Key statutes, regulations and adopted international standards
There is no unified privacy and data protection law in China, but the legal regime mainly comprises:
- the Cybersecurity Law (CSL);
- the National Security Law;
- the Anti-Terrorism Law;
- the General Rules of the Civil Law;
- the Criminal Law;
- the Law on the Protection of Rights and Interests of Consumers;
- the Tort Law;
- Provisions on the Security Management of Personal Information of Users of Posting and Delivering Services;
- Provisions on Regulating the Order of the Internet Information Service Market; and
- Provisions on Protecting the Personal Information of Telecommunications and Internet Users.
China’s legal regime on privacy and data protection also includes judicial interpretations made by the Supreme People’s Court or the Supreme People’s Procuratorate, such as the ‘Interpretation of several issues regarding the application of law to criminal cases of infringement of citizens’ personal information handled by the Supreme People’s Court and the Supreme People’s Procuratorate’; and the ‘Provisions of the Supreme People’s Court on the application of law to cases involving civil disputes over infringement of personal rights and interests by using information networks’.
Privacy and data protection standards
National standards are another key part of the privacy and data protection legal regime in China. In spite of their lack of compulsory effect, implementing these specific rules is generally regarded as good practice. Regulatory authorities may also refer to these national standards in their enforcement activities. These standards mainly include:
- the Personal Information Security Specification (the Specification);
- the Risk-Assessment Specification for Information Security (draft for comment);
- the Guidelines for Personal Information Protection within Information Systems for Public and Commercial Services;
- the Guidelines for Cross-Border Data Transfer Security Assessment (draft for comment);
- the Guidelines for De-Identification of Personal Information (draft for comment);
- the Guidelines for Personal Information Security Impact Assessment (draft for comment); and
- the Security Requirements for Data-Exchange Services (draft for comment).
China has not yet concluded any international data protection framework or agreements.
China has not yet established a designated data protection authority. The following regulatory authorities have supervision and enforcement responsibilities according to their respective scope of authority:
- the Cyberspace Administration of China (CAC) and its local offices;
- the Ministry of Public Security (MPS) and its local offices;
- the Ministry of Industry and Information Technology (MIIT) and its local offices;
- various industry authorities and their respective local offices; and
- relevant departments of local governments at or above the county level.
According to the CSL, the CAC is responsible for the overall planning and coordination of cybersecurity work and relevant supervision and administration work; the MIIT, MPS and other industry authorities are responsible for protecting, supervising and administering cybersecurity within the scope of their respective responsibilities in accordance with the CSL and other relevant laws and administrative regulations. Relevant departments of the local governments at or above the county level are also responsible for cybersecurity and data protection matters according to the authorisation by relevant laws and regulations.
The effect of local laws on foreign business
Foreign companies doing business in China face increasingly complex data privacy requirements. Although the CSL only sets out some high-level data privacy requirements, which appear to be relatively loose and easy to follow, companies also have to pay close attention to the various national standards (even though they have no legally binding effect) as well as the various formal and informal guidelines issued by the government or its affiliated institutions, because such national standards and guidelines are generally regarded as ‘good practice’ documents recommended by the government.
Foreign companies also need to pay close attention to the various campaigns launched by the government against the wrongful or unlawful collection and processing of personal information, and correct their data handling practices and the privacy policies of their websites and apps accordingly, failing which they may be penalised and suffer reputational damage.
See ‘China: Data Localisation’, ‘The effect of local laws on foreign business’ in this book.
Core principles on personal data
The CSL provides that network operators must abide by ‘lawful, justifiable and necessary’ principles to collect and use personal data by clearly stating the purposes for and scope of collection and use of this data, and the methods used to obtain such data. Network operators must also obtain the consent of the individual affected.
According to the Specification, the basic principles for personal information protection include:
- Consistency between rights and liabilities: the data controller must bear liabilities for any damage caused by its activities of processing personal information to the legal rights and interests of personal information subjects.
- Clear purposes: the data controller must have lawful, justified, necessary and clear purposes in processing personal information.
- Solicitation for consent: the data controller must explicitly specify the purposes, manner, scope and rules of its processing of personal information, and seek the authorisation and consent of the personal information subjects.
- Minimum sufficiency: the data controller must process the minimum categories and amount of personal information necessary for achieving the purposes authorised and consented to by personal information subjects, unless otherwise agreed with personal information subjects. It shall delete the personal information in a timely manner as agreed once these purposes are achieved.
- Openness and transparency: the data controller must make public the scope, purposes, rules, etc, in respect of the processing of personal information in an explicit, easily understandable and reasonable manner, and accept public oversight.
- Guarantee of security: the data controller must be capable of ensuring a degree of security commensurate with the security risks it faces, and take sufficient management measures and technological approaches to safeguard the confidentiality, integrity and availability of personal information.
- Involvement of personal information subjects: the data controller must provide personal information subjects with opportunities to access, modify and delete their own personal information, and to withdraw their consent and cancel their own account.
Automated processing, profiling and data analytics
Under Chinese law, there are no comprehensive rules governing the use of automated processing, profiling and data analytics. In the area of e-commerce, the E-Commerce Law provides that e-commerce businesses that provide customers with search results for goods and services based on consumers’ preferences must also offer options that have not been customised and targeted, so as to ‘respect and equally protect the legitimate rights and interests of consumers’.
The Specification is more specific:
The Specification also provides that, if a decision that will have a dramatic impact on an individual’s rights is made pursuant to the information system’s automated decision-making (eg, determining the subject’s credit status based on user profiling), the data controller ‘shall make it possible for the personal information subject to lodge a complaint’.
