Contributed By Zhong Lun Law Firm
Privacy and data protection provisions within the Chinese legal framework are scattered across laws and regulations at different legislative levels. Data subjects’ rights to privacy and data protection are protected by the Civil Code (民法典), the Criminal Law (刑法), the Law on the Protection of Consumer Rights and Interests (Consumer Protection Law; 消费者权益保护法), the E-commerce Law (电子商务法), Several Issues Concerning the Application of Law in the Trial of Civil Cases Relating to the Use of Facial Recognition Technologies to Process Personal Information (最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定), and most importantly, the “Three Fundamental Laws”: the Cybersecurity Law (CSL; 网络安全法), the Data Security Law (DSL; 数据安全法) and the Personal Information Protection Law (PIPL; 个人信息保护法). The Three Fundamental Laws have established the foundations of cybersecurity and data protection in China, which are supplemented by:
Since data protection is a topic that impinges upon all industries, there is a wide range of law enforcement departments related to it, many of which have intersecting duties and authorities. There is no centralised regulatory body. Among all these regulators, the three most important ones are the CAC, the MPS and the MIIT.
According to Article 8 of the CSL and Article 60 of the PIPL, the CAC is in charge of overall planning with regard to data protection and privacy, and co-ordinates the competent authorities. The MIIT, the MPS, the State Administration for Market Regulation (SAMR) and industry regulators are in charge of law enforcement in the respective industries. Moreover, it is noteworthy that the National Data Bureau, inaugurated in October 2023, is responsible for overseeing the integration, sharing and development of data resources, co-ordinating the construction of data infrastructure systems, and co-ordinating the planning and construction of digital China, the digital economy and digital society.
With regard to artificial intelligence, relevant regulators include the CAC (key regulator for AI security and data compliance), the MIIT (focusing on industry development), the Ministry of Science and Technology (focusing on technological ethics), as well as other sectoral regulators such as the MPS, press and publication administration, etc.
Network operators and data handlers are obliged to co-operate with cyberspace administrators and any other regulators in their inspections and supervisions (Article 49 of the CSL, also Article 63 of the PIPL). Law enforcement activities are triggered in different ways, including:
The Law on Administrative Penalty
The competent authorities, when imposing administrative punishment and enforcing the Three Fundamental Laws and other relevant laws and regulations (including for AI), must abide by the Law on Administrative Penalty. The competent authorities should conduct investigations to ascertain the facts of the alleged violating acts before imposing punishment on anyone (Article 36). The penalised parties should be given opportunities to state their case and defend themselves (Article 6). The penalised party is entitled to a hearing in cases where the administrative punishment involves suspension of business, rescission of a business permit or licence, or a large penalty (Article 42).
According to Article 6 of the Law on Administrative Penalty, where the penalised party refuses to accept the administrative punishment, they may first apply to the relevant administrative organ for reconsideration and, if they refuse to accept the reconsideration decision, they may initiate an action before the people’s courts. Unless required by any relevant laws to exhaust administrative reconsideration before seeking judicial review, they may also initiate an action before the people’s courts directly.
Other Applicable Rules
Additionally, public security departments must abide by the special rules provided for them under the Regulations for Internet Security Supervision and Inspection by Public Security Organs. For example, there must be at least two police officers in the event of an on-site inspection, and such law enforcement officers must keep confidential any personal and private information that becomes known to them during an inspection.
To oversee the administrative action initiated by the CAC, the Provisions on Administrative Law Enforcement Procedures of Cyberspace Administration Departments, setting the rules on jurisdiction, evidence, enforcement, etc, came into effect in June 2023. In addition, the Provisions on Administrative Penalty Procedures for Industry and Information Technology Authorities, emphasising the transparency of enforcement activities and protection of the penalised/inspected parties’ lawful rights and interests, became effective in September 2023.
China signed the Regional Comprehensive Economic Partnership (RCEP) on 15 November 2020, which came into effect on 1 January 2022, and is one of 15 member countries. An emphasis on personal information (PI) protection is made under chapters on trade in services (financial services, Annex 8A) and electronic commerce (Chapter 12). In principle, the orderly cross-border transfer of information for the purpose of conducting business must be protected by the member countries. In the interim, RCEP member countries are allowed to regulate the cross-border data transfer to safeguard public interest and national security.
The National Computer Virus Emergency Response Centre (CVERC; 国家计算机病毒应急处理中心) is a public institution in charge of tackling computer viruses. During the special project “Clearing the Network 2023”, the CVERC conducted security checks on the internet and detected multiple apps that violated privacy protection regulations. Such apps are required to be removed from app stores.
The China Consumers Association is a social organisation established in accordance with Article 36 of the Consumer Protection Law to supervise the provision of goods and services for the purpose of protecting consumers’ legitimate rights.
