China: Cybersecurity

Legal framework

Overview

While the perception that China does not respect personal data has certainly shifted, the picture remains complex. On the one hand, consumer anxiety about the security of personal data is higher than ever. The ubiquity of some digital services in China, which have achieved levels of penetration and depth far beyond that of even the most prominent comparable Western services, has given rise to an unprecedented level of consumer activism, such as calling out bad data practices online – attracting the attention of regulators and forcing companies to change their privacy policies, sometimes within days of launching (the recent case of the Zao face-swapping app being a paradigm of this phenomenon). Enforcement by the privacy authorities is gearing up too, but remains patchy, and private litigation is also picking up pace. On the other hand, the Chinese government is currently experimenting with the largest ever mass accumulation and mining of personal data in the form of the social credit system, and it is believed to have installed more than 200 million surveillance cameras across the country (with plans to install 400 million more advanced facial recognition systems in the next two years), its cities being the most closely monitored in the world. This is a tense dichotomy.

Until recently, China’s data privacy framework was similarly splintered across rules found in various laws, measures and sector-specific regulations. The Cybersecurity Law (CSL), effective as of 1 June 2017, has for the first time introduced a framework for comprehensive regulation of the privacy of electronically stored data. Despite this, the CSL has only added further complexity to the system, and other sources of law also remain in effect. As with many significant Chinese laws, the CSL sets up a multilayered pyramid of implementing regulations and measures, guidance notices, national and technical standards, narrowing to highly granular rules at the top. At the time of writing, much of this interlocking matrix remains in draft form, with substantial changes still being made between versions.

Meaningful guidance on the key concepts of ‘critical information infrastructure’, ‘important data’ and the basis for approving cross-border transfers of personal data under the law remains elusive. Partly, this reflects the desire for regulatory authorities to preserve their flexibility in enforcement. Indeed, the underlying policy intent of the law (namely, the security and controllability of Chinese information networks) creates its own frictions in the way the law is being applied. As the law beds down it is proving to be a Swiss army knife for regulators, with consumer protection being only one of its blades. In this uncertain environment, we are aware of some Chinese companies taking an extremely cautious approach by declining to contract directly with any foreign company in situations that may involve a data transfer, insisting instead on contracting only with domestic companies. The combination of all these factors has left many international companies reaching for answers as to what to do.

The Cybersecurity Law

The CSL included for the first time a comprehensive set of data protection provisions in the form of national-level legislation. The law is of general application to personal data collected over information networks. Numerous draft regulations, guidelines and other subsidiary measures have since been promulgated, most of which have still to be finalised.

A detailed national standard known as the Personal Information Security Specification (the PI Security Specification) entered into effect on 1 May 2018. This non-binding guideline contains detailed requirements on data handling and data protection. No direct penalties apply for a contravention of the PI Security Specification. However, Chinese government agencies are known to apply the Specification as an important measure of compliance with the binding laws and regulations. Two drafts of proposed revisions to the PI Security Specification were issued in January and June 2019.

Since the start of 2019, further draft amendments have been published, some of which represent a significant shift from the previous versions. In general, these draft amendments propose a greater degree of regulatory oversight in the key areas, including with regard to the transfer of personal data (and other forms of data) out of China. In the meantime, the government is reported to be working on a new omnibus data privacy law, but details remain scarce at this time.

Scope of application

Network operators

The CSL imposes data privacy obligations on network operators. The term ‘network operator’ includes both owners and administrators of a network, as well as network service providers.

A ‘network’ is defined as any system that consists of computers or other information terminals, and related equipment for collecting, storing, transmitting, exchanging and processing information.

Accordingly, the data privacy provisions in the CSL apply to all organisations in China that provide services over the internet or another information network. The prudent view is that internal networks and systems, such as company human resources systems, are caught as well.

Personal data and sensitive personal data

The CSL (and the regulations, guidelines and other subsidiary measures yet to be adopted under it) regulates both personal data and sensitive personal data.

Personal data is defined as information that identifies a natural person either by itself or in combination with other information. The term includes a person’s name, address, telephone number, date of birth, identity card number and biometric identifiers.

