China: Privacy

This is an Insight article, written by a selected partner as part of GDR's co-published content.

Legal framework of personal information protection in China

The Personal Information Protection Law of the People’s Republic of China (PIPL), which became effective on 1 November 2021, is the first comprehensive, omnibus legislation on personal information protection in the People’s Republic of China (China).[1] The PIPL regulates the collection, use, storage, transfer, provision, disclosure and deletion of personal information concerning individuals in China. In addition to the PIPL, China’s current data protection regime also includes various implementing regulations, measures and sectoral rules issued by a range of Chinese authorities.

The right to privacy of correspondence is a constitutional right under China’s Constitution; interference with this right is permitted only in the course of criminal investigations or national security-related investigations conducted by the police or prosecutors in accordance with prescribed procedures.

In addition to the PIPL, China’s privacy and data protection legal framework consists of three suites of laws and regulations:

  • civil law: the Civil Code, which confers and protects the legitimate rights and interests of individuals concerning their personal information, as well as allowing data subjects in China to bring claims against organisations and individuals who unlawfully collect or process their personal information;
  • administrative law: aside from the PIPL, which imposes prescriptive requirements on personal information processing activities, key legislation includes the Cyber Security Law (CSL), which requires network operators to adopt technical and managerial measures to protect the personal information contained in their IT systems, and the Data Security Law (DSL), which requires data processors to classify and grade their data (including personal information) and take security measures accordingly; and
  • criminal law: article 253A of the Criminal Law of the People’s Republic of China (amended and effective on 1 March 2021) and the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues regarding Legal Application in Criminal Cases Infringing upon the Personal Information of Citizens, which criminalise certain activities that seriously infringe the right to personal information protection.

Various judicial interpretations and sectoral administrative rules on privacy and personal information protection in specific scenarios have also been developed and enforced, such as the following (in chronological order):

  • the Provisions on Relevant Issues on the Application of Laws in Hearing Civil Cases Related to the Application of Facial Recognition Technology in Processing Personal Information;
  • the Provision for the Scope of Necessary Personal Information for Usual Types of Apps;
  • the Rules for Determining Illegal and Non-Compliant Collection and Use of Personal Information on Apps;
  • the Provisions on the Protection of Minors’ Online Personal Information; and
  • the Provisions on the Protection of Personal Information Concerning Telecommunications and Internet Users.

Many recommended national standards have important reference value for compliance purposes, as they reflect the Chinese authorities’ expectations of the privacy protection best practices that companies should follow. From time to time, the authorities incorporate part or all of a standard into sectoral administrative rules, so that the incorporated portion becomes mandatory. Under the personal information protection regime, a number of these national standards have been issued to clarify or specify the compliance requirements set out in the formal legal sources. The critical national standards include (in chronological order):

  • GB/T 41391-2022 Information Security Technology – Basic Requirements for Collection of Personal Information by Mobile Applications (implemented on 1 November 2022);
  • GB/T 39335-2020 Information Security Technology – Guidance for Personal Information Security Impact Assessment (implemented on 1 June 2021);
  • GB/T 35273-2020 Information Security Technology – Personal Information Security Specification (the PI Security Specification, implemented on 1 October 2020); and
  • GB/T 37964-2019 Information Security Technology – Guidelines for De-identification of Personal Information (implemented on 1 March 2020).

China has also recognised certain international standards by transposing the relevant rules into national standards. For example, Information Technology – Security Techniques – Information Security Management Systems – Requirements (ISO/IEC 27001) has been localised by the Chinese government as GB/T 22080-2016 on an equivalent substitution basis.

Regulators of the Chinese data protection regime

There is no omnibus data protection authority in China, and the Chinese government has reached internal consensus that no single regulator in China can address all data-related issues and concerns.

For now, the PIPL and other data protection-related legislation are primarily administered by the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS) and the State Administration for Market Supervision (SAMR).

