Key statutes, regulations and adopted international standards
There is no unified privacy and data protection law in China, but the legal regime mainly comprises:
- the Cybersecurity Law (CSL);
- the Civil Code;
- draft Personal Information Protection Law (PIPL);
- draft Data Security Law (DSL);
- the National Security Law;
- the Anti-Terrorism Law;
- the Criminal Law;
- the Law on the Protection of Rights and Interests of Consumers;
- Provisions on the Security Management of Personal Information of Users of Posting and Delivering Services;
- Provisions on Regulating the Order of the Internet Information Service Market; and
- Provisions on Protecting the Personal Information of Telecommunications and Internet Users.
China’s legal regime on privacy and data protection also includes judicial interpretations made by the Supreme People’s Court or the Supreme People’s Procuratorate, such as the ‘Interpretation of several issues regarding the application of law to criminal cases of infringement of citizens’ personal information handled by the Supreme People’s Court and the Supreme People’s Procuratorate’; and the ‘Provisions of the Supreme People’s Court on the application of law to cases involving civil disputes over infringement of personal rights and interests by using information networks’.
Privacy and data protection standards
National standards are another key part of the privacy and data protection legal regime in China. In spite of their lack of compulsory effect, implementing these specific rules is generally regarded as good practice. Regulatory authorities may also refer to these national standards in their enforcement activities. These standards mainly include:
- the Personal Information Security Specification (the Specification);
- the Guidelines for Personal Information Notices and Consent (draft for comment);
- the Basic Specification for Collecting Personal Information in Mobile Internet Applications (draft);
- the Risk-Assessment Specification for Information Security (draft for comment);
- the Guidelines for Personal Information Protection within Information Systems for Public and Commercial Services;
- the Guidelines for Cross-Border Data Transfer Security Assessment (draft for comment);
- the Guidelines for De-Identification of Personal Information (draft for comment);
- the Guidelines for Personal Information Security Impact Assessment (draft for comment); and
- the Security Requirements for Data-Exchange Services (draft for comment).
China has not yet concluded any international data protection framework or agreements.
China has not yet established a designated data protection authority. The following regulatory authorities have supervision and enforcement responsibilities according to their respective scope of authority:
- the Cyberspace Administration of China (CAC) and its local offices;
- the Ministry of Public Security (MPS) and its local offices;
- the Ministry of Industry and Information Technology (MIIT) and its local offices;
- various industry authorities and their respective local offices; and
- relevant departments of local governments at or above the county level.
According to the CSL, the CAC is responsible for the overall planning and coordination of cybersecurity work and relevant supervision and administration work; the MIIT, MPS and other industry authorities are responsible for protecting, supervising and administering cybersecurity within the scope of their respective responsibilities in accordance with the CSL and other relevant laws and administrative regulations. Relevant departments of the local governments at or above the county level are also responsible for cybersecurity and data protection matters according to the authorisation by relevant laws and regulations.
There are similar provisions in the draft PIPL, under which the CAC is responsible for the overall planning and coordination of personal information protection, and related supervision and regulation. Relevant authorities under the State Council are responsible for personal information protection, and the supervision and regulation thereof within their respective scope of duties according to the provisions of this draft PIPL and relevant laws and administrative regulations. The duties for personal information protection, and the supervision and management thereof to be performed by the relevant authorities at the county level or above, shall be determined according to relevant state regulations.
The effect of local laws on foreign business
Foreign companies doing business in China are facing more complex data privacy requirements in China. Although the CSL only sets out some high-level data privacy requirements, which appear to be relatively loose and easy to follow, companies also have to pay close attention to various national standards (even though they have no legally binding effect) as well as various formal and informal guidelines issued by the government or their affiliated institutions, as such national standards and guidelines are generally regarded as some sorts of ‘good practice’ documents recommended by the government.
As the draft PIPL has been released, companies should also pay attention to its provisions and keep a close eye on the revision and finalisation of it.
Foreign companies also need to pay close attention to various campaigns launched by the government against the wrongful or unlawful collection and processing of personal information, and make corrections to their data handling practice and privacy policies in relation to websites and apps, failing which they may be penalised and suffer reputational damages.
