China: New National Data Bureau steps up to oversee data-related infrastructure

This is an Insight article, written by a selected partner as part of GDR's co-published content.

Legal framework of personal information protection in China

The Personal Information Protection Law (PIPL), which became effective on 1 November 2021, is the first comprehensive, omnibus personal information protection legislation in the People’s Republic of China (China).[1] The PIPL regulates the collection, use, storage, transfer, provision, disclosure and deletion of personal information concerning individuals in China. In addition to the PIPL, the current data protection regime of China also includes various implementation regulations, measures and sectoral rules issued by various Chinese authorities.

The right to privacy of correspondence is a constitutional right under China’s Constitution; interference with this right is limited to criminal investigations or national security-related investigations carried out by the police or prosecutors in accordance with prescribed procedures.

In addition to the PIPL, China’s privacy and data protection legal framework consists of three suites of laws and regulations:

  • civil law: the Civil Code, which confers and protects the legitimate rights and interests of individuals concerning their personal information, as well as allowing data subjects in China to bring claims against organisations and individuals who unlawfully collect or process their personal information;
  • administrative law: aside from the PIPL, which imposes prescriptive requirements on personal information processing activities, key legislation includes the Cybersecurity Law (CSL), which requires network operators to adopt technical and managerial measures to protect the personal information contained in their IT systems, and the Data Security Law (DSL), which requires data processors to classify and grade their data (including personal information) and take security measures accordingly; and
  • criminal law: the relevant pieces of legislation are article 253A of the Criminal Law (amended and effective on 1 March 2021) and the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues regarding Legal Application in Criminal Cases Infringing upon the Personal Information of Citizens, which criminalise certain activities that seriously infringe the right to personal information protection.

Various judicial interpretations and sectoral administrative rules on privacy and personal information protection in specific scenarios have also been developed and enforced, such as the following (in chronological order):

  • the Measures for the Security Assessment for Cross-Border Data Transfer;
  • the Measures for the Prescribed Agreement for Cross-Border Transfer of Personal Information;
  • the Provisions on Relevant Issues on the Application of Laws in Hearing Civil Cases Related to the Application of Facial Recognition Technology in Processing Personal Information;
  • the Provision for the Scope of Necessary Personal Information for Usual Types of Apps;
  • the Rules for Determining Illegal and Non-Compliant Collection and Use of Personal Information on Apps;
  • the Provisions on the Protection of Minors’ Online Personal Information; and
  • the Provisions on the Protection of Personal Information Concerning Telecommunications and Internet Users.

Many recommended national standards have important reference value for compliance purposes as they reflect Chinese authorities’ expectations for best practices in privacy protection that companies should follow. From time to time, the authorities may incorporate part or all of a standard in sectoral administrative rules so that the incorporated portion becomes mandatory. Under the personal information protection regime, a number of those national standards are issued to clarify or specify the compliance requirements proposed by the formal legal sources. The critical national standards include (in chronological order):

  • GB/T 42574-2023 Information Security Technology – Implementation Guidelines for Notices and Consent in Personal Information Processing (to be implemented on 1 December 2023);
  • GB/T 41391-2022 Information Security Technology – Basic Requirements for Collection of Personal Information by Mobile Applications (implemented on 1 November 2022);
  • GB/T 39335-2020 Information Security Technology – Guidance for Personal Information Security Impact Assessment (implemented on 1 June 2021);
  • GB/T 35273-2020 Information Security Technology – Personal Information Security Specification (the PI Security Specification, implemented on 1 October 2020);
  • GB/T 37964-2019 Information Security Technology – Guidelines for De-identification of Personal Information (implemented on 1 March 2020); and
  • TC260–PG–20222A Practical Guidelines to Cybersecurity Standards – Specifications on Security Certification for Cross-Border Personal Information Processing Activities (issued on 16 December 2022).

China has also recognised certain international standards by transposing relevant rules into its national standards. For example, the requirements of ISO/IEC 27001 have been localised by the Chinese government as GB/T 22080-2016.

Regulators of the Chinese data protection regime

There is no omnibus data protection authority in China, and the government has reached internal consensus that no single regulator in China can address all data-related issues and concerns.

For now, the PIPL and other data protection-related legislation are primarily administered by the Cyberspace Administration of China (CAC), the Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security (MPS) and the State Administration for Market Supervision (SAMR).