  • The CAC is authorised by the PIPL, the DSL and the CSL to take charge of regulation and supervision of cybersecurity, data security and personal information protection in both public and private sectors. The CAC is leading and coordinating with other ministries on rule-making and law enforcement actions related to personal information protection. For example, the CAC is mandated to lead the government-led security assessment for cross-border transfer of data.
  • The MIIT is responsible for regulating industrial and telecommunications licensing schemes, so the protection of personal information was part of its remit long before the passage of the CSL. The MIIT and its local branches have been some of the most active regulators, launching enforcement campaigns to identify privacy issues and data security issues in mobile apps with a focus on technical aspects.
  • The MPS actively enforces data protection and criminal law against illegal collection and offering of personal information, regularly checks on network operators’ cybersecurity compliance in accordance with the CSL and administers the multiple-level protection scheme for information systems in China.
  • The SAMR is responsible for consumer protection, which includes but is not limited to consumer personal information protection.

Various sectoral regulators may also make rules to address personal information protection issues within their sectors, as prescribed by applicable laws or regulations. For example, the People’s Bank of China and the China Banking and Insurance Regulatory Commission regulate banking and financial institutions; the China Securities Regulatory Commission regulates securities companies and listed companies, among others; and the National Health Commission regulates the healthcare and medical sector.

Effect of local laws on foreign businesses

Similar to the EU’s General Data Protection Regulation (GDPR), the PIPL applies extraterritorially to the processing of personal information of data subjects in China that takes place outside China, where such processing is:

  • for the purpose of provision of goods or services to data subjects who are physically in China;
  • for analysing or assessing the behaviour of data subjects who are physically in China; or
  • in other circumstances as provided by Chinese laws and regulations.

It is not clear whether Chinese authorities will apply the ‘targeting criterion’ when interpreting the extraterritorial application of the PIPL. Foreign companies should assess any processing of personal information concerning individuals in China, whether intentionally or inadvertently, given the potential application of the PIPL.

Foreign personal information handlers (PI handlers) that are subject to the extraterritorial effect of the PIPL are required to appoint a representative in China who is responsible for data protection compliance and for liaising with Chinese regulators. The representative can be an entity or an individual. The relevant information about the local representative must be filed with the competent authorities; however, for the time being there is no guidance on how to make such a filing.

Data processing principles

The Civil Code, the DSL and the PIPL set forth several core principles and requirements for processing personal information, which PI handlers in China must abide by. Any personal information processing activity that violates the data protection principles will be a violation of the PIPL.

Lawfulness

PI handlers should have a legal basis for their specific processing of personal information. The PIPL allows companies to choose from several lawful bases other than ‘consent’, including where such processing:

  • is necessary for the conclusion or performance of a contract to which the data subject is a party, or necessary for human resources management according to lawfully formulated employment-related company policies and collective agreements;
  • is necessary for discharging legal responsibilities or obligations;
  • is required for public health purposes or the protection of the life, health and property safety of people in emergencies;
  • is reasonably in the public interest, for the purposes, for example, of news, journalism and public supervision;
  • involves personal information that has been made public either by the data subjects themselves or by other lawful means, within reasonable and permissible bounds; or
  • is permitted by other circumstances provided by laws and regulations.

A separate consent from the data subjects, which is a higher standard of consent, is required in certain specific circumstances, such as the provision of personal information to third parties, the processing of sensitive personal information and the cross-border transfer of personal information. For example, pursuant to article 26 of the PIPL, if a PI handler collects people’s images or identification information in public spaces, the PI handler must first obtain the individual’s separate consent if it intends to use that personal information for any purpose other than maintaining public security.

Nevertheless, where the processing relies on non-consent legal bases such as contractual necessity, the separate consent requirements that are scattered in various provisions of the PIPL arguably would not apply.

Transparency

Both the PIPL and the Civil Code require a privacy notice to be provided to relevant individuals before processing their personal information.

Pursuant to article 17 of the PIPL, individuals must be notified of the following information in a conspicuous manner and in clear and easy-to-understand language:

  • the name and contact information of the PI handler;
  • the purpose and means of personal information processing, the categories of personal information to be processed and the retention period;
  • methods and procedures for individuals to exercise the data subject’s rights; and
  • other matters as required by the applicable laws and regulations.