With regard to AI security governance, on 12 October 2023 the Special Committee on Artificial Intelligence Security Governance of the Cyberspace Security Association of China was established in Beijing, with the aim of organising industry and academia in the AI field to carry out technological innovation, industrial collaboration and industry self-regulation.
Privacy and data protection provisions in China share the same goals as those of various other jurisdictions, which are to safeguard the rights of PI subjects and to punish acts of infringement. Compared with the CSL, there are far more similarities between the PIPL and the GDPR.
Similarities Between the PIPL and the GDPR
Similar to the GDPR, the PIPL has an extraterritorial effect on overseas PI processing activities, when the processing is for the purpose of providing products or services to, or analysing individuals within, China.
Also similar to the GDPR, the PIPL provides for several legal bases including:
Another major similarity between the PIPL and the GDPR is the restriction on cross-border transfer of PI. Under the PIPL, where a PI handler intends to transfer PI collected within China to a recipient outside China due to business necessity, it has to meet certain conditions prescribed by the PIPL. Among these conditions, the certification and standard contractual clauses mechanisms are quite similar to those under the GDPR. Other similarities include the principles for processing PI, PI subject rights, obligations of PI handlers, restrictions on automated decisions, and restrictions on processing activities by government authorities.
Differences Between the PIPL and the GDPR
A noticeable difference is between the definition of sensitive PI under the PIPL and the definition of special categories of personal data under the GDPR, where the former covers a much wider range. Sensitive PI under the PIPL refers, broadly, to PI that may give rise to discriminatory treatment, or cause harm to personal or property security, once it is leaked or unlawfully provided, while the types of special categories of personal data are listed exhaustively under the GDPR. The requirements for processing sensitive PI under the PIPL follow the same framework as that for PI where separate consent is required, while under the GDPR, the default rule is not to process special categories of personal data except in certain circumstances.
“Separate consent” is a new requirement introduced by the PIPL, which is not yet clearly defined and might raise the requirement on the type of consent needed.
Other notable differences between the PIPL and the GDPR include: the PIPL has no lawful basis of legitimate interest; the PIPL has a post-mortem right for PI; the PIPL restricts personnel violating the PIPL from holding the position of high-level management or data protection officer (DPO); and there is no centralised regulatory body under the Chinese privacy protection regime. In China, the three most important regulators are the CAC, the MPS and the MIIT (see 1.2 Regulators).
Key Developments in Legislation in the Past 12 Months
Major Regulatory and Enforcement Activities in the Past 12 Months That Have Attracted Public Attention
In the next 12 months, it is expected that the following will take place.
The Three Fundamental Laws form the basic legal framework of China’s data protection and privacy framework. In addition, the following regulations and national standards are crucial to understanding the legal framework in China on data protection and privacy:
The following draft measures and national standards are important indicators of future legislation:
The CSL applies to network operators which cover virtually all companies involved in any kind of internet-based services. The PIPL applies to PI handlers, which refers to the person or entity that is in the position to decide the purpose and means of PI processing. The DSL applies to handlers conducting data-processing activities in mainland China. For most entities that process PI, the Three Fundamental Laws would apply.
Data Protection Officers (DPOs)
The CSL requires network operators to appoint personnel responsible for cybersecurity. When the amount of PI processed by an entity reaches a certain level, the entity must, according to the PIPL, appoint an officer in charge of PI protection. According to the PI Specification, if there are more than 200 personnel in an organisation and its main business involves processing PI, or if the organisation handles the PI of more than one million people (or the sensitive PI of more than 100,000 people), it should establish a department with designated full-time staff in charge of PI security.
The person in charge of PI protection is responsible for the overall planning and implementation of the internal PI protection system, stipulating and keeping the PI policy and process up to date, and organising internal training, etc.
Consent
Under the CSL, consent from the data subjects is required prior to the collection and processing of PI. According to the PIPL, there are other legal bases where no consent is needed (see 1.6 System Characteristics).
Privacy by Design or Default
Currently, there is no specific provision imposing any requirements of privacy by design/default, although they are helpful for fulfilling the obligations imposed by the CSL and PIPL. A similar approach is indicated in the PI Specification, where PI controllers are recommended to comply with national standards and to consider PI protection requirements when information systems are designed, developed, tested and released.
Privacy Impact Analysis
According to the PIPL, a risk assessment should be conducted before the following PI processing activities take place:
The GB/T 39335-2020 Guidelines for Personal Information Security Impact Assessment of Information Security Technologies would serve as guidelines for conducting such a risk assessment. For cross-border transfer of PI, the Outbound Measures would also provide reference for risk assessment.
Internal or External Privacy Policies
The CSL requires network operators to keep user information in strict confidence and to establish and improve the system for user information protection (Article 40). Network operators must adopt technical measures and other necessary measures to guarantee the security of the collected PI and protect the same from leakage, damage or loss (Article 42). In addition, the PIPL requires a management system that offers matching protection levels to data of different categories and of different levels of importance (Article 51).