The PI Security Specification further distinguishes between general and ‘sensitive’ personal data. Sensitive personal data is defined as personal data that, if disclosed or illegally processed, might endanger personal and property security, damage personal reputation, or physical or psychological health, or lead to discriminatory treatment, etc. Sensitive personal data may include personal ID card numbers, biometric data, bank account numbers, personal communications, credit records, geolocation data and health data, as well as the personal data of children under the age of 14 years.

Data processing

Data collection and processing obligations

Consent and notification requirement

Before collecting personal data from an individual (the data subject), a network operator is required to explicitly inform the individual of the purpose, means and scope of the collection and use of their data, and obtain consent for collection. Any processing of personal data must be done in accordance with the scope of those consents. The purpose limitations under the CSL are thus entirely consent based.

The PI Security Specification states that an individual’s express consent is required to collect sensitive personal data. The consent must be recorded in writing or through other affirmative action. On the other hand, Chinese law is effectively silent on the nature of the consent required for the collection and use of personal data that is not sensitive personal data. We are, however, aware that officials have expressed a preference for consent to be given by means of an active expression of intent on the part of the relevant data subject in all circumstances. The PI Security Specification provides that: ‘[a]ffirmative action includes the personal data subject, on his or her initiative, making a statement (in electronic form or on paper), checking a box, or clicking “agree”, “sign up”, “send”, “dial”, etc.’

Organisations are not permitted to collect the sensitive personal data of children under 14 years old without the express consent of the child’s parents or other legal guardians.

It is unclear whether the same standards are intended to apply to employee information and other personal data held solely on internal company systems. However, the definition of a ‘network’ is certainly wide enough to include internal systems. The policy intent of the law also seems equally applicable to data held on internal systems.

In any event, the Provisions on Employment Service and Employment Management (in effect since 2008) impose a general obligation on employers to keep employees’ personal data confidential and to obtain written consent before disclosing their personal data to third parties.

Network operators are prohibited from collecting personal data that is not relevant to the services they offer.

Prohibition of bundled consent and forced consent

The draft amendments to the PI Security Specification require organisations that provide multiple products or services to obtain individual consents before the start of each service. Where an individual user only chooses to use part of those products or services being offered, it will not be permissible to seek a ‘bundled’ consent in a single data collection request.

The draft amendments also prohibit the use of other means to obtain a ‘forced’ consent (in the language of the PI Security Specification), such as frequently sending requests (defined as more than once every 24 hours), or refusing to provide the product or service or lowering its quality after an individual has declined a data collection request.

When providing a product or service that has more than one ‘function’ (such as map navigation, car booking, instant messaging, social networking, online payment, etc), the consent interface should categorise between ‘primary functions’ and ‘extended functions’ (to be determined with reference to the provider’s promotional materials and descriptions of its products and services). The provider of the service will need to obtain consent from a user in relation to primary functions and extended functions. The practical implication is that a single tick box covering all features and functionality of a service will usually be non-compliant:

  • Separate consent will need to be obtained for newly added primary functions or functions which have been re-categorised as primary functions.
  • Before providing extended functions to a user, businesses must notify the user of the extended functions they propose to provide and the types of personal data that need to be collected for each. A separate consent should be obtained for each extended function.

Exemptions to the consent requirement

Certain exemptions are made to the consent requirement, such as where the use of the personal data is directly related to criminal investigations and law enforcement. Additionally, unlike in some systems of law, personal data that an individual has voluntarily made public or personal data that has been legally and publicly disclosed (eg, news reports, data published by the government) is no longer protected.

Privacy policy

The PI Security Specification requires organisations to make available a detailed and complete privacy policy. The policy should set out the types of personal data collected, the means, frequency and purposes of collection, cookie policy, transfer and disclosure policies, security measures adopted and data subject rights, etc. The statement of purpose must be easily accessible through the use of clear and plain language. Appendix D of the PI Security Specification contains a model privacy policy framework, and Appendix C contains a model privacy notice. Their use is not mandatory, but is recommended.

Data storage and security obligations

The CSL requires network operators to keep users’ personal data in strict confidence. This includes an obligation to implement technical measures to monitor and record the operational status of their networks and the occurrence of cybersecurity incidents.

There is no legal requirement to encrypt personal data collected in China. The PI Security Specification does, however, require organisations to employ enhanced security measures, such as encryption, when storing sensitive personal data. The PI Security Specification also lays down specific requirements for the design of information systems that collect or hold sensitive personal data. Systems should be designed to automatically track the usage of sensitive personal data and provide for encryption.