In certain processing scenarios, such as the processing of sensitive personal information, the sharing of personal information with third parties and the cross-border transfer of personal information, additional information must be disclosed to the individuals concerned. For example, where a business activity involves the processing of sensitive personal information, the purpose necessitating that processing, as well as its impact on individuals’ rights and interests, must additionally be disclosed in the privacy notice.

Data minimisation

Any collection, use, transfer, provision, disclosure, processing or retention of personal information must be limited to the minimum scope or the shortest time that is necessary to fulfil the purpose for which the personal information is collected.

The PIPL sets forth strict requirements on the retention period of personal information. In any of the following circumstances, PI handlers are required to proactively delete personal information:

  • the purpose of processing has been fulfilled, cannot be fulfilled or the personal information is no longer necessary for fulfilling the purpose;
  • the PI handlers have ceased providing products or services;
  • the retention period has come to an end;
  • the consent of the individual has been withdrawn;
  • the processing of personal information by the handler is in breach of any laws, regulations or agreements; or
  • otherwise provided by laws and regulations.

Purpose limitation

The PIPL requires that personal information processing activities have a lawful, legitimate, necessary and clear processing purpose, in line with the principle of good faith. The processing must be directly related to the purpose that has been disclosed to the data subjects, must have the least possible impact on personal rights and interests, and must not be carried out through misleading, fraudulent, coercive or other improper means.

Completeness and accuracy

As required by the PIPL, the quality of personal information must be ensured during processing, to avoid any adverse impact on personal rights and interests resulting from inaccurate or incomplete personal information.

Security protection

The PIPL lays down various security and organisational requirements that must be followed by PI handlers, such as requirements on compliance auditing, data classification, record maintenance for processing activities, data protection impact assessments, data breach reporting and remedial measures that must be taken in case of data breaches, and appointment of a responsible data protection person.

The security measures under the PIPL are not exhaustively defined. PI handlers need to adopt such measures to provide a level of security appropriate to the risk of processing personal information.

Accountability

PI handlers, defined as the organisations and individuals that independently determine the purpose and means of the processing of personal information, are responsible for their personal information processing activities.

The concept of ‘PI handler’ is equivalent to that of ‘controller’ under the GDPR. In practice, a PI handler should be able to demonstrate its own compliance with the PIPL, as well as with other personal information protection rules, when facing regulatory challenges or data subject inquiries.

Similar to ‘processor’ under the GDPR, ‘entrusted party’ is the term that is used in the PIPL as the party entrusted by the PI handler to process personal information. There are two primary obligations on the entrusted party:

  • to take necessary measures to safeguard personal information; and
  • to assist PI handlers in discharging their obligations under the PIPL.

Specific processing requirements

Sharing and entrusted processing of personal information

As required by article 23 of the PIPL, before sharing personal information with another PI handler, separate consent must be obtained from the individual concerned, after they have been given a privacy notice stating the name and contact information of the data recipient, the categories of personal information to be transferred, and the purpose and means of the recipient’s processing activity.

In terms of the provision of personal information to an entrusted party, although no additional notification, separate consent or legal basis is required, the PI handler must agree with the entrusted party on the details of the entrusted handling, as well as the rights and obligations of both parties, under article 21 of the PIPL. A data processing agreement or appendix is usually used to meet these requirements. A data protection impact assessment (DPIA), as discussed below, must also be completed before the provision takes place.

DPIA

The PIPL requires a DPIA in certain high-risk scenarios, such as processing sensitive personal information, automated decision-making based on personal information, providing personal information to third parties and entrusted parties and cross-border transfer of personal information. The report of the DPIA must be retained for at least three years.

The following factors must be taken into consideration when conducting the DPIA:

  • whether the purpose and means of the processing activity is lawful, legitimate and necessary;
  • what is the impact on the individuals concerned and what are the security risks; and
  • whether the security measures adopted are lawful and effective, and whether they are appropriate to the identified risks.

In specific processing activities, PI handlers in China may have to consider additional assessment factors. For instance, in the context of cross-border transfer of personal information, whether the foreign laws or regulations will affect the security of transferred data also needs to be assessed.