See ‘China: Data Localisation’, ‘The effect of local laws on foreign business’ in this book.
Core principles on personal data
The CSL provides that network operators must abide by ‘lawful, justifiable and necessary’ principles to collect and use personal data by clearly stating the purposes for and scope of collection and use of this data, and the methods used to obtain such data. Network operators must also obtain the consent of the individual affected.
The principles for personal information protection in the Civil Code is similar to that in the CSL. According to the Civil Code:
The processing of personal information shall be subject to the principle of legitimacy, rightfulness and necessity, with no excessive processing, and shall meet the following conditions:
(1) Obtaining the consent of the natural person or the guardian thereof, unless otherwise provided by laws or administrative regulations;
(2) Disclosing rules on processing information;
(3) Expressly stating the purpose, method and scope of information to be processed; and
(4) Not violating the provision of the laws and administrative regulations and the agreement of both parties.
Processing of personal information includes the collection, storage, use, processing, transmission, provision and disclosure of personal information, etc. 
According to the Specification, the basic principles for personal information protection include:
- Consistency between rights and liabilities: the data controller shall take technical and other necessary measures to ensure the security of personal information and bear liabilities for any damage caused by its activities of processing personal information to the legal rights and interests of personal information subjects.
- Clear purposes: the data controller must have explicit, clear and specific purposes in processing personal information.
- Solicitation for consent: the data controller must explicitly specify the purposes, manners, scope and rules in respect of the processing of personal information, and seek their authority and consent.
- Minimum sufficiency: the data controller must process the minimum categories and amount of personal information necessary for achieving the purposes authorised and consented to by personal information subjects. It shall delete the personal information in a timely manner as agreed once these purposes are achieved.
- Openness and transparency: the data controller must make public the scope, purposes, rules, etc, in respect of the processing of personal information in an explicit, easily understandable and reasonable manner, and accept public oversight.
- Guarantee of security: the data controller must be capable of ensuring the security of a certain degree corresponding to the security risks it faces, and take sufficient management measures and technological approaches to safeguard the confidentiality, completeness and availability of personal information.
- Involvement of personal information subjects: the data controller must provide personal information subjects with methods of accesssing, modifying and deleting their own personal information, and withdrawing their consent and cancelling their own account and making complaints.
The draft PIPL also sets out the principles for processing personal data:
- Personal information processing shall be conducted in a legal and legitimate manner and in line with the principle of good faith. Personal information shall not be processed in a fraudulent or misleading way.
- Personal information processing shall have a clear and reasonable purpose and shall be limited to the minimum scope required for achieving the purpose of processing. Any personal information processing that is irrelevant to the purpose of processing shall not be conducted.
- Personal information processing shall be conducted in line with the principles of openness and transparency, and the rules on personal information processing shall be explicitly publicised.
- In order to achieve the purpose of processing, personal information to be processed shall be accurate and updated in a timely manner.
- Personal information processors shall be responsible for their personal information processing activities and take necessary measures to safeguard the security of the personal information which they process.
- No organisation or individual may process personal information in violation of the provisions of laws or administrative regulations, or engage in personal information processing activities that endanger national security or public interests.
Automated processing, profiling and data analytics
Under Chinese law, there are no comprehensive rules governing the use of automated processing, profiling and data analytics. In the area of e-commerce, the E-Commerce Law provides that e-commerce businesses must provide customers with search results for goods and services based on consumers’ preferences as well as options that have not been customised and targeted, to ‘respect and equally protect the legitimate rights and interests of consumer’.
