Key statutes, regulations and adopted international standards
There is no unified privacy and data protection law in China, but the legal regime mainly comprises:
- the Cybersecurity Law (CSL);
- the Civil Code;
- the Personal Information Protection Law (PIPL);
- the Data Security Law (DSL);
- the National Security Law;
- the Anti-Terrorism Law;
- the Criminal Law;
- the Law on the Protection of Rights and Interests of Consumers;
- Provisions on the Security Management of Personal Information of Users of Posting and Delivering Services;
- Provisions on Regulating the Order of the Internet Information Service Market; and
- Provisions on Protecting the Personal Information of Telecommunications and Internet Users.
China’s legal regime on privacy and data protection also includes judicial interpretations made by the Supreme People’s Court or the Supreme People’s Procuratorate, such as the ‘Interpretation of several issues regarding the application of law to criminal cases of infringement of citizens’ personal information handled by the Supreme People’s Court and the Supreme People’s Procuratorate’; and the ‘Provisions of the Supreme People’s Court on the application of law to cases involving civil disputes over infringement of personal rights and interests by using information networks’.
Privacy and data protection standards
National standards are another key part of the privacy and data protection legal regime in China. In spite of their lack of compulsory effect, implementing these specific rules is generally regarded as good practice. Regulatory authorities may also refer to these national standards in their enforcement activities. These standards mainly include:
- the Personal Information Security Specification (the Specification);
- the Guidelines for Personal Information Notices and Consent (draft for comment);
- the Basic Specification for Collecting Personal Information in Mobile Internet Applications (draft);
- the Guidelines for Personal Information Security Impact Assessment;
- the Guidelines for Personal Information Protection within Information Systems for Public and Commercial Services;
- the Guidelines for Cross-Border Data Transfer Security Assessment (draft for comment);
- the Guidelines for De-Identification of Personal Information; and
- the Security Requirements for Data-Exchange Services.
China has not yet concluded any international data protection framework or agreements.
China has not yet established a designated data protection authority. The following regulatory authorities have supervision and enforcement responsibilities according to their respective scope of authority:
- the Cyberspace Administration of China (CAC) and its local offices;
- the Ministry of Public Security (MPS) and its local offices;
- the Ministry of Industry and Information Technology (MIIT) and its local offices;
- various industry authorities and their respective local offices; and
- relevant departments of local governments at or above the county level.
According to the CSL, the CAC is responsible for the overall planning and coordination of cybersecurity work and relevant supervision and administration work; the MIIT, MPS and other industry authorities are responsible for protecting, supervising and administering cybersecurity within the scope of their respective responsibilities in accordance with the CSL and other relevant laws and administrative regulations. Relevant departments of the local governments at or above the county level are also responsible for cybersecurity and data protection matters according to the authorisation by relevant laws and regulations.
There are similar provisions in the PIPL, under which the CAC is responsible for the overall planning and coordination of personal information protection, and related supervision and regulation. Relevant authorities under the State Council are responsible for personal information protection, and the supervision and regulation thereof within their respective scope of duties according to the provisions of the PIPL and relevant laws and administrative regulations. The duties for personal information protection, and the supervision and management thereof to be performed by the relevant authorities at the county level or above, shall be determined according to relevant state regulations.
The effect of local laws on foreign business
Foreign companies doing business in China face increasingly complex data privacy requirements. Although the CSL only sets out some high-level data privacy requirements, which appear to be relatively loose and easy to follow, companies also have to pay close attention to various national standards (even though they have no legally binding effect) as well as various formal and informal guidelines issued by the government or its affiliated institutions, because such national standards and guidelines are generally regarded as ‘good practice’ documents recommended by the government.
As the PIPL has been promulgated, companies should also pay attention to its provisions and keep a close eye on its complementary guidelines and specifications.
Foreign companies also need to pay close attention to various campaigns launched by the government against the wrongful or unlawful collection and processing of personal information, and make corrections to their data processing practice and privacy policies in relation to websites and apps, failing which they may be penalised and suffer reputational damage.
See ‘China: Data Localisation’, ‘The effect of local laws on foreign business’ in this book.