External privacy policies that face PI subjects often serve as an approach for network operators to notify PI subjects as required under Article 41 of the CSL and Article 17 of the PIPL. The internal policies must be consistent with such external policies. What is promised to the users must be implemented by the internal management measures and technical measures. The PI Specification also recommends that a PI controller adopts a privacy policy, as well as internal management and technical measures, to safeguard PI.
Data Subject Rights
Article 43 of the CSL entitles individuals to require a network operator to delete their PI if they find that any operator collects or uses such information in violation of the laws, administrative regulations or the agreement by and between that operator and them. PI subjects are also entitled to require any network operator to make corrections if they find errors in the information collected and stored by an operator. Operators must take measures to delete the information or correct the error.
The PIPL provides PI subjects with the right, in relation to their data, to know, decide, restrict, object to its processing, access, copy, make portable, rectify, delete, withdraw their consent and cancel their account. In addition, PI subjects are also provided with related rights on automated decision-making (Article 24).
The right to data portability states that where PI subjects request to transfer their PI to another designated PI handler, such request will be fulfilled by PI handlers when the conditions stipulated by the CAC are met.
As for the right to withdrawal, the withdrawal of consent does not affect the lawfulness of processing based on that consent before its withdrawal. The right to withdraw does not apply to PI processing activities based on a legal basis other than consent.
Anonymisation
According to Article 42 of the CSL, there will be no disclosure of PI without the consent of the PI subject, unless such information has been processed to prevent that specific person from being identified, and that information from being restored. Such methods to process information include anonymisation and de-identification of PI, which are stipulated under the PI Specification. A similar regulation can be found under Article 4 of the PIPL.
Specifically, anonymisation refers to the process whereby PI is technologically processed to make PI subjects unidentifiable, and such PI cannot be restored to its previous state once processed. Once anonymised, the information is no longer considered as PI.
On the other hand, de-identification refers to the process whereby PI is technologically processed to make it impossible to identify PI subjects without the aid of additional information. In other words, it is still possible to identify an individual with the help of de-identified information and other information. Thus, de-identified information is still considered as PI.
Big Data Analysis, AI, Algorithms, etc
Profiling
The PI Specification recommends limiting direct-user profiling. Direct-user profiling is when the PI of a specific natural person is directly used to create a unique model of that natural person’s characteristics. PI controllers engaging in direct-profiling activities are required by the PI Specification to disclose the existence and purposes of the direct profiling.
Microtargeting
There are no laws or regulations directly regulating microtargeting in China. The effect of microtargeting is very similar to personalised recommendation (see “Automated decision-making” immediately below).
Automated decision-making
According to Article 24 of the PIPL, an automated decision should be transparent and fair. The PI subject is entitled to request an explanation and to refuse the decision if the automated decision has a significant impact on its rights and interests. In addition, when automated decision-making is used for commercial advertising or pushing notices, an option to receive a non-personalised message or a method to refuse such messages must be given to the PI subject.
Online monitoring or tracking
Under the CSL and PIPL regime, tracking technologies such as cookies are not prohibited; cookies are usually regarded as PI, the collection of which must comply with PI requirements.
Big data analysis
In big data analysis, it is inevitable that data collected from various sources will be aggregated and used for a purpose that is normally different from the one for which the data was originally collected. Pursuant to the PI Specification, such data merging remains subject to the purpose for which the data was collected. In other words, the use of the aggregated or merged data in big data analysis must be consistent with the purpose consented to by the data subject prior to such use. Furthermore, big data analysis may not be used to discriminate against customers.
Artificial intelligence
In 2023, the regulatory framework on AI was systematically built and implemented in China. The AIGC Measures expressly outline the regulatory framework for AI-generated content (AIGC) technology, encompassing various stages such as model training, application deployment, model optimisation and multiple subjects like AIGC developers, service providers, and users. In addition, the Measures for Review of Scientific and Technological Ethics (Trial) demonstrate China’s significant attention to technology development as well as ethical reviews of AI.
In addition to the above provisions, regarding the specific application of AI technology, as stipulated by the Administrative Provisions on Deep Synthesis in Internet-Based Information Services, contents generated by deep learning or other new technologies must be identified in a noticeable way.
Algorithms (explanations, logic, code)
Algorithm recommendation technologies have become the focus of the regulatory department. According to the Algorithm Provisions, “application of algorithm recommendation technologies” refers to the use of algorithmic technologies such as generation and synthesis, personalised push, sorting and selection, retrieval and filtering, scheduling decision-making, etc, to provide information to users. Algorithm recommendation service providers with public opinion attributes or social mobilisation ability must, within ten working days from the date of providing services, go through the filing procedures. In the past 12 months, the CAC has announced three batches of domestic deep-synthesis service algorithm filing information, including algorithms from technology companies such as Baidu, Alibaba, Tencent, etc.