Cross-border data transfer

According to the PIPL, a PI handler is allowed to transfer personal information outside China where the cross-border transfer is necessary for business purposes and any of the following conditions is met:

  • where the CAC has given its approval after completing the security assessment;
  • where the PI handler has been certified by a licensed agency, acting in accordance with the provisions of the CAC in respect of the protection of personal information;
  • where the PI handler has concluded a contract with the foreign data recipient in the form of a CAC-prescribed template; or
  • where other conditions are satisfied as prescribed by laws, regulations or CAC measures.

Under the Measures on the Security Assessment for Cross-border Data Transfer (the Security Assessment Measures), cross-border transfers of personal information by any of the following entities are subject to the government-led security assessment:

  • operators of critical information infrastructure;
  • PI handlers processing the personal information of over one million individuals; or
  • data handlers in China that intend to transfer important data abroad, or whose volume of personal information transferred overseas since 1 January of the preceding year has reached certain thresholds.

Shortly before the Security Assessment Measures entered into force on 1 September 2022, the CAC released the Notification Guidelines for Security Assessment of Cross-border Data Transfer (v1.0), which further detail the information to be included in the application materials and require that the self-assessment be completed within the three months before the application for the government-led security assessment. Failure to pass the security assessment, or to complete the necessary rectifications, by the end of the six-month grace period running from 1 September 2022 (expiring on 28 February 2023) may lead to the suspension of the cross-border data transfer and other penalties.

The CAC also released the prescribed template for a cross-border data transfer agreement (the Draft China SCC) as part of the draft Provisions on the Prescribed Agreement on Cross-border Data Transfer, issued on 30 June 2022 for public consultation. In contrast with the EU SCC, the Draft China SCC applies only where the relevant cross-border data transfer does not trigger the security assessment requirement described above. The PI handler must file its use of the prescribed agreement with the CAC’s provincial branch, together with a transfer impact assessment report, within 10 working days of the effective date of the prescribed agreement.

Automated decision-making

Under the PIPL, automated decision-making is defined as the activity of automatically analysing and evaluating an individual’s behavioural habits, hobbies or economic, health or credit status through computer programmes, and making decisions on that basis. Examples of automated decision-making include online behavioural advertising based on user profiles, and credit monitoring.

Article 24 of the PIPL requires PI handlers in China to ensure the transparency of automated decision-making and the fairness and impartiality of its results. No unreasonable or discriminatory treatment may be applied to individuals with respect to transaction terms such as purchase price and credit limits. Moreover, when serving users with personalised content or marketing through automated decision-making, service providers in China must offer data subjects the option either to receive non-personalised content or to opt out entirely of direct marketing or personalised recommended content.

The CAC passed the Measures on Algorithmic Recommendation in Internet Information Service, effective 1 March 2022, to further regulate automated decision-making and to allow users to choose, manage or delete their user profiles where the service provider uses a regulated recommendation algorithm in its online services.

Direct marketing

In China, any direct marketing activities (such as commercial text messaging or email direct marketing) must receive individual consent in advance.

The PRC Advertisement Law provides that the distribution of any advertisement to a person’s residential premises or vehicle, or any other distribution of electronic advertising information, is not permitted unless consented to or requested by the individual concerned. The same requirement can be found in the Measures for the Supervision and Administration of Online Transactions and in the PRC Consumer Rights and Interests Protection Law, which prohibit the distribution of marketing communications (including via email and SMS) in the absence of users’ consent.

Surveillance at a workplace

Companies are not prohibited from carrying out surveillance of their employees (such as installing CCTV at the workplace, setting identity-based access control for entrance to the premises or deploying user behaviour monitoring tools on work devices) under the Chinese legal regime, as long as the surveillance complies with the applicable personal information protection rules, in particular the principle of necessity, and is not recognised as an intrusion of privacy.

In such cases, employers may rely on the necessity for the implementation of human resource management as a lawful basis, while consent would still be required if any processing purpose goes beyond that.

In any event, employee surveillance should be notified to employees in advance. In practice, this notification would be included in the privacy notice to employees.