  • The CAC is authorised by the PIPL, the DSL and the CSL to take charge of regulation and supervision of cybersecurity, data security and personal information protection in both public and private sectors. The CAC is leading and coordinating with other ministries on rule-making and law enforcement actions related to personal information protection. For example, it is mandated to lead the government-led security assessment for cross-border transfer of data.
  • The MIIT is responsible for regulating industrial and telecommunications licensing schemes, so the protection of personal information was part of its remit long before the passage of the CSL. The MIIT and its local branches have been some of the most active regulators, launching enforcement campaigns to identify privacy issues and data security issues in mobile apps with a focus on technical aspects.
  • The MPS actively enforces data protection and criminal law against illegal collection and offering of personal information, regularly checks on network operators’ cybersecurity compliance in accordance with the CSL and administers the Multilevel Protection Scheme for information systems in China.
  • The SAMR is responsible for consumer protection, which includes but is not limited to consumer personal information protection.

Various sectoral regulators may also make rules to address personal information protection issues within their sectors, as prescribed by applicable laws or regulations. For example, the People’s Bank of China and the China Banking and Insurance Regulatory Commission regulate banking and financial institutions; the China Securities Regulatory Commission regulates securities companies and listed companies, among others; and the National Health Commission regulates the healthcare and medical sector.

Further to the reform plan issued by the State Council in May 2023, a newly established National Data Bureau (NDB) will coordinate and promote the construction of data-related infrastructure; the integration, sharing, development and utilisation of data resources; and the planning and construction of the ‘Digital China’ strategy. It seems likely that the NDB will not alter previous regulatory efforts and government controls introduced by the CAC with respect to personal information protection.

Effect of local laws on foreign businesses

As with the EU General Data Protection Regulation (GDPR), the PIPL applies extraterritorially, to the processing of personal information of data subjects in China that takes place outside China, where the processing is:

  • for the purpose of provision of goods or services to data subjects who are physically in China;
  • for analysing or assessing the behaviour of data subjects who are physically in China; or
  • in other circumstances as provided by Chinese laws and regulations.

It is not clear whether Chinese authorities will apply the ‘targeting criterion’ when interpreting the extraterritorial application of the PIPL. Foreign companies should assess any processing of personal information concerning individuals in China, whether intentionally or inadvertently, given the potential application of the PIPL.

Foreign personal information handlers (PI handlers) that are subject to extraterritorial effect of the PIPL are required to appoint a representative in China, responsible for data protection compliance and liaising with Chinese regulators. The representative can be an entity or an individual. A filing of relevant information about the local representative with relevant authorities is required; however, for the time being, there is no guidance on how to make the filing.

Data processing principles

The Civil Code, the DSL and the PIPL set forth several core principles and requirements for processing personal information, which PI handlers in China must abide by. Any personal information processing activity that violates the data protection principles will be a violation of the PIPL.

Lawful basis

PI handlers should have a legal basis for their specific processing of personal information. The PIPL allows companies to choose from several lawful bases other than ‘consent’, including where the processing:

  • is necessary for the conclusion or performance of a contract to which the data subject is a party, or necessary for human resources management according to lawfully formulated employment-related company policies and collective agreements;
  • is necessary for discharging legal responsibilities or obligations;
  • is required for public health purposes or the protection of the life, health and property safety of people in emergencies;
  • is reasonably in the public interest, for the purposes of, for example, news, journalism and public supervision;
  • is related to personal information that has been made public either by the data subjects themselves or by other lawful means within the reasonable and permissible bounds; and
  • is permitted by other circumstances provided by laws and regulations.

Separate consent, which is a higher standard of consent, is required from data subjects in certain specific circumstances, such as the provision of personal information to third parties, the processing of sensitive personal information and the cross-border transfer of personal information. For example, pursuant to article 26 of the PIPL, if a PI handler collects people’s images or identification information in public spaces, the PI handler must first obtain an individual’s separate consent if it intends to use that personal data for any purpose other than maintaining public security. Separate consent usually requires a separate notice or checkbox seeking the data subject’s affirmative confirmation of the processing activities. In practice, this is not an easy exercise for many companies.

Nevertheless, where the processing relies on non-consent legal bases such as contractual necessity, the separate consent requirements that are scattered in various provisions of the PIPL arguably would not apply.

Transparency

Both the PIPL and the Civil Code require a privacy notice to be provided to relevant individuals before processing their personal information.

Pursuant to article 17 of the PIPL, individuals must be notified of the following information in a conspicuous manner and in clear and easy-to-understand language:

  • the name and contact information of the PI handler;
  • the purpose and means of personal information processing, the categories of personal information to be processed and the retention period;
  • methods and procedures for individuals to exercise the data subject’s rights; and
  • other matters as required by the applicable laws and regulations.

