Jurisdiction snapshot
Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?
China does not have a single over-arching national law that specifically addresses the collection, storage, transmission and use of personal information. Rather, a piecemeal approach to data protection is taken, with provisions found in the Constitution, the Cybersecurity Law, telecommunications regulations, criminal law, tort law, consumer rights law and elsewhere. In particular, the Cybersecurity Law that came into operation on June 1 2017, along with its supplementary measures, broadly regulates the collection, storage, transmission and use of personal information by network operators and critical information infrastructure operators. Unlike the regulatory regimes of many other Asia-Pacific countries, China's Cybersecurity Law imposes strict data localisation requirements and cross-border transfer restrictions on personal information and important data. However, China has not signed any treaties with the European Union or any other nation on data protection. China is also not a member of the Cross-border Privacy Enforcement Arrangement or the Asia-Pacific Privacy Authorities.
Are any changes to existing data protection legislation proposed or expected in the near future?
A draft Privacy Law was prepared and circulated in 2003. The draft law was added to the five-year legislative plan in 2009. However, there are no indications that the draft law will be enacted in the immediate future.
Currently, China is still taking a piecemeal approach and has recently taken significant steps to develop its data protection laws. For example, the Cybersecurity Law was passed in November 2016 and came into effect on June 1 2017, and regulatory measures are being periodically issued to supplement its provisions. Further, on May 9 2017, the Supreme People's Court and the Supreme People's Procuratorate of China issued the Interpretation on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens' Personal Information.
Legal framework
Legislation
What legislation governs the collection, storage and use of personal data?
The various laws, regulations and guidelines that address the protection of personal information include:
- the Cybersecurity Law;
- Security Assessment Measures for Cross-border Data Transfer of Personal Information and Important Data;
- the Decision on Strengthening Protection of Network Information;
- the Law on the Protection of Consumer Rights and Interests;
- the Measures for the Administration of Online Transactions;
- the Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems – these are voluntary, non-binding standards jointly issued by the General Administration of Quality Supervision, Inspection and Quarantine and the Standardisation Administration in 2012 to provide guidance on enforcement actions and litigation for the protection of personal information;
- the Provisions on Protecting the Personal Information of Telecommunications and Internet Users;
- Several Provisions on Regulating the Market Order of Internet Information;
- the Medical Records Administration Measures of Medical Institutions;
- the Measures for Administration of Population Health Information;
- the Measures for the Administration of Internet Email Services;
- the Standards for the Assessment of Internet Enterprises' Protection of Personal Information, which are not binding; and
- the Administrative Provisions on Short Message Services.
Scope and jurisdiction
Who falls within the scope of the legislation?
Network operators and operators of critical information infrastructure fall within the scope of the Cybersecurity Law. Network operators are defined broadly in the law as owners or managers of networks and providers of network services, a definition that could potentially apply to any entity that uses IT systems in China or operates a Chinese website, irrespective of its industry.
What kind of data falls within the scope of the legislation?
'Personal information' is broadly defined in the Cybersecurity Law to mean various types of information recorded in electronic or other formats, used alone or in combination with other information to recognise the identity of a natural person, including names, dates of birth, identification numbers, biological data, addresses and telephone numbers.
The Provisions on Protecting the Personal Information of Telecommunications and Internet Users stipulate that ‘personal information’ is data collected by telecommunication business operators and internet information service providers in the course of their activities that can be used – either individually or in combination with other data – to identify a user. Examples include a user’s name, date of birth, identification number, address, telephone number, service identification and password, and tracking information on when and where the user uses the services.
The Notice of the Supreme People’s Court, the Supreme People’s Procuratorate and the Ministry of Public Security on Legally Punishing Criminal Activities Infringing upon the Personal Information of Individuals provides that ‘personal information’ includes the name, age, identification number, marital status, location of work, educational background, curriculum vitae, home address, phone number and other information or data that can be used to identify an individual.