The Specification is more specific. It provides that restrictions on the use of user profiling for the data controller include:
- the description of the characteristics of the personal information subject in the user profiling should not contain:
- obscenity, pornography, gambling, superstition, terror and violence; and
- discrimination against ethnicity, race, religion, disability, and disease;
- user profiling used in business operations or external business cooperation should not:
- infringe upon the legitimate rights and interests of citizens, legal persons and other organisations;
- endanger national security, honour and interests, incite subversion of state power and the overthrow of the socialist system, incite to split the country and destroy national unity, advocate terrorism and extremism, advocate national hatred and discrimination, disseminate violent and obscene information, fabricate and disseminate false information, and disturb economic and social order; and
- except for being necessary for realising the purpose authorised and consented to by the subject of the personal information, clear identity signifiers should be eliminated when using personal information to avoid the accurate identification of specific individuals (eg, to accurately evaluate personal credit status, direct user profiling can be used, while indirect user profile should be used for commercial advertising purposes).
The Specification also provides that, if a decision that will have a dramatic impact on an individual’s rights is made pursuant to the information system’s automated decision-making (eg, determining the subject’s credit status based on user profiling or for automatic screening of interviewers), the data controller shall:
- conduct personal information security impact assessments during the planning and design stage or before first use, and take effective measures to protect personal information subjects based on the assessment results;
- conduct regular personal information security impact assessments (at least once a year) during use, and improve measures to protect personal information subjects based on the assessment results; and
- provide personal information subjects with complaint channels for the results of automatic decision-making and support manual review of the results of automatic decision-making.
The draft PIPL also provides the restrictions on using automated decision-making:
- When using personal information to conduct automated decision-making, personal information processors shall guarantee the transparency of their decision-making and the fairness and reasonability of their processing results. If an individual considers that an automated decision has a material impact on his or her rights and interests, he or she has the right to require the relevant personal information processor to give an explanation and may prevent the personal information processor from making decisions only by means of automated decision-making.
- When conducting business marketing and information delivery through automated decision-making, personal information processors shall simultaneously provide the option to not target personal characteristics of an individual.
Communications and marketing
The Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection requires that no organisation or individual may send commercial electronic information to the fixed-line, mobile telephone or email inbox of an individual unless the electronic information recipient has agreed or made a request, or the recipient explicitly expresses his or her rejection. Further, the Advertising Law provides that ‘no organisation or individual shall, without obtaining the consent or request of the party concerned, distribute advertisements to the party’s residence, transportation vehicle, etc., or distribute advertisements to them via electronic means.’ It goes on to say that any advertisement distributed electronically must state the identity and contact details of its source, as well as offer the recipient the opportunity to decline any future correspondence. The Law on the Protection of Rights and Interests of Consumers also provides that business operators must not send ‘commercial information’ to consumers without their consent.
In addition to the above laws, the MIIT, independently and jointly with other departments, has launched campaign to tackle unsolicited ‘harassment calls’ in 2018.
As for the right of the individual, the CSL provides that each individual is entitled to have his or her information deleted by a data controller upon request if he or she finds that the collection of the data violates the law, administrative regulations or the agreement held between the data controller and subject. Further, the CSL states that the individual is entitled to make corrections to his or her data if errors are found by contacting the network operator that has collected and stored this information. The network operator must then take measures to either delete or correct the error.
The Civil Code provides that:
A natural person may consult or copy his or her personal information with any information processor in accordance with the law; if any error is found in the information, the natural person has the right to raise an objection and request the information processor to take necessary measures such as corrections in a timely manner.
Where a natural person discovers that an information processor has processed his or her personal information in violation of the provisions of laws and administrative regulations or the agreement between both parties, he or she shall have the right to request that the information processor promptly delete the information.
The Specification provides more detailed guidance in relation to the right of data subjects, including:
- access to personal information;
- modification of personal information;
- deletion of personal information;
- data subjects’ withdrawal of consent;
- data subjects’ cancellation of accounts; and
- data subjects’ request for copies of personal information.
The draft PIPL shares many similarities on the rights of data subjects with the Specification. It provides that the individual shall have the following rights in respect of the processing of his or her personal information:
- the right to know;
- the right to decide;
- the right to restrict or refuse the processing activities;
- the right to access and copy;
- the right to correct and add;
- the right to delete; and
- the right to obtain an explanation regarding the processing activity by the processor.
The draft PIPL also provides that an explanation is needed if the processor refuses to help individuals exercise their rights.