In certain processing scenarios, such as the processing of sensitive personal information, the sharing of personal information with third parties and the cross-border transfer of personal information, additional information is required to be disclosed to the individuals concerned. For example, where a business activity involves the processing of sensitive personal information, the purpose necessitating such processing, as well as the impact on individuals’ rights and interests as a result of such processing, must also be disclosed in the privacy notice.

Data minimisation

Any collection, use, transfer, provision, disclosure, processing or retention of personal information must be limited to the minimum scope or the shortest time that is necessary to fulfil the purpose for which the personal information is collected.

The PIPL sets forth strict requirements on the retention period of personal information. In any of the following circumstances, PI handlers are required to proactively delete personal information:

  • the purpose of processing has been fulfilled, cannot be fulfilled or the personal information is no longer necessary for fulfilling the purpose;
  • the PI handlers have ceased providing products or services;
  • the retention period has come to an end;
  • the consent of the individual has been withdrawn;
  • the processing of personal information by the handler is in breach of any laws, regulations or agreements; or
  • where otherwise provided by laws and regulations.

Purpose limitation

The PIPL requires that personal information processing activities have a lawful, legitimate, necessary and clear processing purpose, in line with the principle of good faith. The processing purpose should be directly related to the purpose that has been disclosed to the data subjects, should have the least impact on personal rights and interests, and should not be pursued through misleading, fraudulent, coercive or other improper means.

Completeness and accuracy

As required by the PIPL, the quality of personal information must be ensured when it is processed, to avoid any adverse impact on personal rights and interests resulting from the inaccuracy or incompleteness of personal information.

Security protection

The PIPL lays down various security and organisational requirements that must be followed by PI handlers, such as requirements on compliance auditing, data classification, record maintenance for processing activities, personal information protection impact assessments (PIPIAs), data breach reporting and remedial measures that must be taken in case of data breaches, and appointment of a responsible data protection person.

The security measures under the PIPL are not exhaustively defined. PI handlers need to adopt such measures to provide a level of security appropriate to the risk of processing personal information.

PI handlers and entrusted parties

PI handlers, defined as the organisations and individuals that independently determine the purpose and means of the processing of personal information, are responsible for their personal information processing activities.

The concept of ‘PI handler’ is similar to ‘controller’ under the GDPR. In practice, a PI handler should be able to demonstrate self-compliance with the PIPL, as well as other personal information protection rules when encountering regulatory challenges or data subject inquiries.

Similar to ‘processor’ under the GDPR, ‘entrusted party’ is the term that is used in the PIPL as the party entrusted by the PI handler to process personal information. There are two primary obligations on the entrusted party:

  • to take necessary measures to safeguard personal information; and
  • to assist PI handlers in discharging their obligations under the PIPL.

Specific processing requirements

Sharing and entrusted processing of personal information

As required by article 23 of the PIPL, before sharing personal information with another PI handler, separate consent must be obtained from the concerned individual and they must have been provided with a privacy notice containing the name and contact information of the data recipient, the category of personal information to be transferred and the purpose and means of its processing activity in advance.

In terms of the provision of personal information to an entrusted party, although no additional notification, separate consent or legal basis is required, the PI handler should agree with the entrusted party on the details of the entrusted handling, as well as the rights and obligations of both parties under article 21 of the PIPL. A data processing agreement or appendix is usually used to meet the aforesaid requirements. The arrangements will also need to pass the PIPIA, as mentioned below.

Personal information protection impact assessment

The PIPL requires a PIPIA in certain high-risk scenarios, such as processing sensitive personal information, automated decision-making based on personal information, providing personal information to third parties and entrusted parties and cross-border transfer of personal information. The PIPIA report must be retained for at least three years.

The following factors must be taken into consideration when conducting the PIPIA:

  • whether the purpose and means of the processing activity is lawful, legitimate and necessary;
  • what is the impact on the individuals concerned and what are the security risks; and
  • whether the security measures adopted are lawful and effective, and whether they are appropriate to the identified risks.

In specific processing activities, PI handlers in China may have to consider additional assessment factors. For instance, in the context of cross-border transfer of personal information, whether the foreign laws or regulations will affect the security of transferred data also needs to be assessed.