Key definitions under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems include the following:
- ‘Personal information’ is computer data that:
  - can be processed using information systems;
  - relates to a specific natural person; and
  - can be used – either independently or in combination with other data – to identify a specific natural person.
  Personal information can be classified as sensitive personal information or general personal information.
- ‘Sensitive personal information’ is personal information that could have an adverse effect on the data subject if it were leaked or modified. What constitutes sensitive personal information in different industries shall be determined according to the consent of the data subjects who receive the services and the nature of the various industries. For example, sensitive personal information may include identification numbers, mobile phone numbers, racial/ethnic origin, political opinions, religious beliefs, genes, fingerprints and so on.
- ‘General personal information’ refers to any personal information other than sensitive personal information.
Are data owners required to register with the relevant authority before processing data?
No.
Is information regarding registered data owners publicly available?
Not applicable.
Is there a requirement to appoint a data protection officer?
No. However, under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems, internet companies must appoint a data protection officer.
Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?
China has no single authority responsible for enforcing provisions relating to the protection of personal information.
Under the Cybersecurity Law, the Cyberspace Administration of China is responsible for the planning and coordination of cybersecurity and relevant supervisory and administrative work, while the Ministry of Industry and Information Technology, the public security department and other relevant departments are responsible for the supervision and administration of cybersecurity protection.
The Ministry of Industry and Information Technology and the telecommunication administrations at the provincial level are responsible for the supervision and administration of personal information of telecommunication and internet users, pursuant to the Internet Information Service Provisions.
The State Administration for Industry and Commerce and its local counterparts are responsible for the supervision and administration of personal information of consumers, pursuant to the Provisions on Regulating the Market Order of Internet Information Services.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Under the Cybersecurity Law, network operators may only collect, store, process, disclose and use personal information if individuals are notified of the purpose, manner and scope of such activities, and have consented to it.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
No specific retention period is specified under Chinese law. To determine the appropriate maximum retention period, a data controller will need to assess each type of personal information that it collects and the purposes of the collection on a case-by-case basis. However, personal information must be deleted upon the expiry of the retention period of which the data subjects were notified when their personal information was collected.
Do individuals have a right to access personal information about them that is held by an organisation?
Telecommunications business operators and internet service providers must provide ways for users to inquire about or correct their personal information. Individuals have the right to request access to personal information held by an organisation, pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems.
Do individuals have a right to request deletion of their data?
Yes. Under the Cybersecurity Law, if an individual discovers that a network operator collects and uses his or her personal information in a manner that violates laws or administrative regulations or the agreement between the parties, he or she has the right to demand that the network operator delete his or her personal information. Additionally, if he or she discovers errors in the personal information collected and stored by the network operator, he or she has the right to demand that the network operator correct the information. The network operator is required to take measures to delete or correct the information accordingly. Individuals also have the right to request deletion of their personal information pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems.
Consent obligations
Is consent required before processing personal data?
Yes. Under the Cybersecurity Law, a network operator must obtain the consent of an individual for the collection and use of their personal information.
Consent is required for the collection and use of an individual’s personal information pursuant to the Decision on Strengthening Protection of Network Information, the Law on the Protection of Consumer Rights and Interests and the Provisions on Protecting the Personal Information of Telecommunications and Internet Users. However, there are no detailed requirements under current law on the specific form or content of the consent (ie, whether it can be implied or inferred).
Prior express consent is required if the personal information will be used or transferred for direct marketing purposes pursuant to the Decision on Strengthening Protection of Network Information, the Law on the Protection of Consumer Rights and Interests and the Measures for the Administration of Online Transactions.
If the personal information will be used for any other purpose, express consent is also required where the personal information will be used or transferred in a manner that is not covered by the original purpose and scope of collection, unless one of the exemptions applies, pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems.
If consent is not provided, are there other circumstances in which data processing is permitted?
Yes. Under the Cybersecurity Law, data processing is permissible if the personal information is anonymised and cannot be restored to its original state.