The role of the data protection officer
The current effective Chinese law has no universal requirement that companies must appoint a data protection officer (DPO). However, the CSL provides that the network operators should determine the persons responsible for cybersecurity and implement the responsibility for cybersecurity protection. However, the draft PIPL provides that a personal information processor that processes a volume of personal information above a threshold provided for by the CAC shall appoint a person in charge of personal information protection, with responsibility for, among other things, supervising personal information processing activities and protection measures. The personal information processor shall disclose the name and contact information, etc, of the person in charge of personal information protection, and report that information to the authorities performing personal information protection duties. However, currently the CAC does not specify the threshold of the volume of personal information required to trigger the requirement.
Apart from the provisions of the draft PIPL, which is not yet in legal force, the Specification recommends that a DPO should be appointed, and provides that:
- a data controller must make clear that its legal representative or the chief in charge of the controller shall undertake the overall leadership responsibility for personal information, including guaranteeing the human resources, financial resources and materials needed for the work to ensure data security;
- a data controller must appoint a head in charge of data protection and set up an agency in charge of data protection; and
- it must have in place a full-time head exclusively in charge of data protection and set up an agency specifically in charge of data protection that will undertake the work concerning personal information security if the controller encounters any of the following conditions:
- its major business involves the processing of personal information, and has employed practitioners of over 200;
- it processes the personal information from more than 1 million individuals, or is expected to process the personal information of more than 1 million individuals in 12 months; or
- it processes the personal sensitive information of more than 100,000 individuals.
Data protection breaches
If there are some undesirable acts of entities that may endanger the protection of personal information, depending on the seriousness of the acts, the CAC and other authorities may request to meet with these entities and request them to correct or improve their practices, or may initiate a formal investigation.
If an entity is deemed to have breached the relevant data protection rules under the CSL, the competent authorities may order the entity to make rectification and it may be subject to one or more of the following penalties, depending on the severity of the circumstances:
- confiscation of illegal earnings;
- a fine equivalent to more than one but less than 10 times the illegal earnings, or a fine less than 1 million Chinese yuan if there are no illegal earnings;
- the person directly in charge and other directly liable persons subject to a fine up to 100,000 yuan; or
- suspension of related business, winding up for rectification, shutdown of website and revocation of business licence of such entity.
If the breach is severe and constitutes a criminal offence, then it may attract the criminal liabilities of fixed-term imprisonment of not more than seven years, criminal detention or a fine.
There are no specific provisions in Chinese laws and regulations regarding surveillance in the workplace. It is generally considered that such monitoring behaviour falls under the enterprise’s scope of business autonomy, which has certain legitimacy. In China, it is not uncommon for companies to obtain images of employees through a camera, employees’ fingerprints through attendance machines, or information about employees’ locations through app location functions, which often involves the collection of sensitive information of employees (whereabouts and tracks, biometric information, etc).
However, the draft PIPL provides that image capturing and personal identification equipment installed in public places shall be necessary for maintaining public security, comply with relevant provisions of the state, and conspicuous prompting signs shall be installed. Personal images and the identity information collected may only be used for the purpose of maintaining public security, and may not be publicised or provided to others, unless the individual’s consent is obtained, or it is otherwise required by laws and administrative regulations.
Nevertheless, enterprises should ensure that the above-mentioned monitoring measures, as well as the employee information they collect, are for a legitimate purpose and are necessary for business operations, and avoid collecting or monitoring any employee information during non-working hours and outside the workplace. In addition, according to those privacy protection principles under Chinese law, the type, purpose, manner of collection and protective measures of the information collected should be notified to the employee, and the employee’s written consent should be obtained.
Since its promulgation, the CSL has exerted great influence over China’s cybersecurity and data protection practice.
China has launched a number of enforcement campaigns against the unlawful or unreasonable collection or misuse of personal information, such as:
- In January 2018, the MIIT, in response to the violation of the privacy of users by relevant mobile phone apps, interviewed Baidu, Alipay and Toutiao, requiring the three enterprises to rectify their practice and protect users’ rights to know and choose.
