Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

China does not have a single overarching national law that specifically addresses the collection, storage, transmission and use of PII. Rather, a piecemeal approach to data protection is taken, with provisions found in the Constitution, the Cybersecurity Law, telecommunications regulations, consumer rights law, tort law, criminal law, and elsewhere, as well as further interpretations, measures and guidelines issued concerning each.

In particular, the Cybersecurity Law (CSL), which was passed on 7 November 2016 and came into operation on 1 June 2017, along with its supplementary measures, is the nation’s first comprehensive legislation covering both data privacy and cybersecurity. The CSL sets out a high-level framework regulating the collection, storage, transmission and use of personal information by critical information infrastructure (CII) operators and network operators in China. Further, under the Civil Code of the People’s Republic of China (the Civil Code), which took effect on 1 January 2021, individuals now have express and codified rights to privacy and protection of personal information.

There are also several measures and guidelines concerning data protection requirements that are non-binding but nevertheless carry significant weight with regulators, including the Information Security Technology – Guidelines on Personal Information Protection of Public and Commercial Service Information Systems (2012) and the updated Information Security Technology – Personal Information Security Specification 2020 (the 2020 PI Specification).

Also, the new draft Measures for Data Security Management and the draft Measures on Security Assessment of the Cross-Border Transfer of Personal Information were issued in May and June 2019, respectively, and will impose further obligations on CII operators and network operators concerning personal information if brought into operation.

Finally, the second draft of the new Personal Information Protection Law (the Draft PIPL) was released on 29 April 2021, and the new Data Security Law (the DSL) was passed on 10 June 2021 and will come into effect on 1 September 2021. The Draft PIPL, once passed, will become China’s first comprehensive law dedicated to the protection of personal information, and the DSL will regulate data processing activities that could affect national security, focusing in particular on ‘important data’ and leaving the detailed protection of personal information to the PIPL. Together with the CSL, these laws are set to form the basis of personal data protection in China.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

There is no single authority that is responsible for overseeing the enforcement of data protection laws in China. Multiple regulatory authorities are granted various investigatory and enforcement powers concerning data protection matters, including the ability to impose administrative sanctions.

The Cyberspace Administration of China is the primary data protection regulator under the CSL and has broad responsibilities and enforcement powers, particularly concerning cybersecurity.

The Ministry of Industry and Information Technology and the telecommunication administrations at the provincial level are tasked with overseeing the protection of PII in the telecoms and information services sector, including the supervision and administration of personal information of telecommunication and internet users.

The Ministry of Public Security (MPS) is China’s key police and security authority and is granted wide investigatory and enforcement powers to combat cybercrimes. The MPS is empowered to carry out inspections and criminal investigations, which may include inspecting the servers and systems of CII operators and network operators.

The State Administration for Market Regulation (which absorbed the former State Administration for Industry and Commerce in 2018) and its local counterparts are responsible for the supervision and administration of consumers’ personal information under consumer protection legislation, including the Law on the Protection of Consumer Rights and Interests.

Cooperation with other data protection authorities

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

There is no legal obligation on the Chinese authorities to cooperate with data protection authorities in other jurisdictions.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Any violations of the laws relating to data protection may result in fines, corrective orders or warnings, public naming and shaming, confiscation of illegal gains, orders for the suspension or shutting down of operations, the shutting down of websites, revocation of business permits or licences or potential criminal liability.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The obligations under the Cybersecurity Law (CSL) apply to critical information infrastructure (CII) operators and network operators. CII includes key sectors such as finance, transportation, energy, water, government and communications, as well as any other sector in which the destruction or loss of function of, or data leakage from, the infrastructure could seriously endanger national security, the national economy, people’s livelihoods or the public interest. Network operators are broadly defined under the CSL as owners or managers of networks and providers of network services; the definition could therefore capture any entity that uses IT systems in China or operates a Chinese website, irrespective of its industry.

There is also much sector-specific legislation that includes data protection provisions concerning those specific sectors, such as healthcare, telecommunications and banking, as follows.


Healthcare

Several regulations and measures provide guidance on the collection, processing and use of healthcare data, including the Administrative Measures for Population Health Information (for Trial Implementation) 2014 and the Measures on the Administration of National Health and Medical Big Data Standards, Security and Services (Trial) 2018. A draft of the new Guide for Health Information Security was also released on 26 December 2018 for public consultation but has yet to be finalised.


Telecommunication

The main additional regulations governing data protection in the telecoms sector include the Decision of the National People’s Congress Standing Committee to Strengthen Internet Information Protection and the Protection Guidelines of Personal Information in Public and Commercial Service Information Systems.


