Privacy and data protection provisions within the Chinese legal framework are scattered across laws and regulations of different legislative levels. Data subjects’ rights to privacy and data protection are protected by the General Rules of the Civil Law (民法总则), the Criminal Law (刑法), the Tort Liability Law (侵权责任法), the Law on the Protection of Consumer Rights and Interests (Consumer Protection Law; 消费者权益保护法), the e-commerce Law (电子商务法) and, most importantly, the Cybersecurity Law (CSL; 网络安全法). The CSL establishes the foundations of cybersecurity and data protection, which are supplemented by regulations promulgated by the Cyberspace Administration of China (CAC) and by ministries including the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS), as well as by national standards issued by the National Information Security Standardisation Technical Committee (TC260). Among all the national standards, GB/T 35273-2017 Information Security Techniques - Personal Information Security Specification (PI Specification; 个人信息安全规范) is the key standard: although it is not mandatory, it provides detailed guidance on the management of the full life cycle of personal information. Throughout 2019, several drafts of the PI Specification were published for comments. The last version was released in October 2019 (PI Specification Draft).
Since data protection is a topic that impinges upon all industries, there are a wide range of law enforcement departments related to it and their duties and authorities intersect with each other. There is no centralised regulatory body. Among all the regulators, the three most important ones are CAC, MPS and MIIT.
According to Article 8 of the CSL, the CAC is in charge of overall planning with regard to data protection and privacy, and co-ordinates the competent authorities. The MIIT, the MPS, the Market Supervision and Administration, and industry regulators are in charge of law enforcement in the respective industries.
Under the CSL, network operators are obligated to co-operate with cyberspace administrators and any other regulators in their inspections and supervisions (Article 49). Law enforcement activities are triggered in different ways, including:
The competent authorities, when imposing administrative punishment and enforcing the CSL and relevant laws and regulations, shall abide by the Law on Administrative Penalty (行政处罚法). The competent authorities should conduct investigations to ascertain the facts of the alleged violation before imposing punishment on anyone (Article 36). The penalised parties should be given the opportunity to state their case and defend themselves (Article 6). The penalised party is entitled to a hearing where the administrative punishment involves suspension of business, rescission of a business permit or licence, or a large penalty (Article 42).
According to Article 6 of the Law on Administrative Penalty, where the penalised party refuses to accept the administrative punishment, he or she may first apply to the relevant administrative organ for reconsideration and, if refusing to accept the reconsideration decision, may initiate an action before the people's courts. Unless it is required by any relevant laws to exhaust administrative reconsideration before seeking judicial review, he or she may also initiate an action before the people's courts directly.
Additionally, public security departments shall abide by the special rules provided for them under the Regulations for Internet Security Supervision and Inspection by Public Security Organs (公安机关互联网安全监督检查规定). For example, at least two police officers shall be present in the event of an on-site inspection. The law enforcement officers shall keep confidential any personal and private information that becomes known to them during the inspection.
So far, China has not become a member of the Cross-Border Privacy Rules System under the APEC Privacy Framework. Neither has China entered into any bilateral agreements on trans-border data flow.
The Personal Information Protection Task Force on Apps (App专项治理工作组) is a semi-governmental organisation founded in January 2019 by TC260, the China Consumers Association, the Internet Society of China and the Cybersecurity Association of China under the auspices of the CAC, the MIIT, the MPS and the Market Supervision and Administration. The Task Force is devoted to handling users' reports and publishing compliance guidelines for regulating the collection and use of personal information in apps.
The China Consumers Association is a social organisation established by Article 36 of the Consumer Protection Law to supervise the provision of goods and services for the purpose of protecting consumers’ legitimate rights. Among other duties, the Association shall:
The Cybersecurity Association of China (CSAC; 中国网络空间安全协会) is the first nationwide social organisation in the field of cybersecurity with a focus on guiding enterprises in various industries to perform their cybersecurity obligations and researching the development of trends and features of the cyberspace environment as well as of cybersecurity legislation.
The Internet Society of China (中国互联网协会) is a nationwide social organisation initially founded by network access carriers, internet service providers, facility manufacturers, research institutes and other market participants. The Internet Society of China is a leading power which links members of the internet industry community together and pushes forward industry self-regulation.
In addition to the registered social organisations, there are industry self-regulatory organisations such as the Nandu Personal Information Protection Research Centre organised by Nanfang Media Group and Research Alliance for Data Governance and Cyber Security (DGCS-Alliance). Such organisations arrange research projects and discussions on privacy and data protection and make efforts to enhance good practice in the industry.
