Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personal information (PI). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments or laws of other jurisdictions on privacy or data protection?

In China, rules relating to PI protection and data security are part of a complex framework and are found across various laws and regulations. The Personal Information Protection Law (PIPL), which came into effect on 1 November 2021, works together with China's existing Cybersecurity Law (CSL) and Data Security Law (DSL) to establish a broader framework governing cybersecurity and data privacy protection in China.

The CSL came into operation on 1 June 2017 and was the nation’s first comprehensive legislation covering both data privacy and cybersecurity. The CSL sets out a high-level framework regulating the collection, storage, transmission and use of PI by critical information infrastructure (CII) operators and network operators in China.

The DSL, which came into effect on 1 September 2021, regulates the processing of data (including PI), both in an electronic and a non-electronic format. The primary purpose of the DSL is to regulate data processing activities that may impact national security, in particular ‘important data’ and ‘national core data’. 

The PIPL, which came into effect on 1 November 2021, is the first omnibus law in China that regulates PI, in particular the processing of PI of individuals within China as well as some processing activities performed outside China. The PIPL imposes obligations on data controllers (although the PIPL's actual term for a data controller is the somewhat confusing ‘personal information processor’).

Under the Civil Code of the PRC, which took effect on 1 January 2021, individuals have express and codified rights to the privacy and protection of PI.

The PIPL, the DSL and the CSL are to be accompanied by an extensive series of implementing regulations in the form of guidelines and measures. Some of these implementing regulations have already been finalised (eg, the Revised Cybersecurity Review Measures, effective 15 February 2022, and the Internet Information Service Algorithmic Recommendation Management Provisions, effective 1 March 2022), but many are yet to be formulated.  

A number of these regulations are presently in draft form and, while non-binding in such form, compliance is advisable as they reflect regulatory attitudes.

Some relevant draft regulations, both general and industry-specific, include the:

  • Measures on Security Assessment of the Cross-Border Transfer of Personal Information (issued 13 June 2019);
  • Measures on Data Security Management (issued 28 May 2019);
  • Notice on Strengthening Cybersecurity Work in the Internet of Vehicles (Smart Connected Vehicles) (issued 22 June 2021);
  • Measures on Data Export Security Assessment (issued 29 October 2021);
  • Regulations on Network Data Security Management (issued 14 November 2021);
  • Mobile Internet Application Programme Information Service Management Regulations (issued 5 January 2022);
  • Guidelines for the Identification of Important Data (issued 13 January 2022);
  • Internet Information Service Deep Synthesis Management Provisions (issued 28 January 2022);
  • Measures on Industry and Information Technology Data Security Management (issued 10 February 2021);
  • Regulations on the Administration of Internet Pop-Up Push Notifications (issued 2 March 2022); and
  • Regulations on the Online Protection of Minors (issued 14 March 2022).

Any references to China refer to mainland China and do not include Macau and Hong Kong, which are subject to separate laws and regulations.

Data protection authority

Which authority is responsible for overseeing the data protection law? What is the extent of its investigative powers?

There is no single authority that is responsible for overseeing the enforcement of data protection laws in China, but the main authority is the Cyberspace Administration of the PRC (CAC) and its respective local offices. Multiple regulatory authorities are granted various investigatory and enforcement powers concerning data protection matters, including the ability to impose administrative sanctions. Under the PIPL, the departments that perform PI protection duties are responsible for enforcing the PIPL. However, people’s procuratorates (the Chinese equivalent of a public prosecutor), statutorily designated consumer organisations and organisations designated by the CAC may also file a lawsuit with a people’s court against data controllers that violate the PIPL.

The CAC is the primary data protection regulator under the CSL, DSL and PIPL and has broad responsibilities and enforcement powers. The Cybersecurity Review Office, which is based in the CAC, is responsible for formulating cybersecurity review systems and standards and organising cybersecurity reviews.