Injury or Harm
In the event of an infringement of their privacy or legitimate rights, PI subjects may resort to the legal remedies provided by the Civil Code and the PIPL. In addition, injury or harm related to privacy and data rights could also lead to criminal liabilities where there is a serious circumstance of illegal sale or provision of PI.
A serious circumstance is deemed to have occurred where there is an illegal sale or provision of:
Data that is subject to special regulations under the Chinese legal framework includes, without limitation, sensitive PI, important data, national core data and business data from certain industry sectors.
The definition of sensitive PI is discussed in 1.6 System Characteristics. Financial data, health data, communications data, voice telephony and text messaging, the content of electronic communications and a person’s sexual orientation are categorised as sensitive PI. More stringent restrictions and higher protection standards are applicable to sensitive PI.
The PI of children under 14 years old is also sensitive PI and is subject to special protection under the Provisions on the Cyber Protection of Children’s PI. Student data is not necessarily sensitive PI. It depends on which specific data type it is.
Employment-related data will not be deemed as sensitive PI merely because it is employment related. But if it falls into the category of sensitive PI because, for example, it contains the identity card number or bank account number of an employee, relevant regulations on sensitive PI would apply.
Specific identity and political or philosophical beliefs are deemed to be sensitive PI under the PIPL regime.
With regard to AI data, AIGC service providers are legally required to take effective measures to ensure the authenticity, accuracy, objectivity, and diversity of the training data while conducting data training, and properly fulfil the data protection obligations. Moreover, AIGC service providers and users are legally required not to infringe on the privacy rights and PI rights of others. AIGC service providers must also perform their legal obligations as PI handlers, including but not limited to obtaining the necessary consent, processing individual requests to exercise their rights, etc.
Internet, Streaming and Video Issues
Browsing data, viewing data, cookies, beacons and location data are all regarded as sensitive PI. Tracking technology is not prohibited under Chinese law. However, if PI is collected and used for behavioural or targeted advertising which has not been agreed to by the data subjects (and no other legal basis exists), that collection and use of PI would be deemed illegal. There have been some discussions regarding privacy and data protection with major internet platforms such as WeChat and TikTok, but there has been no significant law enforcement activity or administrative punishment imposed on those companies, as there has been on Google and Facebook.
According to the CSL and the Administrative Measures on Internet-Based Information Services, the network service provider will be liable for any erroneous, illegal or prohibited information published on a website or other medium it provides, whether intentionally or negligently. If the provider immediately takes action to stop the wrongdoing or blocks access to such inaccurate information after receipt of notice from the affected party, its liability might be limited.
See 2.3 Online Marketing for discussion of behavioural or targeted advertising.
See 2.1 Omnibus Laws and General Requirements for a discussion of data subject rights, the right to be forgotten, data access and portability, the right of rectification or correction, rights to object to the sale of data and rights for automated decision-making.
The Advertising Law is the fundamental law that regulates advertising. The Measures for Administration of Internet Advertising apply to online marketing. The sender must obtain from the recipients their consent to, or request for, advertising and the sender must also disclose their true identity, contact details and the opt-out method for advertisements distributed via electronic means.
Since online marketing, particularly behavioural and targeted advertising, is normally based on the analysis of PI collected from users, regulations on PI collection and use must be observed. To begin with, PI may not be collected or used for behavioural advertising if the PI subjects have not agreed to this. Pursuant to Article 24 of the PIPL, if business marketing or push-based information delivery is conducted towards an individual by means of automated decision-making, an option not targeting the personal characteristics of the individual, or an easy way to refuse to receive this, must be provided to the individual. In addition, according to the PI Specification, the use of indirect user profiling which is generated from PI that is not from particular persons is recommended for online marketing, rather than direct user profiling. Also, where a personalised display is used for online marketing, an option to turn the function off and to delete or anonymise the PI used for such a personalised display should be provided to the users.
Special Laws
Currently, there is no special law or regulation regulating workplace privacy. This is governed by the Employment Law, the Employment Contract Law, the CSL, the PIPL, and relevant laws and regulations governing PI. The PI of an employee is subject to the same PI protection regime as that of any other regular person.
AI Issues and Requirements
At present, China’s AI-related laws contain no specific provision on workplace privacy. However, the application of AI technology in the workplace should adhere to the general legal requirements for AI, which include taking effective measures to prevent discrimination based on belief, gender, age, health, etc, and infringement of individuals’ privacy and other PI-related rights.
Workplace Communications
Although employees’ PI is protected in the same way as regular PI, it is a fact that the employment relationship between employees and employers has its own features. It is commonly understood that employers must duly notify their employees that activities in the workplace, during working hours, and conducted with working facilities, are supervised and monitored by the employers. Employment contracts or the employee handbook usually contain clauses in this regard. Normally, the voluntary provision of PI by employees under the employment contract would be deemed as giving authorisation to their employers to collect and use their information in accordance with the purpose of employee management.