Transfers to third parties

Under the CSL, it is necessary to obtain the informed consent of data subjects to transfer or disclose any of their personal data to a third party (whether within or outside of China).

The latest version of the draft Security Assessment Measures states only that the network operator must inform the data subject of:

  • the type of personal data being transferred;
  • the purpose of the transfer (which presumably implicates also explaining to the data subject who the recipient of the data transfer is and what country they are located in); and
  • the retention period.

The consent requirement in the CSL is, however, overriding. Nevertheless, the lack of detailed requirements for this consent leaves uncertainty as to the nature of the consent that will qualify.

Under the non-binding Guidelines for Cross-Border Data Transfer Security Assessment (the Guidelines for Cross-Border Data Transfer) released by the National Information Security Standardisation Technical Committee (TC260) in August 2017, consent to an overseas data transfer may be implied by an individual’s actions, such as when making international telephone calls, sending international emails or instant messages, and conducting international transactions over the internet. This is extended to other ‘proactive’ (ie, voluntary) personal actions that indicate that the data subject has consented to the data export. No further examples are given.

The Guidelines for Cross-Border Data Transfer state that transfers of data within an internal cross-border network constitute a data transfer for the purposes of the draft Security Assessment Measures.

Cross-border transfers

Operators of ‘critical information infrastructure’ are under a general requirement under the CSL to store in China all personal data collected over a network.

In addition, the latest version of the draft Security Assessment Measures issued by the Cyberspace Administration of China (CAC) requires all network operators to obtain regulatory approval before any personal data can be moved outside of China (including remote access from overseas). If the Measures are implemented in the form of the current draft, network operators would need to obtain regulatory approval for each transfer of personal data to a different data recipient. The approving body will be the relevant provincial branch of the CAC.

Separate approval would not be required for repeat (or continuous) transfers of personal data to the same recipient, unless there is a change to the type of data being transferred, the purpose for the transfer or the permitted retention period, which will need to be approved separately. The transferring party will also need to re-apply for approval every two years as a matter of routine.

Network operators must also enter into a written data transfer agreement with the data recipient (to be submitted together with the application for approval). The draft Security Assessment Measures require data subjects to be given enforceable rights under the agreement. Although this requirement is not expressly elaborated on, other provisions of the Measures stipulate that the data recipient should, among other things, be required to comply with data subjects’ exercise of their individual rights (eg, rights of access, correction and deletion).

See ‘China: Data Localisation’ for further information on this topic.

Privacy governance

Designated personnel

The CSL requires network operators to allocate persons responsible for network security as part of their internal security management systems. The PI Security Specification provides that organisations are expected to designate a person or agent to manage personal data.

Under the PI Security Specification, if an organisation has more than 200 personnel and its main business involves processing personal data, or if the organisation is expected to handle the personal data of more than 1 million people over the next 12 months, then it should establish a department with dedicated staff to handle personal data security.

Responsible persons may have direct personal liability for breaches of the core data privacy provisions under the law.

Impact assessments

The PI Security Specification requires entities that process personal data to conduct an impact assessment at least once a year or in conjunction with any major change in their operating model, information systems or following a data security incident. This requirement is more limited than under the GDPR.

The impact assessment should consider, among other things, whether the organisation’s data processing activities have an adverse impact on the lawful rights and interests of individuals, including harm to personal security or reputation, or could lead to discriminatory treatment. Other matters to be reviewed include the effectiveness of information security measures, the risk that a concentration of anonymised and desensitised personal data might lead to re-identification and the adverse impact of transfers of personal data.

Breach notifications

The CSL imposes a mandatory obligation to promptly inform data subjects of a data breach or other loss of personal data. A network operator is also required to report the incident to the relevant sector regulator and to take immediate remedial action.

Draft Ministry of Public Security (MPS) Regulations on the Graded Protection of Cyber Security require network operators to report cyber incidents to the local branch of the MPS within 24 hours. There is no de minimis threshold, and the draft Regulations do not specify what the substance of the report ought to be.