Cross-border data transfer

According to the PIPL, a PI handler is allowed to transfer personal information outside of China where the cross-border data transfer is necessary for business purposes and any of the following conditions is met:

  • the CAC has given its approval after completing the security assessment;
  • the PI handler has been certified by a licensed agency, acting in accordance with the provisions of the CAC in respect of the protection of personal information;
  • the PI handler has concluded a contract with the foreign data recipient in the form of a CAC-prescribed template; or
  • other conditions are satisfied as prescribed by laws, regulations or CAC measures.

Under the Measures on the Security Assessment for Cross-border Data Transfer (the Security Assessment Measures), cross-border transfer of personal information by any of the following entities will be subject to the government-led security assessment: (1) operators of critical information infrastructure; (2) PI handlers processing the personal information of over 1 million individuals; or (3) data handlers in China that intend to transfer important data abroad, or whose volume of personal information transferred overseas since 1 January of the preceding year has reached certain thresholds.

Shortly before the entry into force of the Security Assessment Measures on 1 September 2022, the CAC released the Notification Guidelines for Security Assessment of Cross-border Data Transfer (v1.0), which further detail the information to be included in the application materials and require that the self-assessment be completed within three months before the application for a government-led security assessment. Failure to pass the security assessment or complete necessary rectifications upon the expiration of the six-month grace period from 1 September 2022 to 28 February 2023 may lead to the suspension of the cross-border data transfer and other penalties.

The CAC also finalised the prescribed template for a cross-border data transfer agreement (the China SCC) as part of the Measures for the Prescribed Agreement for Cross-Border Transfer of Personal Information, effective from 1 June 2023 with a six-month grace period expiring on 30 November 2023. In contrast with the EU SCC, the China SCC is only applicable where the cross-border data transfer concerned does not trigger the security assessment requirement. The PI handler must file its use of the prescribed agreement with the CAC’s provincial branch, along with a PIPIA report prepared in accordance with the Filing Guidelines for the Prescribed Agreement for Cross-Border Transfer of Personal Information (v1.0), released on 30 May 2023, within 10 working days of the effective date of the prescribed agreement.

Automated decision-making

Under the PIPL, automatic decision-making is defined as activities that use computer programmes to automatically analyse and evaluate an individual’s behavioural habits, hobbies or economic, health or credit status and to make decisions accordingly. Some examples of automatic decision-making are online behavioural advertising based on user profiles, and credit monitoring.

Article 24 of the PIPL requires that PI handlers in China ensure the transparency of the automatic decision-making, and the fairness and justice of the decision results. No unreasonable or discriminatory treatment may be applied to individuals with respect to transaction terms such as purchasing price and credit limits. Moreover, to serve users with personalised content or marketing through automated decision-making, service providers in China must provide data subjects with the option to either receive non-personalised content or entirely opt out of the direct marketing or personalised recommended content.

The CAC passed the Measures on Algorithmic Recommendation in Internet Information Service, effective from 1 March 2022, to further regulate automatic decision-making and allow customers to choose, manage or delete their user profiles if the service provider uses any regulated recommendation algorithm in their online services.

Direct marketing

In China, any direct marketing activity (eg, commercial text messaging or email direct marketing) requires the individual’s consent in advance.

The Advertisement Law provides that the distribution of any advertisement to a person’s residential premises or vehicle, or any other distribution of electronic advertising information, is not permitted unless consented to or requested by the relevant individuals. The same requirement can be found in the Measures for the Supervision and Administration of Online Transactions, as well as the Consumer Rights and Interests Protection Law, which regulate the distribution of marketing communications (including via email and SMS) in the absence of users’ consent.

Surveillance at a workplace

Companies are not prohibited from carrying out surveillance (eg, installing CCTV at the workplace, setting identity-based access control for entrance to the premises or deploying tools for user behaviour monitoring on work devices) on their employees under the Chinese legal regime, as long as the surveillance complies with the applicable personal information protection rules, in particular the principle of necessity, and is not recognised as an intrusion of privacy.

In such cases, employers may rely on the necessity of implementing human resource management as a lawful basis, while consent would still be required if any processing purpose goes beyond that.

In any event, employee surveillance should be notified to employees in advance. In practice, this notification would be included in the privacy notice to employees.

Generative AI specific rules

The CAC finalised the Administrative Measures for Generative AI Services on 10 July 2023, which entered into force on 15 August 2023. Among other things, the Measures specifically require that relevant service providers shall not illegally retain user input information and user history that can identify users, nor can they illegally provide third parties with user input information and user history.