Unions
In China, labour unions do not play the same role as those in Western countries. Where there is infringement of employees’ PI rights, instead of appealing to a labour union, the employees may report this to the competent authorities in charge of cybersecurity and PI protection.
Whistle-Blowers
Corporations usually adopt internal supervisory and reporting mechanisms, including whistle-blower hotlines and anonymous reporting channels. It is always an option, however, to report malfeasance to the competent government authorities. There is no unified standard rule and reporting mechanisms vary between corporations and industries.
E-discovery
E-discovery follows relevant litigation and arbitration rules. Access to employees’ PI for the purpose of e-discovery would be deemed as use in direct relation to a court trial, and thus no consent is required for the collection and use of such information. However, there might be situations where e-discovery is not necessarily directly related to court trials. Thus, it is advisable to plan ahead by establishing an archive system and incorporating clauses on access to an employee’s PI for the purposes of e-discovery and other reasons into the employment contract or employee handbook.
Other Issues
Network operators are required to implement technical measures and other necessary measures to guarantee the security of the collected PI and protect it from leakage, damage or loss. This may include the use of data loss-prevention technologies. There is no law or regulation prohibiting employers from blocking websites to secure the productivity of their employees, and it is advisable to publish such measures in the employment contract, employee handbook or relevant company policies.
Legal Standards for Regulators
The CSL, the DSL, the PIPL and the Consumer Protection Law are the four most fundamental standards used by law enforcement to regulate and punish violations of privacy or data protection laws. The PI Specification is heavily relied on as well. For data-processing activities that may endanger national security, the Cybersecurity Review Measures will also be referred to. For enforcement of AIGC violations, the CSL, the DSL, the PIPL, the Scientific and Technological Progress Law, etc, will be referred to. The Standards for Determining Unlawful Collection of Personal Information by Apps set the rules for law enforcement against violations by mobile applications.
Potential Enforcement Penalties
Under the PIPL, the penalties for violations may include an order of rectification, a warning, confiscation of illegal earnings, and suspension or termination of apps or services. For severe violations, the violator may be fined up to CNY50 million or 5% of its turnover of the previous year at the company level, the person directly in charge may be fined up to CNY1 million, and company business licences and permits may also be revoked.
Depending on the violation, different sanctions and penalties may be imposed under the CSL. For instance, non-compliance with the PI-protection-related provisions in the CSL may result in orders to take rectification measures, a warning, confiscation of illegal earnings, fines, or a combination of these. The fine must be more than the illegal earnings but less than ten times that amount. Where there are no illegal earnings, the fine may not exceed CNY1 million. The directly responsible person may face a fine ranging from CNY10,000 to CNY100,000. In the case of a severe violation, the competent authority may order suspension of related business, winding up for rectification, shutdown of a website, and revocation of the business licence of the operator or provider.
It is worth noting that the Draft Revised CSL has increased the amount of fines to the same level as the PIPL. For severe violation, the amount of the fine may be up to CNY50 million or 5% of the violator’s turnover in the previous year. The person directly in charge may be fined up to CNY1 million.
Where there is a severe violation that could lead to criminal prosecution, the prosecution standards are stipulated by the Supreme People’s Court and the Supreme People’s Procuratorate Interpretations (see the discussion in 2.1 Omnibus Laws and General Requirements).
Leading Enforcement Cases
Among the law enforcement activities pursued in 2023, violations punished by the administrative authorities include failure to obtain data subjects’ consent before PI collection, failure to implement a cybersecurity or PI protection system, and failure to detect a security vulnerability in network services. In the past 12 months, the CAC has conducted cybersecurity reviews on several enterprises to protect national data security, public interests, and the rights and interests of PI subjects.
Private Litigation
In general, most cases or proceedings take the form of administrative investigation and punishment initiated and imposed by government authorities. The legal bases for an individual to initiate private litigation mainly include the Civil Code, the Consumer Protection Law, the CSL and the PIPL.
There have been many public interest lawsuits initiated from the Civil Code. It is expected that there will be more private litigation on PI protection in the coming year.
With regard to the field of AI, one civil case worth noting involved an individual suing an app operator after discovering that an AI-generated version of his voice was being sold on the app. The individual filed a lawsuit against the company that operated the app, claiming that it had infringed his right of voice. This case is still under further trial. In another notable civil case, the Beijing Internet Court held in November 2023, on the specific facts of that case, that the images generated by the AI model in question possess originality and that the copyright thereof shall be enjoyed by the AIGC user. This is the first case in China to affirm the copyright of AI-generated images. It is expected that there will be more AI-related litigation in 2024.