The PI Security Specification states that an incident notification must explain:

  • the nature and impact of the incident;
  • the practical recommendations for data subjects to minimise the impact of the incident;
  • the measures taken or to be taken in response; and
  • the data subjects’ rights and remedies.

The general regulations around cybersecurity incident reporting will also be applicable. Under the National Contingency Plans for Cybersecurity Incidents, which came into effect in January 2017, cybersecurity incidents will have to be reported to the Cybersecurity Coordination Office of the CAC if they relate to:

  • important network and information systems that suffer severe system losses, which result in long-term disruption or partial collapse of systems and have a significant impact on the business processing capabilities;
  • the loss or alteration of state secrets, important sensitive information or key data to the extent that this poses a serious threat to national security or social stability; and
  • cybersecurity incidents that pose a serious threat to or have a serious impact on national security, public policy, economic development or the public interest.

Data subjects’ rights

Right of erasure

Data subjects have the right to ask the controller of the personal data to cease all use and to erase personal data if the entity has breached its legal obligations or an agreement with the data subject (comparable to the GDPR’s ‘right to be forgotten’). The same right extends to information in the possession of data processors.

Personal data should also be deleted or anonymised when users close down accounts.

Right of data portability

Data subjects also have the right to have personal data ported to a third party if technically feasible to do so (comparable to the GDPR’s ‘right of data portability’). This right is of more limited scope than under the GDPR, applying only to basic personal data and personal identity information, health and physiological information, and education and employment information.

The PI Security Specification sets an expectation of 30 days for a response to an access, correction, erasure or data portability request as standard.

Automated decision-making

An appeal mechanism must be provided in relation to automated decisions that directly impact an individual’s rights and interests, including a manual review of the disputed automated decision (a variation on the approach taken under the GDPR with the right not to be subject to automated decision-making). The examples given are automated credit rating decisions and screenings of job applicants.

Additionally, an entity processing personal data should:

  • conduct personal data security impact assessments during the planning and design phase of any process that is reliant on automated decision-making; and
  • conduct personal data security impact assessments at least once a year.

Specific requirements

Telecommunications and internet information service providers

Telecommunications and internet information service providers are subject to additional personal data protection obligations under the Provisions on Protecting the Personal Information of Telecommunication and Internet Users (effective 16 July 2013).

Telecommunications and internet companies are required to establish a user complaint mechanism and reply to complaints concerning personal data protection within 15 days. They are also required to inform users about the channels through which they may consult and make corrections to their personal data.

App providers

Under the Administrative Provisions on Information Services of Mobile Internet Application Programmes (effective 28 June 2016), app providers must clearly indicate to customers if they are collecting geolocation data, accessing address books on their smartphones, or making use of cameras or activating audio recording or other functions, and obtain the user’s consent. The Provisions also prohibit the activation of functions that are unrelated to the service.

On 25 January 2019, the CAC, Ministry of Industry and Information Technology (MIIT), MPS and State Administration for Industry and Commerce jointly issued a Notice on Launching Special Regulations on the Collection and Use of Personal Information for App Violations and Regulations (the Special Regulations Notice). The notice lays down principles requiring app providers to:

  • not collect personal data that is not related to the services provided;
  • display rules for the collection and use of personal data in an easy-to-understand manner; and
  • avoid forced consent in the form of default consent, bundling and interrupting installation, etc.

Building on the Special Regulations Notice, the App Special Governance Working Group issued a draft Behaviour Identification Notice on Apps (the draft Behaviour Identification Notice) on 5 May 2019. Below are some examples put forward in the draft Behaviour Identification Notice of what would be considered unlawful collection or use of personal data by apps:

  • having no privacy policy or user agreement, or having a privacy policy or user agreement that does not contain relevant rules for collecting and using personal data;
  • the privacy policy is obscure, lengthy and cumbersome;
  • it takes more than four clicks or slides for the user to access the privacy policy from the main function interface;
  • the types of sensitive personal data being collected are not individually enumerated;
  • personal data is collected only for the purpose of improving programme functions, improving user experience and directional push (this will not be considered necessary data collection);
  • using user information and algorithms to push news, ads, etc, without providing the option for the user to terminate the directional push;
  • background transfers of personal data when the app is not opened or used;
  • changing user-set permissions without the user’s consent;
  • not providing functions to correct and delete personal data, or to cancel the user account; and
  • collecting personal data of minors under the age of 14 without the consent of a parent or guardian, or using that personal data to push personalised ads without such consent.