Core principles on personal information (data)
The PIPL sets out several principles for processing personal information:
- Personal information processing shall be conducted in a lawful, legitimate and necessary manner and in line with the principle of good faith. Personal information shall not be processed in a fraudulent, misleading or coercive way.
- Personal information processing shall have a clear and reasonable purpose, shall be directly related to that purpose, and shall be conducted in the way that has the minimum impact on individuals’ rights and interests. Collection of personal information shall be limited to the minimum scope necessary for achieving the purpose of processing and shall not be excessive.
- Personal information processing shall be conducted in line with the principles of openness and transparency, and the rules, purposes, methods and scope of personal information processing shall be explicitly publicised.
- The quality of personal information shall be ensured when it is processed, so as to avoid any negative impact on individuals’ rights and interests caused by inaccuracy or incompleteness of the personal information processed.
- Personal information processors shall be responsible for their personal information processing activities and take necessary measures to safeguard the security of the personal information which they process.
- No organisation or individual may illegally collect, use, process, or transmit any personal information of another person, or illegally deal in, provide, or disclose any personal information of another person, or engage in any personal information processing activity that endangers national security or public interests.
The CSL provides that network operators must abide by ‘lawful, justifiable and necessary’ principles to collect and use personal information by clearly stating the purposes for and scope of collection and use of this data, and the methods used to obtain such data. Network operators must also obtain the consent of the individual affected.
The principles for personal information protection in the Civil Code are similar to those in the CSL. According to the Civil Code:
The processing of personal information shall be subject to the principle of legitimacy, rightfulness and necessity, with no excessive processing, and shall meet the following conditions:
(1) Obtaining the consent of the natural person or the guardian thereof, unless otherwise provided by laws or administrative regulations;
(2) Disclosing rules on processing information;
(3) Expressly stating the purpose, method and scope of information to be processed; and
(4) Not violating the provision of the laws and administrative regulations and the agreement of both parties.
Processing of personal information includes the collection, storage, use, processing, transmission, provision and disclosure of personal information, etc.
According to the Specification, the basic principles for personal information protection include:
- Consistency between rights and liabilities: the personal information processor shall take technical and other necessary measures to ensure the security of personal information and bear liability for any damage its personal information processing activities cause to the legal rights and interests of personal information subjects.
- Clear purposes: the personal information processor must have explicit, clear and specific purposes in processing personal information.
- Solicitation for consent: the personal information processor must explicitly specify the purposes, manners, scope and rules in respect of the processing of personal information, and seek the authorisation and consent of personal information subjects.
- Minimum sufficiency: the personal information processor must process the minimum categories and amount of personal information necessary for achieving the purposes authorised and consented to by personal information subjects. It shall delete the personal information in a timely manner as agreed once these purposes are achieved.
- Openness and transparency: the personal information processor must make public the scope, purposes, rules, etc, in respect of the processing of personal information in an explicit, easily understandable and reasonable manner, and accept public oversight.
- Guarantee of security: the personal information processor must be capable of ensuring a level of security commensurate with the security risks it faces, and take sufficient management measures and technological approaches to safeguard the confidentiality, integrity and availability of personal information.
- Involvement of personal information subjects: the personal information processor must provide personal information subjects with means of accessing, modifying and deleting their own personal information, withdrawing their consent, cancelling their own accounts and lodging complaints.
Automated processing, profiling and data analytics
Under Chinese law, there are no comprehensive rules governing the use of automated processing, profiling and data analytics. In the area of e-commerce, the E-Commerce Law provides that e-commerce businesses must provide customers with search results for goods and services based on consumers’ preferences as well as options that have not been customised and targeted, to ‘respect and equally protect the legitimate rights and interests of consumer’.
The PIPL provides certain restrictions on using automated decision-making:
- where personal information is used by personal information processors in automated decision-making, transparency of the decision-making and fairness and impartiality of the results shall be ensured, and no unreasonable differential treatment of individuals in terms of transaction prices or other transaction terms may be implemented;
- if direct business marketing or push-based information delivery is conducted toward an individual by means of automated decision-making, an option not targeted at the personal characteristics of the individual, or an easy way to refuse to receive such information, shall be provided to the individual; and
- if a decision made by a personal information processor through automated decision-making has a material impact on an individual’s rights and interests, the individual shall have the right to demand the personal information processor to provide an explanation, as well as the right to refuse the decisions made by the personal information processor solely by means of automated decision-making.