The Ministry of Industry and Information Technology and the telecommunication administrations at the provincial level are tasked with overseeing the protection of PI in the telecoms and information services sector, including the supervision and administration of PI of telecommunication and internet users.

The Ministry of Public Security (MPS) is China's key police and security authority and is granted wide investigatory and enforcement powers to combat cybercrimes. The MPS is empowered to carry out inspections and criminal investigations, which may include inspecting the servers and systems of CII operators and network operators.

The State Administration for Industry and Commerce and its local counterparts are responsible for the supervision and administration of PI of consumers, under the Provisions on Regulating the Market Order of Internet Information Services.

Industry-specific regulations may also be enforced by the relevant industry regulators.

Cooperation with other data protection authorities

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

There is no legal obligation on the Chinese authorities to cooperate with data protection authorities in other jurisdictions.

Breaches of data protection law

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Any violations of the laws relating to data protection may result in fines, corrective orders or warnings, public naming and shaming, confiscation of illegal gains, orders for the suspension or shutting down of operations, the shutting down of websites, revocation of business permits or licences or potential criminal liability.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The obligations under the Cybersecurity Law (CSL) apply to critical information infrastructure (CII) providers and network operators. CII covers key sectors such as finance, transportation, energy, water, government and communications, and any other industry whose destruction, loss of function or data leakage could result in serious damage to national security, the national economy, people’s livelihood or the public interest. Network operators are broadly defined under the CSL as owners or managers of networks and providers of network services, a definition that could potentially apply to any entity that uses IT systems in China or operates a Chinese website, irrespective of its industry.

The Data Security Law (DSL) applies to data processing activities inside China and, in certain circumstances, outside China. Given the expansive definitions of ‘data’ and ‘data processing’, the DSL applies not only to internet service providers and big tech companies, but to all sectors and types of organisations involved in the recording and processing of information.

Similarly, the Personal Information Protection Law (PIPL) applies to PI processing within China and, in some circumstances, to processing activities outside China. Given the broad definitions of ‘PI’ and ‘PI processing’, it is clear that the PIPL applies to both the public and the private sectors.

Interception of communications and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals?

Yes. The PIPL addresses electronic marketing insofar as it establishes rules on the use of automated decision-making. The PIPL also grants the state a wide array of powers when investigating PI processing activities, including:

  • interviewing parties and investigating circumstances related to PI processing activities;
  • consulting and reproducing a party’s contracts, records and receipts, as well as other relevant material related to PI processing activities;
  • conducting on-site inspections and investigations of suspected unlawful PI processing activities; and
  • inspecting equipment and articles relevant to PI processing activities and, where there is evidence that the equipment or articles are used to engage in illegal PI processing activities, sealing or confiscating them after receiving approval from the head of the relevant department.

These may allow the state to access private and individual communications when investigating PI processing activities.

Regarding the interception of communications, article 40 of the PRC Constitution further grants the state the power to obtain access to private and individual communications in situations related to public security or criminal investigations. Article 13 of the PRC Counter-espionage Law also provides that national security authorities are entitled to inspect ‘electronic communication instruments, appliances, other similar equipment belonging to any organisation or individual’ for the purpose of countering espionage activities. Further, article 65 of the Telecommunications Regulations grants the relevant security authorities the power to carry out examinations of private telecommunications on the basis of national security or criminal investigations.

Regarding electronic marketing, the Measures for the Administration of Internet Email Services 2006 require, among other things, that the express (opt-in) consent of data subjects be obtained before any email advertisement is sent to them, and that the word ‘ad’ or ‘advertisement’, in English or Chinese, be included in the subject line of the email advertisement to denote its commercial nature.

Other laws

Are there any further laws or regulations that provide specific data protection rules for related areas?