Under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems, even if consent is not provided, personal data can still be processed and used for:
- purposes specified under certain laws and regulations, such as maintenance of public security;
- the purposes of academic research or social public interest;
- the enforcement of administrative authorities according to law; and
- the enforcement of judicial authorities according to decisions and judgments.
What information must be provided to individuals when personal data is collected?
Under the Cybersecurity Law, network operators collecting and using individuals' personal information must inform them of the purpose, manner and scope for the collection and use, and obtain consent for such collection and use. Network operators must also make their policies on the collection and use of personal information publicly accessible.
Under the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, telecommunications operators and internet service providers must provide the following information when they collect personal information:
- the purpose, method and scope of the information to be collected or used;
- the ways in which users can inquire about and correct information; and
- the consequences of failure to provide the information.
Under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems, a data subject must be explicitly informed, prior to the collection of his or her personal information, of:
- the purposes for which the personal information is being collected, used and processed;
- the method and the scope of collection, use and processing;
- the period for which the personal information will be retained;
- the personal information protection measures in place;
- relevant information regarding the data controller, such as its name, address and contact information;
- any risks relating to the disclosure of personal information;
- the consequences of failure to provide personal information;
- the channels for checking and correcting personal information and filing a complaint; and
- information relating to the transfer of personal information (eg, purpose, method and scope of transfer, the scope of use by data recipients, contact information of data recipients).
Data security and breach notification
Security obligations
Are there specific security obligations that must be complied with?
Yes. Under the Cybersecurity Law, network operators must adopt technological measures and other necessary measures to ensure the security of personal information they gather, and prevent personal information from being leaked, destroyed or lost.
Article 13 of the Provisions on Protecting the Personal Information of Telecommunications and Internet Users imposes the following security requirements on telecommunications operators and internet service providers:
- Specify the responsibilities of each department, post and branch in terms of managing the security of personal information;
- Establish the authority of different staff members and agents, review the export, duplication and destruction of information, and take measures to prevent the leak of confidential information;
- Properly retain the carriers that record users’ personal information, such as hard-copy media, optical media and magnetic media, and take appropriate secure storage measures;
- Conduct access inspections of the information systems that store users’ personal information, and put in place intrusion prevention, anti-virus and other measures;
- Record operations performed with users’ personal information, including the staff members who perform such operations, the time and place of such operations and the matters involved;
- Undertake communications network security protection work as required by the relevant telecommunications authority; and
- Take other necessary measures as prescribed by the relevant telecommunications authority.
The Provisions on Protecting the Personal Information of Telecommunications and Internet Users also require that telecommunications operators and internet service providers provide staff members with training in the relevant skills and responsibilities relating to the protection of personal information. They must also conduct at least one self-audit of their data protection measures, record the results and promptly eliminate any security risks discovered during the audit.
Breach notification
Are data owners/processors required to notify individuals in the event of a breach?
Yes. The Cybersecurity Law provides that in the event of a breach, network operators must inform affected users immediately. Under certain local consumer protection regulations, such as those in Shanghai, security breaches must be reported to the data subjects.
Are data owners/processors required to notify the regulator in the event of a breach?
Yes. The Cybersecurity Law requires network operators to report any cybersecurity breach to the relevant departments immediately.
In the telecommunications and internet sector, if personal information is disclosed or may potentially be disclosed, service providers must take remedial measures immediately. If the incident has or may have serious consequences, the service provider must report it immediately to the relevant telecommunications administrations and cooperate in the investigation carried out by the telecommunications administrations pursuant to the Provisions on Protecting the Personal Information of Telecommunications and Internet Users.
Electronic marketing and internet use
Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?
Under the Decision on Strengthening Protection of Network Information and the Law on the Protection of Consumer Rights and Interests, commercial information may be sent to consumers only where:
- the consumer has requested the information; or
- the consumer has consented to receive the information.
It must not be sent where the consumer has expressly refused to receive the information.