For the purpose of criminal prosecution, the people’s courts, the people’s procuratorates and public security bureaus are empowered by the Criminal Procedure Law to collect or obtain evidence from the entities and individuals concerned. Relevant parties are obliged to co-operate and provide truthful evidence (Article 54). Evidence involving any state secret, trade secret or private PI must be kept confidential (Article 152). Collection of evidence by judges, prosecutors and investigators from public security bureaus must follow legal procedure. When a search is to be conducted, a search warrant must be presented to the person to be searched (Article 138). A search warrant may be issued by the people’s procuratorates and public security bureaus. Any staff members of the authorities performing PI protection duties who neglect their duty, abuse their authority or commit malpractice for personal gain, without those actions constituting a crime, will be subject to disciplinary action pursuant to the laws (Article 68 of the PIPL).
The Constitution provides for the fundamental protection of privacy. The state respects and protects human rights (Article 33). The personal dignity of citizens of the People’s Republic of China is inviolable (Article 38). The freedom and privacy of correspondence of citizens of the People’s Republic of China are protected by law (Article 40). According to Article 77 of the National Security Law, citizens and organisations are under a general obligation to provide support and assistance for work relating to national security.
Pursuant to the newly revised Counterespionage Law, activities such as cyberattack, intrusion, interference, control or destruction, among others, against a state organ, an entity involving state secrets or critical information infrastructure (CII), etc, committed by an espionage organisation or its agent, by any other person instigated or funded by such an organisation or individual, or by any domestic institution, organisation or individual in collusion with such an organisation or individual, are defined as espionage (Article 4). A national security authority may, as needed for counterespionage work, legally inspect the electronic equipment, facilities, relevant apps and tools of a relevant organisation or individual. If the national security authority discovers any circumstances compromising national security during inspection, it will order the organisation or individual to make rectification, and may take seizure or impoundment measures if the organisation or individual in question refuses to rectify the situation or still fails to satisfy the relevant requirements after rectification (Article 25).
China is not a signatory to the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities (14 December 2022). However, the power of the national security authorities is not unrestricted. According to Article 37 of the Counterespionage Law, where any staff member of a national security authority divulges any state secret, trade secret or piece of private individual information, in violation of the relevant provisions, which constitutes a crime, the staff member will be subject to criminal liability in accordance with the law. In addition, according to Article 35 of the DSL, where a public security organ or state security organ needs to retrieve data for the purpose of safeguarding national security or investigating crimes, it will go through strict approval formalities in accordance with relevant provisions. The procedural requirement and protection provided by the Criminal Procedure Law, as mentioned in 3.1 Laws and Standards for Access to Data for Serious Crimes, is also applicable here.
Organisations in China cannot invoke foreign government access requests as a legitimate basis to collect and transfer PI. On the contrary, according to Article 36 of the DSL, organisations may not provide any foreign judicial or law enforcement body with any data stored within the territory of China without the approval of the competent authority.
Industry leaders, such as Huawei and ZTE, were accused of being manipulated by the Chinese government and secretly providing PI to the government. Some media voices also allege that the Counterespionage Law authorises the government to take or confiscate any property that might endanger national security. Yet, as discussed in 3.2 Laws and Standards for Access to Data for National Security Purposes, the laws and regulations only allow the government to access PI under special circumstances. Only for specific purposes such as criminal investigation, investigation of activities compromising national security and counterespionage work may the government conduct investigations that involve access to PI. During the course of investigations, the authorities must abide by strict procedures prescribed under relevant legislation. In addition, infringement of individual privacy by government authorities is regulated by both the Counterespionage Law and the Criminal Procedure Law. The PIPL also stipulates restrictions on the PI processing activities of government authorities for law enforcement or national security purposes.
According to the CSL, PI collected by CIIOs during their operations in China must be stored within Chinese territory. Where there is a need to transfer such information overseas, a security assessment must be conducted. The PIPL extends this obligation, to a certain extent, beyond CIIOs to other entities that process PI: a security assessment must be passed before PI can be transferred overseas. So far, the import of data from overseas into China has not been a focus of the regulators.
The PIPL provides three routes for cross-border data transfer compliance: (i) a security assessment organised by the authority; (ii) certification by the approved agencies; and (iii) standard contracts signed with the receiving party.
According to the Outbound Measures, the security assessment mainly covers: the legality, legitimacy and necessity of the purpose, scope and method of transferring the data abroad; an impact analysis of the data security policies and regulations and the network security environment of the country or region where the overseas recipient is located; the data protection level of the overseas recipient; the quantity, scope, type and sensitivity of the data; the risk of leakage, tampering, loss, damage, etc; the protection of data security and of the rights and interests of PI subjects; the legal documents between the data handler and the overseas recipient; etc.
The certification mechanism mentioned in the PIPL is finalised by the Certification Specification.
As to the standard contractual clauses, the Chinese SCCs came into effect on 1 June 2023.
As to derogations, Article 38 of the PIPL allows the provision of PI according to international treaties or agreements concluded or acceded to by China. Further, the CBDT Provisions provide for the following scenarios that are exempt from the cross-border data transfer application procedures:
The cross-border transfer of PI and important data is regulated under the Three Fundamental Laws. CIIOs are required by the CSL to conduct a security assessment prior to the cross-border transfer of PI and important data (see the discussion in 5.7 Other Significant Issues on the definition of important data). For non-CIIOs transferring PI, refer to 4.2 Mechanisms or Derogations That Apply to International Data Transfers.