Data subject rights under Chinese law

Data subjects are granted, among others, the following rights under Chinese data protection law:

  • the right to access personal information;
  • the right to request a copy of personal information;
  • the right to amend or update personal information;
  • the right to restrict or refuse processing of personal information;
  • the right to transfer personal information to designated third parties;
  • the right to request an explanation of the processing rules;
  • the right to request an explanation of automatic decision-making that has a significant impact on the data subject’s rights and interests;
  • the right to withdraw consent;
  • the right to decline direct marketing; and
  • the right to request erasure of personal information.

Personal information pertaining to deceased persons is also protected, and the associated rights can be exercised by the deceased’s close relatives as provided by law.

PI handlers are required to establish a mechanism that facilitates the handling of data subjects’ requests without unnecessary constraints. Refusal without justifiable grounds to meet requests by data subjects when exercising their rights may result in privacy litigation under article 50 of the PIPL.

Some grounds for refusal to respond to data subjects’ requests are set out in the PI Security Specification (which is non-binding), such as when the request is related to national security, the response to the request may infringe the trade secrets of the PI handler, or the data subject is acting with malicious intent or abusing their rights. Nevertheless, the PIPL does not explicitly recognise these grounds for refusal, except for the ground to meet the retention requirements under Chinese law.

Data protection officer

Although it is currently unclear which companies must appoint a data protection officer (DPO) under the PIPL, it is very likely to be those companies that process the personal information of more than one million individuals. Companies obliged to designate a DPO are further required to make the DPO’s contact information public and to submit the DPO’s name and contact information to the competent authorities.[2] In practice, staff located in China may be better placed to serve in the DPO role under the PIPL, because in-person and timely communication better meets regulators’ expectations.

The PIPL itself sheds little light on the role and responsibility of DPOs in China, but the role of DPO under the PIPL seems to assume more substantial responsibilities for compliance and implementation than the advisory role of DPO under the GDPR. According to the PIPL, anyone appointed to be a DPO is expected to assume the following duties:

  • act as the ‘go-to person’ when the company faces any enforcement on privacy and data protection issues;
  • lead the preparation of internal policies, guidelines and instructions relevant to personal information protection;
  • lead the drafting and updating of external documents relevant to privacy protection, such as privacy policies;
  • assume responsibility for any government registrations and filings with respect to personal information protection;
  • review and assess business scenarios involving cross-border transfer of personal information and support cross-border data transfer security assessments;
  • conduct data protection impact assessments to identify high-risk activities and advise on remedial plans accordingly;
  • manage and respond to requests from data subjects; and
  • organise periodic internal training to raise awareness about personal information protection.

Furthermore, the PIPL also imposes individual liability on the DPO for the company’s violations of the PIPL. A DPO could be fined up to 1 million yuan for the company’s non-compliance, and could also be banned from acting in a senior management role or a DPO role for a period.

Data breach notification obligation

Upon the discovery of a data breach or other data security incident,[3] the PIPL requires (1) that the incident be reported to or filed with the competent government agencies; and (2) that the affected individuals whose legitimate interests may be impaired be notified. Nevertheless, where the PI handler has taken measures that effectively mitigate the harm caused by the incident, it may opt not to notify the individuals concerned, although the competent authorities may require notification where they deem it necessary.

Under the PIPL, the following content must be included in a data breach notification to the affected individuals:

  • the category of personal information leaked, tampered with or lost, or that may be leaked, tampered with or lost;
  • the causes of the data breach incident and the possible damage to individuals;
  • the remedial measures adopted by the PI handler;
  • the suggested measures that individuals can take to reduce damage; and
  • the contact information of the PI handler.

The PIPL does not specify to which governmental authority the PI handler must report a notifiable data breach. Normally, personal information breach reporting must be considered in light of the cybersecurity incident requirements that are scattered across various provincial regulations and ministry-level measures. In practice, the local branches of the CAC, the MIIT and the MPS, as well as ad hoc committees at provincial or municipal level, are the authorities to report to, unless and until the government designates one agency to centralise notifications.

Violations of Chinese data protection regulation

Violation of the PIPL may trigger civil litigation, administrative penalties or even criminal liabilities.