Privacy and data protection provisions in China share the same goals as those of various other jurisdictions, which are to safeguard the rights of personal information subjects and to punish acts of infringement. There are many similarities between the CSL and the GDPR, particularly regarding the principles for processing personal information and most personal information subject rights.
The fundamental difference is that the CSL establishes the consent of personal data subjects as the legal basis of personal data collection, with several exceptions provided under the PI Specification (please refer to 2.1 Omnibus Laws and General Requirements for more information), while consent is only one of the six legal bases for lawful data processing in the GDPR. The different approach towards consent taken by the CSL lays the foundation of the data and privacy protection regime under the Chinese legal framework and leads to some major differences from GDPR and other national systems.
A noticeable difference lies between the definition of personal sensitive information under the Chinese legal framework and the definition of special categories of personal data under the GDPR: the former covers a much wider range. Personal sensitive information under the PI Specification refers to personal information that, once leaked, unlawfully provided or abused, may cause harm to personal or property security, is very likely to result in damage to an individual’s personal reputation or physical or mental health, or may give rise to discriminatory treatment, while the special categories of personal data under the GDPR are exhaustively enumerated. The requirements for processing personal sensitive information under the CSL regime follow the same framework as that for personal information, where explicit consent is needed, subject to more stringent restrictions; under the GDPR, by contrast, the default rule is not to process special categories of personal data except in certain circumstances.
Another difference between the CSL and the GDPR lies in the rules regarding data localisation and cross-border transfer of data. The GDPR limits data flows to third countries and organisations through mechanisms such as the Standard Contractual Clauses, while the CSL mainly relies on a security assessment as its cross-border data flow requirement.
Last but not least, there is no centralised regulatory body under the CSL regime, as there is under the GDPR. In China, the three most important regulators are the CAC, the MPS and the MIIT.
Law enforcement activities are gradually getting both more frequent and more aggressive. Even though the penalties under the CSL are not as significant as those under the GDPR, it has been noted that the administrative punishments are becoming more severe.
Key developments in legislation in the past 12 months include:
Major regulatory and enforcement activities that drive public attention include:
In the next 12 months, it is expected that:
In addition to the CSL, the following regulations and national standards are crucial to understanding the legal framework in China on data protection and privacy:
The following draft measures and national standards are important indicators of future legislation:
The data and privacy regulations are applicable to network operators. According to Article 76 of the CSL, a network operator refers to the owner or manager of a network or the provider of a network service, which encompasses virtually all companies involved in any kind of internet-based service.
Data Protection Officers (DPO)
The CSL requires network operators to appoint personnel responsible for cybersecurity. Management measures in the PI Specification also advise a personal information controller to appoint a head in charge of personal information protection and an agency in charge of personal information protection. If there are more than 200 personnel in an organisation and its main business involves processing personal information, or if the organisation is expected to handle the personal information of more than 500,000 people within 12 months, it should establish a department with designated staff in charge of personal information security. The person in charge of personal information protection is not as independent as the DPO under the GDPR; he or she may be dismissed or penalised for not performing their tasks well.
As a basic principle under the CSL, consent from the data subjects is required prior to the collection and processing of personal information. According to the PI Specification, no consent is needed where the collection and use are:
But since the PI Specification is not binding, the CSL will prevail in case of any conflict.
Privacy by Design or Default
No provision in the current binding data and privacy laws imposes any requirement of privacy by design or by default, although such practices are helpful for fulfilling the obligations imposed by the CSL. A similar system is indicated in the PI Specification Draft, where personal information controllers are recommended to comply with national standards (including the Information Security Technology - Guidelines for Personal Information Security Engineering (Draft) (个人信息安全工程指南-征求意见稿)) and to consider personal information protection requirements when they design, develop, test and release an information system. This clause on personal information security engineering has been newly added to the PI Specification Draft, which shows that, in addition to data processing activities, much more attention is now being paid to the design of the information system as well.
Privacy Impact Analysis
According to the PI Specification, personal information security impact assessment should be conducted where there is a relatively high risk of a security event. In the event of delegated processing, it is necessary to conduct a personal information security impact assessment to make sure that the entrusted party has adequate data security capacity to offer sufficient protection to the delegated personal information. Prior to the sharing, transfer, public disclosure or aggregation of personal information and the adoption of an automated decision mechanism based on that collected personal information, it is necessary to conduct a personal information security impact assessment and to adopt adequate protection measures accordingly. The person and agency in charge of personal information protection shall be responsible for conducting the analysis in accordance with the Security Impact Assessment Guide of Personal Information (Draft).