- In November 2018, the China Consumers Association released the Assessment Report on the Collection of Personal Information by 100 Apps and their Privacy Policies.
After the official implementation of the CSL, a number of enterprises were punished for their failure to perform network security protection obligations or for data leakage, such as:
- In May 2018, a company in the Yunnan province was warned and fined by the public organ for failing to take technical measures to prevent computer viruses and cyber attacks, network intrusions and other harmful behaviours.
- In July 2018, Datatang, a well-known domestic data company, was investigated for infringing huge volumes of citizen’s personal information.
- In August 2018, the domestic hotel Huazhu was found to have had a data breach, with a large number of residents’ personal information leaked and sold online. The suspects were arrested.
- In March 2020, Sina Weibo, a domestic social network giant, was interviewed by the MIIT in respect of App data leakage caused by malicious access to user interface.
Updates and trends
With the promulgation of the CSL, the Chinese data protection and cybersecurity legal regime has taken shape rapidly. The draft DSL and draft PIPL have been published to solicit public opinions, which are expected to be passed soon and will provide more detailed requirements on privacy and data protection. Companies doing business in China need to keep a close eye on developments in this area to stay compliant.
1 The Specification cited in this chapter refers to the revised version that will take effect on 1 October 2020.
2 Article 8 of the CSL.
3 Article 56 of the draft PIPL.
4 Article 41 of the CSL.
5 Article 1035 of the Civil Code.
6 Article 4 of the Specification.
7 Article 5-10 of the draft PIPL.
8 Article 18 of the E-Commerce Law.
9 Article 7.4 of the Specification.
10 Article 7.7 of the Specification.
11 Article 25 of the draft PIPL.
12 Article 7 of the Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection.
13 Article 43 of the Advertising Law of the PRC.
14 Article 29 of the Law of the PRC on the Protection of Rights and Interests of Consumers.
15 MIIT, ‘13 Authorities Released the Circular on Campaign Plans on Comprehensively Cracking Down Harassment Calls’, http://www.miit.gov.cn/n1146295/n1652858/n1652930/n3757020/c6283079/content.html; MIIT, ‘MIIT Office Released the Circular on Pushing Forward the Work Plans on Comprehensively Cracking Down Harassment Calls’, http://www.miit.gov.cn/n1146295/n1652858/n1652930/n3757020/c6466600/content.html.
16 Article 43 of the CSL.
17 Article 1037 of the Civil Code.
18 Article 21 of the CSL.
19 Article 51 of the draft PIPL.
20 Article 11.1 of the Specification.
21 Paragraph 1, article 64 of the CSL.
22 Crime of Infringement on Citizen’s Personal Information, article 253(I) of the Criminal Law of the PRC.
23 Article 27 of the draft PIPL.
24 MIIT, ‘Information and Communications Management Bureau Interviews Related Enterprises for Strengthening Protection of Personal Information’, www.miit.gov.cn/n1146290/n1146402/n1146440/c6010817/content.html.
26 CAC, Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation Released the ‘Announcement on Launching Special Crackdown Campaign Against the Illegal Collection and Use of Personal Information by Apps’, www.cac.gov.cn/2019-01/25/c_1124042599.htm.
27 Baidu, ‘“Network Clearance 2018”: First Punishment in Yunnan for Violating Cybersecurity Law’, http://baijiahao.baidu.com/s?id=1603687566965901708&wfr=spider&for=pc.
28 Sina Finance, ‘Datatang investigated for Infringement on Citizens’ Personal Information: Data Transferred amounts to 4000G’, http://finance.sina.com.cn/spread/thirdmarket/2018-07-10/doc-ihezpzwu8601594.shtml.
29 NetEase Tech, ‘Suspected Leakage of 130 Million Users’ Data, Huazhu Turns to Police for Verification’, http://tech.163.com/18/0828/15/DQAAF0S900097U7R.html; Sohu, ‘Case of Huazhu Data Leakage Solved, With the Suspect Arrested’, www.sohu.com/a/254754485_114774.