The Specification sets forth more detailed rules for profiling, restricting the personal information processor’s use of user profiling as follows:
- the description of the characteristics of the personal information subject in the user profiling should not contain:
  - obscenity, pornography, gambling, superstition, terror and violence; and
  - discrimination against ethnicity, race, religion, disability, and disease;
- user profiling used in business operations or external business cooperation should not:
  - infringe upon the legitimate rights and interests of citizens, legal persons and other organisations; and
  - endanger national security, honour and interests, incite subversion of state power and the overthrow of the socialist system, incite to split the country and destroy national unity, advocate terrorism and extremism, advocate national hatred and discrimination, disseminate violent and obscene information, fabricate and disseminate false information, and disturb economic and social order; and
- except where necessary for realising the purpose authorised and consented to by the subject of the personal information, clear identity signifiers should be eliminated when using personal information so as to avoid the accurate identification of specific individuals (eg, direct user profiling can be used to accurately evaluate personal credit status, while indirect user profiling should be used for commercial advertising purposes).
The Specification also provides that, if a decision that will have a dramatic impact on an individual’s rights is made pursuant to the information system’s automated decision-making (eg, determining the subject’s credit status based on user profiling, or the automatic screening of interviewees), the personal information processor shall:
- conduct personal information security impact assessments during the planning and design stage or before first use, and take effective measures to protect personal information subjects based on the assessment results;
- conduct regular personal information security impact assessments (at least once a year) during use, and improve measures to protect personal information subjects based on the assessment results; and
- provide personal information subjects with complaint channels for the results of automatic decision-making and support manual review of the results of automatic decision-making.
Communications and marketing
The Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection requires that no organisation or individual may send commercial electronic information to the fixed-line, mobile telephone or email inbox of an individual unless the electronic information recipient has agreed or made a request, or the recipient explicitly expresses his or her rejection. Further, the Advertising Law provides that ‘no organisation or individual shall, without obtaining the consent or request of the party concerned, distribute advertisements to the party’s residence, transportation vehicle, etc., or distribute advertisements to them via electronic means.’ It goes on to say that any advertisement distributed electronically must state the identity and contact details of its source, as well as offer the recipient the opportunity to decline any future correspondence. The Law on the Protection of Rights and Interests of Consumers also provides that business operators must not send ‘commercial information’ to consumers without their consent.
As for the rights of the individual, the PIPL provides that the individual shall have the following rights in respect of the processing of his or her personal information:
- the right to know;
- the right to decide;
- the right to restrict or refuse the processing activities;
- the right to access and copy;
- the right to request a transfer;
- the right to correct and add;
- the right to delete; and
- the right to obtain an explanation regarding the processing activity by the processor.
Under the PIPL, in the case of a deceased natural person, a close relative of the deceased may exercise the rights to access, copy, correct and delete, among others, the relevant personal information of the deceased person. The PIPL also provides that the processor must give an explanation if it refuses a request by an individual to exercise his or her rights.
The CSL provides that each individual is entitled to have his or her information deleted by a personal information processor upon request if he or she finds that the collection of the data violates the law, administrative regulations or the agreement held between the personal information processor and subject. Further, the CSL states that the individual is entitled to make corrections to his or her data if errors are found by contacting the network operator that has collected and stored this information. The network operator must then take measures to either delete or correct the error.
The Civil Code provides that:
A natural person may consult or copy his or her personal information with any information processor in accordance with the law; if any error is found in the information, the natural person has the right to raise an objection and request the information processor to take necessary measures such as corrections in a timely manner.
Where a natural person discovers that an information processor has processed his or her personal information in violation of the provisions of laws and administrative regulations or the agreement between both parties, he or she shall have the right to request that the information processor promptly delete the information.