With respect to important data, data handlers are required by the DSL to abide by the regulations or measures issued by a certain authority, which refers to the Outbound Measures.
The first and foremost data localisation requirement is that national secrets are not allowed to be transferred overseas. Secondly, PI and important data collected by CIIOs in the course of their operations in China are required to be stored domestically and a security assessment is required for cross-border data transfer. For data handlers that are not CIIOs, but who process PI that reaches a certain volume threshold or collect important data, a security assessment is also required. Additionally, there are localisation requirements for special business data, including, without limitation:
In principle, such data must be stored within Chinese territory (excluding the Hong Kong, Macau and Taiwan regions) and may not be freely transferred overseas. Where it is necessary to transfer such data overseas, special requirements for each type of information will be applied.
There is no law or regulation requiring technical details, such as software code or encryption, to be shared with the government. For algorithms, the algorithm recommendation service providers are required to provide an assessment report of the algorithm mechanism and model during the filing procedures, the purpose of which is to ensure that the algorithm recommendation service providers are not setting up an algorithm model in violation of any laws, regulations or ethics.
Network operators are obliged to provide the necessary technical support and assistance to public security authorities and national security authorities for the purpose of safeguarding national security and investigating crimes according to the law (Article 28 of the CSL). The cybersecurity examination of online products and services that may affect national security is not aimed at acquiring technical details (Article 35 of the CSL); rather, the purpose of this examination is to evaluate whether there is a risk of massive data leakage, loss or cross-border movement; a risk of interruption of services; or a risk of a CIIO being controlled by foreign entities. Sharing technical details should be a voluntary decision on the part of the relevant entities.
According to Article 36 of the DSL, organisations may not provide any foreign judicial or law enforcement body with any data stored within the territory of China without the approval of the competent authority. With respect to internal investigations, the restrictions on data collection and cross-border data transfer mentioned above will apply.
In addition to Article 36 of the DSL, discussed in 4.6 Limitations and Considerations, the Rules on Counteracting Unjustified Extra-Territorial Application of Foreign Legislation and Other Measures of the People’s Republic of China (“the Rules”) were released by the Ministry of Commerce of the People’s Republic of China (MOFCOM) on 9 January 2021, with immediate effect. The Rules are considered to be China’s blocking statute and have set up a relatively comprehensive system for countering economic sanctions, intended to deal with the long-arm jurisdiction of certain countries and regions.
Big Data
When it comes to emerging digital and technology issues, it is hard to ignore the fact that the inherent biases of algorithms may lead to the infringement of individual rights and discrimination. Until the technologies are mature, and the error rates manageable, network operators and data handlers will continue to take a cautious attitude towards the application of such technologies.
For a discussion of big data analytics, automated decision-making, profiling and artificial intelligence (including machine learning), see 2.1 Omnibus Laws and General Requirements.
Network operators in the business of the internet of things (IoT) and big data analytics must pay special attention to implementing the MLPS. According to the national standards constituting the MLPS 2.0, IoT and big data applications are expressly included in the protected objects of the MLPS. Specific security requirements can be found in the corresponding national standards. Network operators of IoT and big data applications are advised to commence the grading and classification at their earliest convenience.
Automated Decision-Making
For the purpose of automated decision-making, a vast amount of data will be collected and aggregated. Taking autonomous vehicles as an example, the vehicles will be continuously collecting all location data of the users, which will be used, among other things, to generate direct user profiles. The MIIT issued some regulations regarding intelligent connected vehicles and provided requirements for collecting and processing data. The CSL, the PIPL, the PI Specification and relevant national standards would apply to the collection and processing of PI, including automated decision-making.
Biometric Data
The application of biometric data, including facial recognition, is increasing. Biometric data is highly sensitive PI. It is unique to each individual and it is impossible to change one’s biometric data. Processing of biometric data must be conducted with much higher and more stringent standards. Requirements for collecting and processing sensitive PI are found under Section 2, Chapter 2 of the PIPL. Additionally, the GB/T 40660-2021 Information Security Technology – Basic Requirements of Biometric Data also provides guidance for the processing of such data.
Other Areas
Geolocation data is sensitive PI, the collection and processing of which must be in accordance with the applicable rules as discussed in 2.2 Sectoral and Special Issues.
Drones, which are being used for recreational purposes as well as for law enforcement, are getting smaller and cheaper while the images a drone can produce are clearer and more accurate than ever. So far, only general rules on privacy and data protection are applicable to the use of drones.