Communications and marketing
The Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection requires that no organisation or individual may send commercial electronic information to the fixed-line telephone, mobile telephone or email inbox of an individual unless the recipient has agreed or made a request, or where the recipient has explicitly expressed his or her rejection. Further, the Advertising Law provides that ‘no organisation or individual shall, without obtaining the consent or request of the party concerned, distribute advertisements to the party’s residence, transportation vehicle, etc., or distribute advertisements to them via electronic means.’ It goes on to say that any advertisement distributed electronically must state the identity and contact details of its source, and offer the recipient the opportunity to decline any future correspondence. The Law on the Protection of Rights and Interests of Consumers also provides that business operators must not send ‘commercial information’ to consumers without their consent.
In addition to the above laws, the MIIT, both independently and jointly with other departments, launched a campaign in 2018 to tackle unsolicited ‘harassment calls’.
As for the right of the individual, the CSL provides that each individual is entitled to have his or her information deleted by a data controller upon request if he or she finds that the collection of the data violates the law, administrative regulations or the agreement held between the data controller and subject. Further, the CSL states that the individual is entitled to make corrections to his or her data if errors are found by contacting the network operator that has collected and stored this information. The network operator must then take measures to either delete or correct the error.
The Specification provides more detailed guidance in relation to the right of data subjects, including:
- access to personal information;
- modification of personal information;
- deletion of personal information;
- data subjects’ withdrawal of consent;
- data subjects’ cancellation of accounts; and
- data subjects’ request for copies of personal information.
The role of the data protection officer
Chinese law has no universal requirement that companies must appoint a data protection officer (DPO). However, the CSL provides that the network operators should determine the persons responsible for cybersecurity and implement the responsibility for cybersecurity protection.
The Specification recommends that a DPO should be appointed, and provides that:
- a data controller must make clear that its legal representative or the chief in charge of the controller shall undertake the overall leadership responsibility for personal information, including guaranteeing the human resources, financial resources and materials needed for the work to ensure data security;
- a data controller must appoint a head in charge of data protection and set up an agency in charge of data protection;
- a data controller must have in place a full-time head exclusively in charge of data protection and set up an agency specifically in charge of data protection that will undertake the work concerning personal information security if the controller meets either of the following conditions:
  - its major business involves the processing of personal information and it employs more than 200 practitioners; or
  - it processes the personal information of more than 500,000 individuals, or is expected to process the personal information of more than 500,000 individuals within 12 months.
Data protection breaches
If an entity’s conduct may endanger the protection of personal information, the CAC and other authorities may, depending on the seriousness of the conduct, summon the entity to a meeting and request that it correct or improve its practices, or may initiate a formal investigation.
If an entity is deemed to have breached the relevant data protection rules under the CSL, the competent authorities may order the entity to make rectification and it may be subject to one or more of the following penalties, depending on the severity of the circumstances:
- confiscation of illegal earnings;
- a fine of between one and 10 times the illegal earnings, or a fine of up to 1 million Chinese yuan if there are no illegal earnings;
- a fine of up to 100,000 yuan for the person directly in charge and other directly liable persons; or
- suspension of related business, winding up for rectification, shutdown of website and revocation of business licence of such entity.
If the breach is severe and constitutes a criminal offence, it may attract criminal liability in the form of fixed-term imprisonment of not more than seven years, criminal detention or a fine.
There are no specific provisions in Chinese laws and regulations regarding surveillance in the workplace. Such monitoring is generally considered to fall within the enterprise’s scope of business autonomy, which gives it a certain legitimacy. In China, it is not uncommon for companies to capture images of employees through cameras, collect employees’ fingerprints through attendance machines, or obtain employees’ locations through app location functions, which often involves the collection of sensitive employee information (whereabouts and movement tracks, biometric information, etc).
Nevertheless, enterprises should ensure that the above-mentioned monitoring measures, as well as the employee information they collect, are for a legitimate purpose and are necessary for business operations, and avoid collecting or monitoring any employee information during non-working hours and outside the workplace. In addition, according to those privacy protection principles under Chinese law, the type, purpose, manner of collection and protective measures of the information collected should be notified to the employee, and the employee’s written consent should be obtained.
Since its promulgation, the CSL has exerted great influence over China’s cybersecurity and data protection practice.
China has launched a number of enforcement campaigns against the unlawful or unreasonable collection or misuse of personal information, such as:
- In January 2018, the MIIT, in response to violations of users’ privacy by certain mobile phone apps, interviewed Baidu, Alipay and Toutiao, requiring the three enterprises to rectify their practices and protect users’ rights to know and to choose.
- In November 2018, the China Consumers Association released the Assessment Report on the Collection of Personal Information by 100 Apps and their Privacy Policies.
After the official implementation of the CSL, a number of enterprises were punished for their failure to perform network security protection obligations or for data leakage, such as:
- In May 2018, a company in Yunnan province was warned and fined by the public security organ for failing to take technical measures to prevent computer viruses, cyber attacks, network intrusions and other harmful behaviour.
- In July 2018, Datatang, a well-known domestic data company, was investigated for infringing on large volumes of citizens’ personal information.
- In August 2018, the domestic hotel group Huazhu was found to have suffered a data breach, with a large number of guests’ personal information leaked and sold online. The suspects were arrested.
Updates and trends
China is drafting a unified Personal Information Protection Law and Data Security Law, both of which are expected to be issued in a few years. Accordingly, China is expected to have a more systematic and consistent privacy and data protection legal regime.