Under the Measures for the Administration of Internet Email Services, where an email recipient has clearly consented to receive emails containing commercial advertisements, but later withdraws this consent, the sender must stop sending such emails unless otherwise agreed by both parties. When sending emails containing commercial advertisements, the sender must provide its contact information, including its email address, and a guarantee that this contact information will remain valid for 30 days.
Under the Administrative Provisions on Short Message Services, SMS providers and short message content providers must not send commercial messages to users without their consent or request, and must explain the type and frequency of the commercial messages that will be sent. A user’s failure to respond will be regarded as a refusal of consent.
Cookies
Are there rules governing the use of cookies?
To the extent that cookies amount to personal information, they will be governed by Chinese law. Otherwise there is no legislation that specifically governs cookies.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
The Cybersecurity Law imposes data localisation requirements on critical information infrastructure operators. Therefore, all critical information infrastructure operators must store within China all personal information and important data collected or generated during their operations in China. Further, the Security Assessment Measures for Cross-border Data Transfer of Personal Information and Important Data, which supplements the Cybersecurity Law, sets out the cross-border transfer restrictions on network operators regarding personal information and what security assessments may be required of such transfers. While there is no express data localisation obligation on network operators under the Cybersecurity Law or the Security Assessment Measures for Cross-border Data Transfer of Personal Information and Important Data, the cross-border transfer restrictions effectively impose an obligation on network operators to retain data in China, unless certain requirements are complied with.
If, for legitimate business reasons, the data must be provided to a foreign organisation or person outside China, the critical information infrastructure and network operators must complete a security evaluation jointly formulated by the National Cyberspace Administration and State Council, and the data subject's consent must have been obtained (except when there is an emergency that may jeopardise the life or property of the relevant data subject). Either way, no transfer of personal information or important data may occur if the transfer may result in risks to national security and public interest and cause harm to the government, economy, science and national defence, or if any relevant regulator deems the transfer to be inappropriate. Critical information infrastructure is defined to include a list of sectors such as public communications, information services, energy, transport, water preservation, finance, public services and e-government affairs, as well as other sectors falling within the following broad catch-all phrase: “other key information infrastructure that will result in serious damage to national security, national economy and people’s livelihood and public interests if they are destroyed, there are lost functions, or they are subject to data leakage”.
The non-binding Provisions on Protecting the Personal Information of Telecommunications and Internet Users allow for the cross-border transfer of personal information if the data subjects have expressly consented or if the transfer has been approved by the administration authorities or by national laws and regulations.
Are there restrictions on the geographic transfer of data?
Yes.
Both a self-assessment and an official security assessment by the regulatory authorities must be carried out before a critical information infrastructure operator or network operator can transfer personal information and important data outside of China. The official security assessment by the regulatory authorities is required for cross-border transfers of personal information where any one of the following applies:
- the data contains personal information of over 500,000 individuals;
- the data contains information regarding nuclear facilities, chemistry, biology, national defence, the military, population, health, data on mega-project activities, marine environment, sensitive geographical information or cybersecurity information (eg, security vulnerabilities or specific security measures of critical information infrastructure); or
- the data involves other information likely to affect national security or social and public interests.
No transfer of personal information or important data may occur if the security assessment reveals that:
- the transfer will violate laws, regulations or regulatory rules;
- the relevant individual has not consented;
- the transfer will be detrimental to public and national interest;
- the transfer poses risk to national security, or causes harm to the government, economy, science and national defence; or
- any relevant regulator prohibits the transfer.
Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
Yes. Under the Cybersecurity Law, consent must be obtained before the personal information is disclosed to a third party for any purpose (not just limited to processing).
The non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems set out the following requirements where personal information will be transferred to a third party:
- The personal data must be transferred for and to the extent of the purposes notified to the data subjects when their personal information was collected.
- Before personal information is transferred to third parties, the data controller must evaluate whether such third parties are capable of processing the information in accordance with the guidelines, and the liability of such third parties in relation to the protection of the personal information must be determined and specified by contract.