These requirements are additional to the guidance in the PI Security Specification.

Most recently, on 8 August 2019, the TC260 published a draft Basic Specification for Collecting Personal Information in Mobile Internet Applications. The key provisions are that apps should:

  • not refuse to provide services on the basis that the user refuses to provide personal data other than the minimum data necessary to ensure the normal operation of the service;
  • not collect non-changeable device unique identifiers (eg, IMEI numbers, MAC addresses) except for operational security purposes;
  • obtain explicit consent in relation to the collection of personal data to the extent that it is not necessary to ensure the normal operation of a service; and
  • when users exit the service, cease collecting personal data and delete or anonymise the personal data collected for the service.

Again, these requirements should be treated as additional to those in other measures.

E-commerce

Under the new E-Commerce Law, which came into effect on 1 January 2019, e-commerce operators are required to delete a user’s personal data if he or she cancels his or her account – unless the terms and conditions of the site allow retention for a longer period.

In addition to the obligations on all network operators under the CSL, e-commerce providers must also implement specific technical measures to ensure the security and normal operation of an e-commerce network and to respond effectively to cyber incidents. They must also prepare emergency response plans to manage incidents and report the incidents to the competent authority.

Direct marketing

The Consumer Protection Law (revised with effect on 25 March 2014) prohibits businesses from sending commercial information to consumers that they have not requested or consented to receiving, or if they have expressly objected to receiving the direct marketing.

The Measures for the Administration of Email Services (effective 30 March 2006) prohibit the sending of any email containing commercial advertisements without the recipient’s clear consent, and including the word ‘Ad’ or the Chinese word for ‘advertisement’ in the email subject. If a recipient subsequently opts out from receiving commercial advertisements, the sender must cease sending them.

In conjunction with the E-Commerce Law, the draft amendments to the PI Security Specification will require e-commerce providers to clearly mark their targeted advertising content as ‘personalised display’ (ie, personalised content or search results based on analysis of the individual users’ browsing history, interests, transaction records or behaviour patterns) and provide an ‘opt-out’ mechanism for users.

Penalties

Penalties for infringements of the core data protection provisions of the CSL may include a fine of up to 10 times the amount of unlawful gains or a fine of up to 1 million yuan. Persons in charge of data protection compliance within an organisation, and other responsible individuals, may be separately subject to a fine of between 10,000 and 100,000 yuan, or between 50,000 and 500,000 yuan for serious cases.

The Interpretations of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues concerning the Application of Law in the Handling of Criminal Cases Involving Infringement of Citizens’ Personal Information (effective 1 June 2018) set out certain circumstances in which the unauthorised collection, transfer or receipt of personal data will constitute a criminal offence under the PRC Criminal Law, and the associated penalties.

For example, the establishment of websites or communication groups for obtaining, selling or transferring personal data can be punished upon conviction by a fine of up to five times the illegal proceeds, and imprisonment for up to three years. A person convicted of illegally obtaining personal data concerning communication records, health information or credit or asset information can be punished by a fine of up to five times the illegal proceeds and imprisonment for up to seven years.

Enforcement landscape

The enforcement landscape under the CSL is still emerging. But in general, enforcement by the central regulatory authorities has been primarily campaign based up to now, rather than incident based.

For example, in one of the first regulatory actions in 2017, the CAC, MIIT, MPS and TC260 reviewed the privacy policies of 10 of the largest technology companies in China, and issued several with remediation notices. The CAC called in more than 100 domestic providers of Wi-Fi services in May 2018 for face-to-face meetings at which it set out its expectations for the transparency of data collection and use practices.

In November 2018, the MIIT ordered the removal of all mobile apps that illegally collected personal data after conducting a nationwide investigation. Following a random investigation of 65 different online services, it also ordered 12 companies to disclose their privacy policies and other rules on the collection and use of personal data, and ordered another seven companies (including several tech giants) to establish internal policies on data collection, sharing and destruction.

In a similar fashion, the current regulatory focus on apps has culminated in an inspection of hundreds of popular apps as well as 50 major internet companies and the three national telecommunications companies between July and October 2019.