  • Employee information: the Labour Contract Law governs the collection and use of employees’ personal information for the purposes of recruitment and employment.
  • Internet service providers: the Regulations on Standardising the Order of the Internet Information Service Market 2011 requires that data subjects are clearly informed by internet service providers of the collection method and purpose for collecting and processing their personal information. In 2022, the CAC passed several regulations and issued draft regulations to further regulate the collecting and processing of personal information in the context of specific internet service provider activities, such as push notification, algorithmic recommendation and deep synthesis (deep fake) service providers. These regulations (draft or otherwise) were issued pursuant to a number of laws, including the CSL and the PIPL.
  • Credit information: credit reporting agencies and other companies that collect credit information are subject to the data localisation requirement under the Administrative Regulations on the Credit Reporting Industry 2013.
  • Personal finance information: all banks in China are required by the People’s Bank of China to store, use and process all personal information within China.
  • Children: on 1 October 2019, the new Online Protection of Children’s Personal Data Regulation came into force, which sets out requirements aimed at protecting children’s personally identifiable information. It is in line with the CSL. On 14 March 2022, the CAC released new draft regulations on the online protection of minors pursuant to the Law on Protection of Minors, the CSL and the PIPL, which would impose additional value-based obligations on online product and service providers, data controllers and manufacturers or sellers of smart terminals.
  • Other various laws, regulations and guidelines that also address the protection of personal information include:
    • the Decision on Strengthening Protection of Network Information;
    • the Law on the Protection of Consumer Rights and Interests;
    • the Measures for the Administration of Online Transactions;
    • the Provisions on Protecting the Personal Information of Telecommunications and Internet Users;
    • Several Provisions on Regulating the Market Order of Internet Information;
    • the Medical Records Administration Measures of Medical Institutions;
    • the Measures for Administration of Population Health Information;
    • the Measures for the Administration of Internet Email Services;
    • the Standards for the Assessment of Internet Enterprises’ Protection of Personal Information, which are not binding; and
    • the Administrative Provisions on Short Message Services.

PI formats

What categories and types of PI are covered by the law?

All types of PI are covered by the CSL, the DSL, the PIPL and other related regulations.

‘Personal information’ in the PIPL refers to various information related to identified or identifiable natural persons recorded electronically or by other means, but does not include anonymised information.

Under the CSL, ‘personal information’ is defined as all kinds of information recorded in electronic or other forms that can be used independently or in combination with other information to identify a natural person’s personal identity, including, but not limited to, their names, dates of birth, identity numbers, biological data, addresses and telephone numbers. This definition is also in line with the definition of ‘personal information’ under the new Civil Code of the PRC, which also includes email addresses, health information and location information.

The DSL applies not only to PI but to all kinds of data; ‘data’ is defined as any record of information, whether in electronic or non-electronic form.

Extraterritoriality

Is the reach of the law limited to PI owners and processors physically established or operating in your jurisdiction, or does the law have extraterritorial effect?

The law has extraterritorial effect.

The PIPL applies both to the processing of personal information of individuals within China and to any processing activities performed outside China, if this processing:

  • is for the purpose of providing products or services to individuals located in China;
  • is for the purpose of analysing or evaluating the activities of individuals located in China; or
  • falls within any other circumstances specified under local laws or regulations.

Likewise, the DSL also has extraterritorial effect and applies to data processing activities conducted outside China that may harm or damage national security, the public interest or the lawful rights and interests of Chinese citizens or organisations.

Covered uses of PI

Is all processing or use of PI covered? Is a distinction made between those who control or own PI and those who provide PI processing services to owners? Do owners’, controllers’ and processors’ duties differ?

Yes. Between the DSL, which applies to all data (not just PI) processing activities, and the PIPL, which applies to all PI processing activities, all processing or use of PI is covered.

The PIPL distinguishes between data controllers and data processors, and imposes obligations on data controllers, who remain responsible for the actions of the data processors they engage.

Data processors are only statutorily obliged to adopt necessary measures to protect the PI entrusted to them in accordance with the PIPL and other relevant laws and regulations, and to assist the data controller in complying with their obligations under the PIPL.

Law stated date

Correct on

Give the date on which the information above is accurate.

24 May 2022.