Disinformation, deepfakes and other illegal content, such as inflammatory speech or erroneous content on the internet, are regulated by the ecological governance of internet information content (see the discussion under 2.2 Sectoral and Special Issues). Should an individual suffer online harm, they can resort to the Civil Code and other applicable regulations and claim damages against the wrongdoer and/or the platform operator (if applicable).
“Dark patterns” and other online manipulation are regulated under the Consumer Protection Law and the PIPL. According to Article 8 of the Consumer Protection Law, consumers are entitled to autonomous selection of goods or services, and have the right to make comparisons, identification and selection. Pursuant to Article 5 of the PIPL, it is forbidden to process PI through deception, fraud and coercion.
Fiduciary duties for privacy or data protection have not been expressly defined under the current legal framework. Similar obligations might be the duties of the DPOs (see the discussion under 2.1 Omnibus Laws and General Requirements).
To address the problems and concerns brought about by emerging technologies, TC260 is actively conducting research and has released industry study reports and, most importantly, recommended national standards to guide the application of various cutting-edge technologies. For example, TC260 published the Practice Guide to Cybersecurity Standards – Guidelines on the Code of Ethics for Artificial Intelligence in January 2021 to address ethics topics regarding artificial intelligence. The Measures for Review of Scientific and Technological Ethics (Trial) require relevant organisations whose research content involves sensitive areas of the ethics of science and technology to set up an Ethics of Science and Technology (Review) Committee to carry out ethical review.
There are plenty of special enforcement projects, such as Clearing the Network 2023 (净网2023), launched by the MPS and implemented by provincial public security departments throughout the year. The CSL and the PIPL have been the major legal basis for investigations and punishment (refer to 2.5 Enforcement and Litigation for more details). There has been no civil case with a large settlement or joint action with respect to privacy and data protection (including AI). However, refer to 2.5 Enforcement and Litigation for discussion of two remarkable civil cases.
Due diligence on privacy and data protection in corporate transactions would normally start with interviews to gain an understanding of the existing situation in terms of cybersecurity protection measures and data processing at the relevant company. A gap analysis would then be conducted to evaluate the deviation between compliance requirements and the actual situation. The last step would be offering compliance suggestions. The focus of the due diligence would usually be on the following aspects:
According to the disclosure requirements for listed companies, investigations, criminal punishment or major administrative punishment must be disclosed.
Unlike the legislative moves in the EU, there is no single national-level law or regulation governing tech companies and digital technology, such as the Digital Markets Act, the Digital Services Act, the Data Act, or the UK Digital Regulatory Co-operation Forum. However, just as the above instruments focus on promoting fairness and competition in the digital sector and on better protection of individuals’ fundamental rights, several provisions to the same effect are scattered across laws and regulations at different legislative levels in China.
For the facilitation of fairer competition, the Draft Revised Anti-unfair Competition Law of the People’s Republic of China was published for comments in 2022.
For the governance of large online platforms, Article 58 of the PIPL requires important internet platform service providers to establish a sound PI protection compliance system and accept supervision from the public. To ensure fair service to individuals, the Anti-monopoly Guidelines of the Anti-monopoly Commission of the State Council on Platform Economy became effective in 2021. In addition, the Cybersecurity Review Measures aim to ensure that platforms processing large amounts of PI do not endanger national security.
For the protection of individuals from false information, the Administrative Provisions on Deep Synthesis in Internet-Based Information Services and the AIGC Measures came into effect in 2023. In addition, regulations in the financial sector may impose certain obligations.
The terms “important data” and “CII” are concepts unique to the CSL, PIPL and DSL regime.
Important Data
According to the Important Data Identification Guidelines (Draft), “important data” refers to data which, if tampered with, damaged, divulged, or illegally obtained or utilised, may affect national security and the public interest. So far, no regulation on the methods for identifying important data or on its scope has been officially published. However, according to the Important Data Identification Guidelines (Draft), important data does not usually include state secrets or PI, but rather statistical data and data derived from massive amounts of PI. Even though these guidelines have not come into force, there are indications that amendments to the legislation on important data, and enforcement trends in the same area, are to be expected. The cross-border transfer of important data is subject to special procedures, which are discussed in detail in 4.3 Government Notifications and Approvals.
Critical Information Infrastructure (CII)
The CSL, PIPL and DSL provide for a special protection scheme in China on CII and the corresponding protection principles. The Security Protection Regulations for Critical Information Infrastructure came into effect in September 2021. Other regulations and national standards on CII are currently at the stage of soliciting opinions. Information infrastructure in important industries and sectors – such as public communications, information services, energy, transport, water conservancy, finance, public service, e-government and the national defence science and technology industry – might fall within the scope of such regulation. The purpose of offering extra protection for CII is to protect national security, the national economy, people’s livelihoods and the public interest.
22-31/F, South Tower of CP Centre
20 Jin He East Avenue
Chaoyang District
Beijing 100020
PRC
+86 010 5957 2003
+86 010 6568 1022
chenjihong@zhonglun.com
www.zhonglun.com