Banking

The Notice of the People’s Bank of China on Urging Financial Institutions to Further Effectively Protect Clients’ Personal Financial Information (2012) and the Interim Measures for the Administration of the Basic Data of Individual Credit Information are key regulations governing data protection by financial institutions.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

No, the CSL does not cover interception of communications, electronic marketing or surveillance of individuals.

In respect of interception of communications, article 40 of the Constitution of the People’s Republic of China (PRC), which otherwise protects the freedom and privacy of correspondence, permits public security or procuratorial organs to examine correspondence where required by the needs of state security or a criminal investigation. Article 13 of the PRC Counter-espionage Law also provides that national security authorities are entitled to inspect ‘electronic communication instruments, appliances, other similar equipment belonging to any organisation or individual’ for the purpose of countering espionage activities. Further, article 65 of the Telecommunications Regulations grants the relevant security authorities the power to examine the content of private telecommunications on national security or criminal investigation grounds.

In respect of electronic marketing, the Measures for the Administration of Internet Email Services 2006 require, among other things, that the express consent of recipients be obtained on an opt-in basis before any email advertisement is sent to them, and that the word ‘ad’ or ‘advertisement’ (in English or Chinese) be included in the subject line of the email to denote its commercial nature.

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

  • Employee information: the Labour Contract Law governs the collection and use of employees’ personal information for the purposes of recruitment and employment.
  • Internet service providers: the Regulations on Standardising the Order of the Internet Information Service Market 2011 requires that data subjects are clearly informed by internet service providers of the collection method and purpose for collecting and processing their personal information.
  • Credit information: credit reporting agencies and other companies that collect credit information are subject to the data localisation requirement under the Administrative Regulations on the Credit Reporting Industry 2013.
  • Personal finance information: all banks in China are required by the People’s Bank of China to store, use and process all personal information within China.
  • Children: on 1 October 2019, the new Online Protection of Children’s Personal Data Regulation came into force, which sets out requirements aimed at protecting children’s personally identifiable information. It is in line with the CSL.
  • Other various laws, regulations and guidelines that also address the protection of personal information include:
    • the Decision on Strengthening Protection of Network Information;
    • the Law on the Protection of Consumer Rights and Interests;
    • the Measures for the Administration of Online Transactions;
    • the Provisions on Protecting the Personal Information of Telecommunications and Internet Users;
    • Several Provisions on Regulating the Market Order of Internet Information;
    • the Medical Records Administration Measures of Medical Institutions;
    • the Measures for Administration of Population Health Information;
    • the Measures for the Administration of Internet Email Services;
    • the Standards for the Assessment of Internet Enterprises’ Protection of Personal Information, which are not binding; and
    • the Administrative Provisions on Short Message Services.

PII formats

What forms of PII are covered by the law?

All types of PII are covered by the CSL and the related regulations. Under the CSL, ‘personal information’ is defined as all kinds of information, recorded in electronic or other forms, that can be used independently or in combination with other information to identify a natural person’s identity, including but not limited to names, dates of birth, identity card numbers, personal biometric information, addresses and telephone numbers. This definition is in line with the definition of ‘personal information’ under the new Civil Code of the People’s Republic of China (the Civil Code), which additionally lists email addresses, health information and location (whereabouts) information.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

Under the CSL and the related regulations and measures that sit beneath it, no distinction is drawn between domestic and foreign network operators. The CSL therefore appears to have extraterritorial effect and may apply to companies that have no physical presence in China but whose operations involve the collection of personal information of Chinese residents.

In particular, the draft Measures on Security Assessment of the Cross-Border Transfer of Personal Information (the 2019 Draft Cross-Border PI Measures) provide that if the business activities of any organisation located outside China result in the collection of personal information of persons located in China, through the internet or via other means, then such organisation will be subject to the 2019 Draft Cross-Border PI Measures as a network operator.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

While the CSL does not define ‘controllers’, the non-binding Information Security Technology – Personal Information Security Specification 2020 (the 2020 PI Specification) states that controllers are organisations or individuals that have the right to determine the purposes and means of processing personal information. There is no separate definition of ‘processors’ under the CSL or any of the related regulations. Therefore, unlike the EU’s General Data Protection Regulation, China’s data privacy laws do not distinguish between the concept of data controllers and data processors.

The CSL, Civil Code and 2020 PI Specification include requirements regarding the processing and use of personal information that data controllers are required to comply with.

Law stated date

Correct on

Give the date on which the information above is accurate.

21 June 2021