Data subject rights under Chinese law

Data subjects are granted, among other things, the following rights under Chinese data protection law:

  • the right to access personal information;
  • the right to request a copy of personal information;
  • the right to amend or update personal information;
  • the right to restrict or refuse processing of personal information;
  • the right to transfer personal information to designated third parties;
  • the right to request an explanation of the processing rules;
  • the right to request an explanation of automatic decision-making that has a significant impact on the data subject’s rights and interests;
  • the right to withdraw consent;
  • the right to decline direct marketing; and
  • the right to request erasure of personal information.

Personal information pertaining to deceased persons is also entitled to protection and rights, which may be exercised by their close relatives as provided by law.

PI handlers are required to establish a mechanism that facilitates the handling of data subjects’ requests without unnecessary constraints. Refusal without justifiable grounds to meet requests by data subjects when exercising their rights may result in privacy litigation under article 50 of the PIPL.

Some grounds for refusal to respond to data subjects’ requests are set out in the PI Security Specification (which is non-binding), such as when the request is related to national security, when the response to the request may infringe the trade secrets of the PI handler, or when the data subject is acting with malicious intent or abusing their rights. Nevertheless, the PIPL does not explicitly recognise these grounds for refusal except in cases where there is a requirement to meet a longer mandatory retention period under Chinese law.

Data protection officer

Although it is currently unclear which companies must appoint a data protection officer (DPO) under the PIPL, it is very likely to be those companies that process the personal information of over 1 million individuals. Companies that are obliged to designate a DPO are further required to make public the DPO’s contact information and submit the DPO’s name and contact information to the competent authorities.[2] In practice, staff located in China may better serve the DPO role under the PIPL because in-person and timely communication would better meet regulators’ expectations.

The PIPL itself sheds little light on the role and responsibility of DPOs in China, but the role of DPOs under the PIPL seems to assume more substantial responsibilities for compliance and implementation than the advisory role of DPOs under the GDPR. According to the PIPL, anyone appointed to be a DPO is expected to assume the following duties:

  • act as the ‘go-to person’ when the company faces any enforcement on privacy and data protection issues;
  • lead the preparation of internal policies, guidelines and instructions relevant to personal information protection;
  • lead the drafting and updating of external documents relevant to privacy protection, such as privacy policies;
  • assume responsibility for any government registrations and filings with respect to personal information protection;
  • review and assess business scenarios involving cross-border transfer of personal information and support cross-border data transfer security assessments;
  • conduct PIPIAs to identify high-risk activities and advise on remedial plans accordingly;
  • manage and respond to requests from data subjects; and
  • organise periodic internal training to raise awareness about personal information protection.

The PIPL also imposes individual liability on the DPO for the company’s violations against the PIPL. A DPO could be fined up to 1 million yuan for the company’s non-compliant behaviour and could also be banned from acting in a senior management role or a DPO role for a period.

Data breach notification obligation

Upon the discovery of a data breach or other data security incidents,[3] the PIPL requires (1) the data incident to be reported or filed with the competent government agencies; and (2) notification to affected individuals whose legitimate interests may be impaired. Nevertheless, when the PI handlers have taken measures that can effectively mitigate the impairment caused by the incident, the handlers may opt not to notify the individuals concerned, although competent authorities may request that individuals concerned be notified as they deem necessary.

Under the PIPL, the following content must be included in a data breach notification to the affected individuals:

  • the category of personal information leaked, tampered with or lost, or that may be leaked, tampered with or lost;
  • the causes of the data breach incident and the possible damage to individuals;
  • the remedial measures adopted by the PI handler;
  • the suggested measures that individuals can take to reduce damage; and
  • the contact information of the PI handler.

The PIPL does not specify to which government authority the PI handler needs to report in the event of a notifiable data breach. Normally, such personal information breach reporting needs to be considered in light of cybersecurity incident requirements that are scattered across various provincial regulations or ministry-level measures. In practice, the local branches of the CAC, the MIIT and the MPS, as well as ad hoc committees at the provincial or municipal level, are the authorities to report to, unless and until the government designates one agency to centralise the notification.

Violations of Chinese data protection regulation

Violation of the PIPL may trigger civil litigation, administrative penalties or even criminal liabilities.

Where the processing of personal information infringes on data subjects’ rights and interests and causes damage, the data subject is entitled to file a tort lawsuit against the relevant PI handler. According to article 69 of the PIPL, in such civil litigation, the burden of proof will shift to the PI handler to disprove infringement of personal information. This means the defending PI handler would now be deemed at fault unless it can demonstrate that it has acted in compliance with the relevant PIPL requirements. In addition, the people’s procuratorates, consumer protection organisations and other organisations designated by the CAC could also claim against the company that has been found in serious violation of the PIPL.