Internal or External Privacy Policies
The CSL requires network operators to keep the user information that they have collected in strict confidence and to establish and improve the system for user information protection (Article 40). Network operators shall adopt technical measures and other necessary measures to guarantee the security of the collected personal information and prevent the same from leakage, damage or loss (Article 42).
Data Subject Rights
Article 43 of the CSL entitles an individual to require a network operator to delete his or her personal information if he or she finds that the collection and use of such information by the operator violates the laws, administrative regulations or the agreement between the operator and him or her, and to require any network operator to make corrections if he or she finds errors in the information collected and stored by the operator. Operators shall take measures to delete the information or correct the error.
The PI Specification provides, and describes in detail, the personal information subjects’ rights of access, rectification, deletion, withdrawal of consent and account cancellation. In addition, personal information subjects are also entitled to obtain copies of their personal information, limitation on automated decision-making, etc.
An exception to the right to access is that when a personal information subject requests access to personal information that he or she did not voluntarily provide, personal information controllers can evaluate the request, taking into account the risk of harm to the subject’s lawful rights and interests that could arise from not responding to the request as well as that request's technical feasibility and cost.
As for the right to withdrawal, the withdrawal of consent does not affect the lawfulness of processing based on that consent before its withdrawal.
The right to PI copies under the Chinese data protection regime is not the same as the right to data portability under the GDPR, the latter of which includes, among other things, the right to request the transfer of data from one data controller to another.
The right to deletion under the CSL regime is different from the right to be forgotten under the GDPR. The legal basis for exercising the right to deletion includes illegal acts or violation of the agreement. Yet the right to be forgotten provides for a wider range of legal bases for data subjects to demand deletion.
As the CSL regime doesn’t adopt the concept of legitimate interests, there is no data subject right comparable to the right to restriction of processing under the GDPR.
According to Article 42 of the CSL, there shall be no disclosure of personal information without the consent of the personal information subject unless such information has been processed so that the specific person cannot be identified and the information cannot be restored. Such processing methods include the anonymisation and de-identification of personal information, both of which are stipulated under the PI Specification.
Specifically, anonymisation refers to the process whereby personal information is technologically processed to make personal information subjects unidentifiable, and the personal information cannot be restored to its previous state once processed. Once anonymised, the information is no longer considered as personal information.
On the other hand, de-identification refers to the process whereby personal information is technologically processed to make it impossible to identify personal information subjects without the aid of additional information. In other words, it is still possible to identify an individual by combining de-identified information with other information. Thus, de-identified information is still considered personal information. It is worth noting that the PI Specification expressly categorises hash functions under de-identification instead of anonymisation, which means the hash values of personal information are still considered personal information.
The PI Specification recommends limited direct-user profiling. Direct user profiling is when the personal information of a specific natural person is directly used to create a unique model of the natural person’s characteristics. Personal information controllers engaging in direct profiling activities are required by the PI Specification to disclose the existence and the purposes of the direct profiling.
Automated decision making
Where automated decisions are made based on such profiling and have significant impact on the personal information subject’s rights and interests, personal information controllers should provide the means for the personal information subject to lodge a complaint.
Online monitoring or tracking
Under the CSL regime, tracking technologies like cookies are not prohibited, but cookies are usually regarded as personal information, the collection of which shall comply with the personal information requirements.
Big data analysis
In the event of big data analysis, it is inevitable that data collected from various sources would be aggregated and used for a purpose that is normally different from the one for which the data was originally collected. Under the PI Specification Draft, such data merging shall be subject to the purpose for which the data was collected. In other words, the use of the aggregated or merged data in big data analysis shall be consistent with the purpose to which the data subject consented prior to that use.
So far, there has been no law or regulation systematically regulating data and privacy protection where artificial intelligence is involved. Yet there are regulations focusing on specific applications of AI technology. For example, audio and video generated by deep learning or other new technologies shall be identified in a noticeable way. In general, the government encourages the development of AI technology. In the “2018-2020 Three-Year Action Plan for Enhancing the Development of the AI Industry of the New Era” (促进新一代产业发展三年行动计划-2018-2020年) issued by the MIIT, combining AI technology with manufacturing technology is encouraged.
Algorithms (explanations, logic, code)
It has been observed that – on some online platforms for car-hailing, flight tickets or accommodation booking – algorithms, when manipulated, may through their inherent bias discriminate against consumers who have shown more interest in certain products or have certain consumption habits by offering them higher prices. There is no law or regulation specifically targeting such misuse of algorithms. Consumers may rely on the Consumer Protection Law or the e-commerce Law to defend their legitimate right to a fair deal.
