact information to the receiver to enable them to refuse receipt of further emails; and
- where an email recipient first agrees to receive emails containing commercial advertisement content, but later withdraws such consent, then the email sender must cease sending such emails unless otherwise agreed.
Describe any rules or regulator guidance on the use of cloud computing services.
Requirements or standards with respect to the use of cloud computing services have not yet received extensive attention with respect to legislation, litigation or judicial interpretation in China. PRC laws that emphasise data localisation may impinge on the use of cloud computing services where they impose limitations on cross-border transfer, potentially encouraging technical protective measures such as anonymisation or encryption, and limiting or restricting storage of certain forms of PII to domestic cloud servers physically located within the geographical limits of China.
MIIT issued the draft Notice on Regulating the Business Activities in the Cloud Computing Service Market (published 24 November 2016), which proposes that cloud computing service providers must adopt certain specific measures for the protection of network data and PII, including:
- to establish and publicise rules on the collection and use of PII;
- to adopt security safeguard measures against theft, and ensure data backup;
- to cease the collection and use of PII whenever a user terminates their service;
- for services targeted at domestic customers, to store the servers and data within China and to ensure that any cross-border transfer of data complies with relevant regulations; and
- in the event of a data leakage, to provide customers with timely notification, take effective remedial actions and report to the telecommunications regulator.
Update and trends
Key developments of the past year
Are there any emerging trends or hot topics in international data protection in your jurisdiction?
In recent years, China has witnessed important regulatory developments relating to data protection. High-level legislation establishes a general framework which, in turn, is supported by a set of relatively more detailed implementing measures. However, the precise application of certain provisions of this law is somewhat unclear, and could vary depending on the final form of implementing measures that are to be promulgated separately by respective, relevant authorities.
Recent key developments include publication of:
- Draft Measures for the Security Assessment of Outbound Transfer of Personal Information (Draft Cross-Border PI Transfer Measures);
- Draft Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment (Draft Cross-Border Data Transfer Guidelines);
- Draft Revised PI Security Specifications;
- Draft Measures for the Administration of Data Security; and
- Draft Provisions on the Network Protection of Children’s PII.
Draft Cross-Border PI Transfer Measures
The Draft Cross-Border PI Transfer Measures were released for public comment on 13 June 2019. As compared with the preceding draft released in April 2017, the newly revised Draft Cross-Border PI Transfer Measures propose expanded and more detailed restrictions with respect to cross-border PI transfer. For example:
- Prior to transferring PI overseas, any network operator will be required to file a security assessment with the local provincial branch of CAC for review. A separate security assessment is required for each and every intended PI recipient, but would not be required for sequential or continuous transmissions to the same, single recipient.
- In connection with such security assessment, the network operator must enter into a contract with any overseas recipient of a cross-border PI transfer specifying, among other things, that the data subject is the beneficiary of the contract provisions relating to the rights and interests of data subjects, and that the data subject has the right to seek indemnification from the network operator or the overseas recipient. A copy of the contract is to be provided to the data subject upon request.
- CAC provincial branch security assessment reviews are intended to be completed within 15 working days of receipt of a completed report, extendable due to the complexity of relevant circumstances. If the security assessment establishes that the cross-border PI transfer is likely to undermine national security or harm public interest, or if it is difficult to effectively guarantee the security of the personal information, it will be prohibited. Such adverse determination will be appealable to the national cyberspace department.
- A new security assessment is required every two years or when the purpose, type or overseas retention period related to the cross-border transfer of PI changes.
- Network operators are required to establish and maintain detailed records of any cross-border PI transfers for a period of at least five years, as well as providing incident and annual reports to the CAC provincial branch, and are subject to inspections organised by the CAC provincial branch.
- If any offshore entity collects domestic customer PI via the internet or other means, its legal representative or entities in China are charged with the legal obligations of network operators.
In May 2017, the Draft Cross-Border Data Transfer Guidelines were released for public comment, proposing detailed guidance with regard to the process, key factors and methodology of the security assessment, supporting implementation of the relatively conceptual Draft Cross-Border PI Transfer Measures. In light of the most recent substantial revision to the Draft Cross-Border PI Transfer Measures, it is anticipated that a correspondingly updated version of the Draft Cross-Border Data Transfer Guidelines will be published in due course.
Draft Revised PI Security Specifications
On 1 February 2019, a draft revision of the recently promulgated PI Security Specifications was released for public comment. These Draft Revised PI Security Specifications would enhance PII protection standards in a number of aspects. For example, network operators would be required to distinguish the basic business functions of a product from the expanded business functions thereof, and the PII to be collected in each function. If a PII subject does not consent to the collection of PII necessary for basic business functions, the network operator may refuse to provide such basic business functions to such PII subject. If the PII subject does not consent to the collection of PII necessary for expanded business functions, the network operator may not refuse to provide basic business functions or reduce the service quality of basic business functions. Where a third party is granted access to the platform of the network operator, including access to collect PII, the network operator must establish access management for third-party products, specify the security responsibilities of and measures to be taken by such third party, and supervise the third party to strengthen PII security management.
Draft Measures for the Administration of Data Security
On 28 May 2019, the CAC released the Draft Measures for the Administration of Data Security for public comment. The new draft incorporates some of the non-binding requirements specified in the PI Security Specifications (and the Draft Revised PI Security Specifications), and also introduces new measures to support the protection of ‘important data’.
Among other things, these draft new measures propose stringent requirements for network operators that collect ‘important data’ and sensitive PII for ‘operational purposes,’ including the designation of a responsible person for data security, who must have experience in relevant management functions and have professional knowledge of data security, and who will report directly to the main responsible person of the network operator. The network operator is also required to report data collection and data use policies and practices (excluding the data itself) to the local CAC. Precise determination of the intended meaning and scope of the key terms ‘operational purposes’ and ‘sensitive PII’ remains unclear; however, if enacted, this new draft will likely impose extensive new reporting obligations on network operators.
In addition, the Draft Measures for the Administration of Data Security also require network operators to specify data security requirements and responsibilities that are applicable to any third parties that have access to their platforms to collect data, and to procure and supervise such third parties with respect to data security management. If any security incident occurs involving such third parties that results in losses to users, the network operator would be held fully or partially liable for such losses, unless it can prove the absence of any ‘fault’ on its part.
Draft Provisions on the Protection of Children’s PII Online
On 30 May 2019, the CAC released the Draft Provisions on the Protection of Children’s PII Online for public comment, addressing important issues relating to the protection of the PII of any ‘child’, defined as an individual under the age of 14. Specific provisions relating to data protection issues particular to children include: the requirement that all network operators must adopt policies and user agreements specifically for the protection of children’s PII; the requirement that ‘explicit consent’ must be obtained from a guardian prior to the collection or use of children’s PII; the requirement that network operators must appoint a data protection officer or designate someone responsible for children’s PII protection; as well as the requirement that children’s PII must be encrypted prior to storage.