In terms of administrative penalties, a PI handler violating the PIPL may be subject to a rectification order, warning, administrative fines, confiscation of illegal gains, suspension of business or revocation of business licences and permits, depending on the severity of the violation. Organisations found to be in serious breach of the PIPL could be fined up to 50 million yuan or up to 5 per cent of the preceding year’s revenues. Individuals in breach of the PIPL may be disqualified from being directors, supervisors, general managers or DPOs in China. The draft Regulation on the Administration of Network Data Security has a ‘tailor-made’ penalty amount corresponding to each type of violation, which is typically less than 50 million yuan; this, however, remains in draft form.

In severe cases, infringement of the right to personal information protection may also lead to criminal liability, and the numeric threshold constituting the crime of infringing citizens’ personal information is fairly low under article 253A of the Criminal Law. For example, any illegal procurement, sale or provision of more than 50 pieces of sensitive personal information (eg, location, communication content, credit investigation personal information and property information) would reach the threshold of criminality.

Enforcement recap and forecast

Many companies in China plan their data compliance programmes and strategies by observing the direction and priorities of law enforcement, especially as many draft laws and regulations, as well as the implementing regulations for the PIPL, have yet to be finalised or released.

The provisions under the Criminal Law against the infringement of the citizens’ personal information and against cybercrimes have been actively enforced in China over the past few years, and that trend continues. According to publicly available information, more than 16,000 criminal cases in relation to infringing citizens’ personal information were investigated by public security authorities in 2022.[4]

The administrative enforcement actions led by the CAC, the MIIT, the MPS and the SAMR, which target data protection issues in mobile applications, will continue as routine, broad-sweeping enforcement campaigns, and their scope will extend to mini-apps on WeChat and Alipay and to third-party SDKs embedded in mobile applications.

The CAC is now more willing to use cybersecurity review as a regulatory tool to probe China-based companies’ overseas listings, foreign investors’ investments, acquisitions of Chinese companies and cybersecurity risks in the supply chain (eg, the case of Micron[5]). Since 2020, cybersecurity has become increasingly intertwined with national security.

Many companies are going through filings or security assessments for their cross-border data transfer activities. The CAC is expected to launch reviews and inspections to further promote compliance with the PIPL’s cross-border data transfer requirements. It is also expected that the CAC will provide regulatory guidance for PI handlers on the cross-border transfer requirements and launch dedicated campaigns focusing on enforcement of cross-border transfer obligations between 2023 and 2024.

Privacy litigation is on the rise in China. On the question of fault, the courts have applied the reversed burden of proof under article 69 of the PIPL against defendant companies in civil cases concerning personal information protection. In Xuexiangfei v Taobao,[6] the Hangzhou Internet Court applied article 69 and required Taobao to show that it had adopted sufficient technical and managerial measures to maintain the security and confidentiality of data subjects’ personal information. A similar reversal of the burden of proof had already been applied in Panglipeng v China Eastern Airlines & Qunar,[7] decided before the promulgation of the PIPL.

Failure to comply with personal information protection requirements can trigger both civil litigation and criminal investigation arising from the same facts. For instance, the People’s Procuratorate of Shanghai Fengxian District brought a civil public interest action, incidental to the criminal prosecution of the same defendant, over the illegal collection and sharing of the personal information of over 81 million individuals.[8]

* With contributions from Huihui Li and Jianqi Yang.


[1] For the purpose of this chapter, China excludes the Hong Kong Special Administrative Region, Macau Special Administrative Region and Taiwan region.

[2] Personal Information Protection Law (PIPL), article 52.

[3] The term ‘data breach’ is not defined by the PIPL. According to the National Contingency Plan for Cybersecurity Incidents issued by the Cyberspace Administration of China, a ‘cybersecurity incident’ is any incident that causes damage to network and information systems or the data therein and adversely affects society owing to human factors, hardware or software defects or failures, natural disaster, etc.

[4] Ministry of Public Security, ‘公安机关“净网2022”专项行动成效显著’ (‘Public security organs’ “Clean Internet 2022” special campaign delivers significant results’), 9 January 2023.

[5] See the chapter on ‘China: Cybersecurity’.

[6] Xuexiangfei v Taobao (2022) Zhe0192Minchu No. 4259.

[8] Supreme People’s Court, Guiding Case No. 192, ‘The public interest action for the criminal case associated with incidental civil litigation re Li Kaixiang’s infringement of citizens’ personal information’, 28 December 2022.