The Specification provides more detailed guidance in relation to the rights of data subjects, which share similarities with the provisions of the PIPL, including:
- access to personal information;
- modification of personal information;
- deletion of personal information;
- data subjects’ withdrawal of consent;
- data subjects’ cancellation of accounts; and
- data subjects’ request for copies of personal information.
The role of the data protection officer
The current effective Chinese law has no universal requirement that companies must appoint a data protection officer (DPO). The CSL provides that the network operators should determine the persons responsible for cybersecurity and implement the responsibility for cybersecurity protection. The PIPL provides that a personal information processor that processes a volume of personal information above a threshold provided for by the CAC shall appoint a person in charge of personal information protection, with responsibility for, among other things, supervising personal information processing activities and protection measures. The personal information processor shall disclose the contact information of the person in charge of personal information protection, and report its name and contact information, etc, to the authorities performing personal information protection duties. However, currently the CAC does not specify the threshold of the volume of personal information required to trigger the requirement.
Apart from the provisions of the PIPL, which will come into force on 1 November 2021, the Specification recommends that a DPO should be appointed, and provides that:
- a personal information processor must make clear that its legal representative or principal person in charge undertakes overall leadership responsibility for personal information security, including guaranteeing the human resources, financial resources and materials needed for the work to ensure data security;
- a personal information processor must appoint a head in charge of data protection and set up a department in charge of data protection; and
- it must have in place a full-time head exclusively in charge of data protection and set up a department specifically in charge of data protection that will undertake the work concerning personal information security if the controller meets any of the following conditions:
  - its major business involves the processing of personal information, and it employs more than 200 practitioners;
  - it processes the personal information of more than 1 million individuals, or is expected to process the personal information of more than 1 million individuals within 12 months; or
  - it processes the sensitive personal information of more than 100,000 individuals.
Data protection breaches
Where an entity’s conduct may endanger the protection of personal information, the CAC and other authorities may, depending on the seriousness of the conduct, request a meeting with the entity and require it to correct or improve its practices, or may initiate a formal investigation.
If an entity is deemed to have breached the relevant data protection rules under the CSL, the competent authorities may order the entity to make rectification and it may be subject to one or more of the following penalties, depending on the severity of the circumstances:
- confiscation of illegal earnings;
- a fine equivalent to more than one but less than 10 times the illegal earnings, or a fine less than 1 million Chinese yuan if there are no illegal earnings;
- a fine of up to 100,000 yuan on the person directly in charge and other directly liable persons; or
- suspension of related business, winding up for rectification, shutdown of website and revocation of business licence of such entity.
If the breach is severe and constitutes a criminal offence, then it may attract the criminal liabilities of fixed-term imprisonment of not more than seven years, criminal detention or a fine.
For surveillance used in public spaces, the PIPL provides that image capturing and personal identification equipment installed in public places shall be necessary for maintaining public security, comply with relevant provisions of the state, and conspicuous prompting signs shall be installed. Personal images and the identification information collected may only be used for the purpose of maintaining public security, and may not be used for any other purpose, unless the individual’s separate consent is obtained.
For surveillance used in the workplace, there are no specific provisions in Chinese laws and regulations. It is generally considered that such monitoring behaviour falls under the enterprise’s scope of business autonomy, and is necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded, which is one of the lawful grounds of processing personal information provided for in the PIPL. In China, it is not uncommon for companies to obtain images of employees through a camera, employees’ fingerprints through attendance machines, or information about employees’ locations through app location functions, which often involves the collection of sensitive information of employees (whereabouts and tracks, biometric information, etc).
Nevertheless, enterprises should ensure that the above-mentioned monitoring measures, as well as the employee information they collect, are for a legitimate purpose and are necessary for carrying out human resources management under an employment policy legally established or a collective contract legally concluded, and avoid collecting or monitoring any employee information during non-working hours and outside the workplace. In addition, according to those privacy protection principles under Chinese law, the type, purpose, manner of collection and protective measures of the information collected and its retention period should be notified to the employee.
Since its promulgation, the CSL has exerted great influence over China’s cybersecurity and data protection practice.