- The data controller must ensure that the personal information will not be accessed by any entity other than the recipient in the course of the transfer.
- The data controller must ensure that the personal information remains complete, available and up to date in the course of transfer.
Personal information may not be transferred to overseas recipients, including any individual overseas or any organisation or institution registered overseas, unless the data subject has expressly consented, the transfer is explicitly required by law or the competent department has issued its approval.
Penalties and compensation
Penalties
What are the potential penalties for non-compliance with data protection provisions?
Network operators that violate the personal data protection provisions and critical information infrastructure operators that breach the data localisation requirements under the Cybersecurity Law can be fined up to Rmb500,000 and may even face revocation of their business licences.
Under the Law on the Protection of Consumer Rights and Interests, a company shall incur civil liabilities if it:
- collects or uses consumers’ personal information without consent;
- discloses, sells or illegally provides others with consumers’ personal information; or
- sends commercial information to consumers without their consent or request, or after the consumer has expressly refused consent.
Additionally, the administrations of industry and commerce and their local counterparts may issue a corrective order or warning, confiscate illegal gains and/or impose a fine of between one and 10 times the value of the illegal gains, or up to Rmb500,000 where no illegal gains were made. If the circumstances are severe, the company may be suspended from operations or have its licence revoked.
Violations of the Provisions on Protecting the Personal Information of Telecommunications and Internet Users and the Provisions on Regulating the Market Order of Internet Information Services are subject to corrective orders, warnings, fines of between Rmb10,000 and Rmb30,000 and criminal liabilities.
Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Under civil law and tort law, individuals are expressly entitled to seek compensation for any damage arising from privacy infringements.
Cybersecurity
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
The Criminal Law covers cybercrime, while the Cybersecurity Law covers cybersecurity.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
Some of the other regulations and measures that should be considered in this regard are:
- the Security Assessment Measures for Cross-border Data Transfer of Personal Information and Important Data, which came into force on June 1 2017;
- the Security Review Measures for Network Products and Services (Trial), which came into force on June 1 2017;
- the National Security Law, issued on July 1 2015; and
- the Counter-terrorism Law, issued on December 27 2015.
Which cyber activities are criminalised in your jurisdiction?
Cybercrime is covered under the Criminal Law and includes the following offences:
- illegally accessing computer systems (Article 285);
- illegally accessing or controlling data held on computer systems (Article 285);
- providing programs and tools to access or illegally control computer systems (Article 285);
- destroying computer systems (Article 286); and
- committing financial crimes using a computer (Article 287).
Which authorities are responsible for enforcing cybersecurity rules?
The national cyberspace administrations are responsible for the overall planning and coordination of cybersecurity work and relevant supervisory and administrative work, while the Ministry of Industry and Information Technology, the public security department and other relevant departments are responsible for the supervision and administration of cybersecurity protection.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Yes, although this is not yet as common as in the United States and the European Union.
Are companies required to keep records of cybercrime threats, attacks and breaches?
No overarching statute requires that such records be kept. However, network operators are obliged under the Cybersecurity Law to maintain network logs for not less than six months.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
Yes. Under the Cybersecurity Law, upon the occurrence of a cybersecurity incident, network operators must immediately initiate contingency plans, take remedial measures and report to the relevant departments.
Are companies required to report cybercrime threats, attacks and breaches publicly?
No overarching statute imposes any public reporting requirements.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
Depending on the cybercrime, the relevant offence may incur a penalty of life imprisonment and/or a maximum fine of Rmb500,000 (Articles 285, 286 and 287 of the Criminal Law).
Under the Cybersecurity Law, engaging in activities that jeopardise cybersecurity, or providing programs or tools specifically used to engage in activities that jeopardise cybersecurity, is punishable by a fine of up to Rmb500,000.
What penalties may be imposed for failure to comply with cybersecurity regulations?
Under the Cybersecurity Law, non-compliance may incur penalties such as warnings, corrective orders, fines of up to Rmb1 million and (in worst-case scenarios) revocation of a business licence.