Where the processing of personal information infringes data subjects’ rights and interests and causes damage, the data subject is entitled to file a tort lawsuit against the relevant PI handler. According to article 69 of the PIPL, in such civil litigation the burden of proof shifts to the PI handler to disprove the infringement. This means the defending PI handler is deemed at fault unless it can demonstrate that it acted in compliance with the relevant PIPL requirements. In addition, the People’s Procuratorate, consumer protection organisations and other organisations designated by the CAC may also bring claims against a company found to be in serious violation of the PIPL.

In terms of administrative penalties, a PI handler violating the PIPL may be subject to a rectification order, warning, administrative fines, confiscation of illegal gains, suspension of business or revocation of business licences and permits, depending on the severity of the violation. Organisations found to be in serious breach of the PIPL could be fined up to 50 million yuan or up to 5 per cent of the preceding year’s revenues. Individuals in breach of the PIPL may be disqualified from being directors, supervisors, general managers or DPOs in China. The draft Regulation on the Administration of Network Data Security has a ‘tailor-made’ penalty amount corresponding to each type of violation that is typically less than 50 million yuan; this, however, remains in draft form.

In severe cases, infringement of the right to personal information protection may also lead to criminal liability, and the numeric threshold constituting the crime of infringing citizens’ personal information is fairly low under article 253A of the Criminal Law. For example, any illegal procurement, sale or provision of more than 50 pieces of sensitive personal information (eg, location, communication content, credit investigation personal information and property information) would reach the threshold of criminality.

Enforcement recap and forecast

Many companies in China plan their data compliance programme and strategy by observing the direction and priorities of law enforcement, especially when many draft laws and regulations, as well as the implementing regulations for the PIPL, have yet to be finalised or released.

The provisions of the Criminal Law against the infringement of citizens’ personal information and against cybercrime have been actively enforced in China over the past five years, and this trend is expected to continue into 2022 and 2023. According to publicly available information,[4] more than 9,800 criminal cases relating to the infringement of citizens’ personal information were investigated in 2021.

The administrative enforcement action led by the CAC, MIIT, MPS and SAMR to address data protection issues in mobile applications will continue as a routine, broad-sweeping law enforcement campaign, extending to mini-apps on WeChat, Alipay and other platforms, and even to public accounts that are frequently used to publish online content. This campaign will continue over the next 12 months.

As the Security Assessment Measures have been in effect since 1 September 2022, the CAC and some local regulators, such as the Shanghai municipal government, have launched a dedicated enforcement campaign to survey companies with substantial outbound data transfer requests (particularly multinational companies) within the six-month grace period, to check on compliance.

Privacy litigation is on the rise in China. Before the passage of the PIPL, there were court cases where the courts shifted the burden of proof to defendant companies, despite the laws at the time requiring the plaintiff to bear the burden of proof on tort, negligence and causation. In Panglipeng v China Eastern Airlines & Qunar ((2017) Jing01Minzhong No. 509), the Primary People’s Court of Haidian District of Beijing Municipality ruled that the company that processed personal information had to show that it had adopted sufficient technical and managerial measures to maintain the security and confidentiality of data subjects’ personal information, otherwise it would be assumed to be at fault in processing personal information and be liable for the leakage of personal information accordingly. This court case was considered heavily by the PRC Supreme Court, which also contributed to articles of the PIPL that presume the PI handler to be at fault.

Failure to comply with personal information protection requirements can trigger both civil litigation and criminal investigation. For instance, the public interest civil litigation initiated by the Hangzhou Public Prosecutors’ Office of the People’s Procuratorate of Zhejiang showed that the illegal collection and sale of a large volume of minors’ personal information can give rise to civil litigation in the public interest brought by the prosecutors, even after the defendant has been prosecuted for criminal liability.[5]

*With contributions from Huihui Li and Jianqi Yang.


Notes

[1] For the purpose of this chapter, China excludes the Hong Kong Special Administrative Region, Macau Special Administrative Region and Taiwan region.

[2] This requirement is provided by article 52 of the PIPL.

[3] The term ‘data breach’ is not defined by the PIPL. According to the National Contingency Plan for Cyber Security Incidents issued by the CAC, a ‘cybersecurity incident’ is referred to as any incident that causes damage to network and information systems or the data therein and adversely affects society due to human factors, hardware or software defects or failures, natural disaster, etc.