China has launched a number of enforcement campaigns against the unlawful or unreasonable collection or misuse of personal information, such as:
- in January 2018, the MIIT, in response to the violation of the privacy of users by relevant mobile phone apps, interviewed Baidu, Alipay and Toutiao, requiring the three enterprises to rectify their practice and protect users’ rights to know and choose;
- in November 2018, the China Consumers Association released the Assessment Report on the Collection of Personal Information by 100 Apps and their Privacy Policies; and
After the official implementation of the CSL, a number of enterprises were punished for their failure to perform network security protection obligations or for data leakage, such as:
- in May 2018, a company in the Yunnan province was warned and fined by the public organ for failing to take technical measures to prevent computer viruses and cyberattacks, network intrusions and other harmful behaviours;
- in July 2018, Datatang, a well-known domestic data company, was investigated for infringing on huge volumes of citizens’ personal information;
- in August 2018, the domestic hotel group Huazhu was found to have suffered a data breach, with a large number of guests’ personal information leaked and sold online. The suspects were arrested; and
- in March 2020, Sina Weibo, a domestic social network giant, was interviewed by the MIIT in respect of app data leakage caused by malicious access to a user interface.
Updates and trends
With the promulgation of the CSL, DSL and PIPL, the Chinese data protection and cybersecurity legal regime is taking shape rapidly. Moreover, with the PIPL entering into force on 1 November 2021, it is expected that more detailed requirements will be provided through complementary regulations, guidelines or standards. Companies doing business in China need to keep a close eye on developments in this area to stay compliant.
Notes
- Article 8 of the CSL.
- Article 60 of the draft PIPL.
- Article 73 of the PIPL stipulates that personal information processors refer to ‘any organization or individual that independently determines the purpose and method of processing and other personal information processing matters’. This definition suggests that the term ‘personal information processor’ under the PIPL is akin to the concept of ‘data controller’ under the GDPR.
- Articles 5-10 of the PIPL.
- Article 41 of the CSL.
- Article 1035 of the Civil Code.
- The original term used in the Specification is ‘personal information controller’, which has the same meaning as ‘personal information processor’ under the PIPL and other laws and regulations.
- Article 4 of the Specification.
- Article 18 of the E-Commerce Law.
- Article 24 of the PIPL.
- Article 7.4 of the Specification.
- Article 7.7 of the Specification.
- Article 7 of the Decision of the Standing Committee of the National People’s Congress on Strengthening Network Information Protection.
- Article 43 of the Advertising Law of the PRC.
- Article 29 of the Law of the PRC on the Protection of Rights and Interests of Consumers.
- Article 43 of the CSL.
- Article 1037 of the Civil Code.
- Article 21 of the CSL.
- Article 52 of the PIPL.
- Article 11.1 of the Specification.
- Paragraph 1, article 64 of the CSL.
- Crime of Infringement on Citizens’ Personal Information, article 253(I) of the Criminal Law of the PRC.
- Article 26 of the PIPL.
- Article 13 of the PIPL.
- MIIT, ‘Information and Communications Management Bureau Interviews Related Enterprises for Strengthening Protection of Personal Information’, http://www.miit.gov.cn/n1146290/n1146402/n1146440/c6010817/content.html.
- CAC, ‘Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation Released the “Announcement on Launching Special Crackdown Campaign Against the Illegal Collection and Use of Personal Information by Apps”’, http://www.cac.gov.cn/2019-01/25/c_1124042599.htm.
- Baidu, ‘“Network Clearance 2018”: First Punishment in Yunnan for Violating Cybersecurity Law’, http://baijiahao.baidu.com/s?id=1603687566965901708&wfr=spider&for=pc.
- Sina Finance, ‘Datatang Investigated for Infringement on Citizens’ Personal Information: Data Transferred Amounts to 4000G’, http://finance.sina.com.cn/spread/thirdmarket/2018-07-10/doc-ihezpzwu8601594.shtml.
- NetEase Tech, ‘Suspected Leakage of 130 Million Users’ Data, Huazhu Turns to Police for Verification’, http://tech.163.com/18/0828/15/DQAAF0S900097U7R.html; Sohu, ‘Case of Huazhu Data Leakage Solved, With the Suspect Arrested’, http://www.sohu.com/a/254754485_114774.