Injury or Harm
In the event of an infringement of their privacy or other legitimate rights, personal information subjects may resort to the traditional legal remedies provided by the General Rules of the Civil Law and the Tort Law. The concept of injury or harm under the Chinese civil law system refers to the infringement of personal and property rights, which include, without limitation, the rights to life, health, name, reputation, fame, portrait rights, privacy rights, marital autonomy, ownership, etc. In addition, injury or harm relevant to privacy and data rights could also lead to criminal liability where there are serious circumstances of illegal sale or provision of personal information.
A serious circumstance will have occurred where there is illegal sale or provision of 50 pieces or more of location information, communication information or property information; 500 pieces or more of accommodation information, health information or other information that may have an impact on citizens’ health or property security; or 5,000 pieces or more of other personal information (Article 5 of the Supreme People's Court and the Supreme People's Procuratorate Interpretations).
Data that is subject to special regulations under the Chinese legal framework includes, without limitation, personal information, important data, and business data from certain industry sectors.
The definition of personal sensitive information is discussed in 1.6 System Characteristics. Financial data, health data, communications data, voice telephony and text messaging, the content of electronic communications and a person's sexual orientation are categorised as personal sensitive information. More stringent restrictions and higher protection standards are applicable to personal sensitive information.
The personal information of children under 14 years old is also personal sensitive data and is subject to special protection under the Provisions on the Cyber Protection of Children's Personal Information. Student data is not necessarily personal sensitive data. It depends on which specific data type it is.
Employment-related data will not be deemed personal sensitive information merely because it is employment related. But if it falls into the category of personal sensitive information because, for example, it contains the identity card number or bank account number of an employee, the relevant regulations on personal sensitive information would apply.
Union membership and political or philosophical beliefs are usually not deemed to be personal sensitive information under the CSL regime.
Internet, Streaming and Video Issues
Browsing data, viewing data, cookies, beacons and location data are all regarded as personal sensitive information. Tracking technology is not prohibited under Chinese law. Yet, if personal information is collected and used for behavioural advertising to which the data subjects have not agreed, such collection and use of personal information would be deemed illegal. There have been some discussions regarding privacy and data protection with major internet platforms such as WeChat or TikTok. Yet there has been no significant law enforcement activity or administrative punishment imposed on those companies, as there has been on Google or Facebook.
According to the CSL and the Administrative Measures on Internet-based Information Services (互联网信息服务管理办法), the network service provider will be liable for any erroneous, illegal or prohibited information published on a website or other medium it provides, whether intentionally or negligently. If the provider immediately takes action to stop the wrongdoing or blocks access to such inaccurate information after receipt of notice from the affected party, its liability might be limited. Besides, the Regulations on Internet Information Content Ecological Governance (网络信息内容生态治理规定) – aimed at regulating illegal, defamatory, seditious, violent or obscene content on the internet – will come into effect in March 2020.
Please refer to 2.3 Online Marketing for discussion of behavioural advertising.
Please refer to 2.1 Omnibus Laws and General Requirements for discussion of data subject rights, the right to be forgotten, data access and portability and the right of rectification or correction.
The Advertising Law (广告法) is the fundamental law that regulates advertising. The Interim Measures for Administration of Internet Advertising (互联网广告管理暂行办法) apply to online marketing. The sender shall obtain from the recipients their consent to, or request for, advertising and the sender shall also disclose its true identity, contact details and the opt-out method for advertisements distributed via electronic means.
Since online marketing, particularly behavioural advertising, is normally based on the analysis of personal information collected from users, the regulations on personal information collection and use shall be observed. To begin with, personal information shall not be collected or used for behavioural advertising if the personal information subjects have not agreed to that purpose. According to the PI Specification, it is recommended to use indirect user profiling, which is generated from personal information that does not come from particular persons, instead of direct user profiling for online marketing. According to the PI Specification Draft, where a personalised display is used for online marketing, users should be provided with an option to turn the function off and to delete or anonymise the personal information used for such a personalised display.
There is no special law or regulation regulating workplace privacy. It is governed by Employment Law (劳动法), Employment Contract Law (劳动合同法), the CSL and relevant laws and regulations governing personal information. The personal information of an employee is subject to the same personal information protection regime as that of a regular person.
Even though employees’ personal information is protected in the same way as regular personal information, it is a fact that the employment relationship between employees and employers has its own features making it inevitable that employers collect and use employees’ information in the course of employee management. It is commonly understood that employers shall duly notify their employees that activities in the workplace, during working hours, conducted with working facilities are supervised and monitored by the employers. Employment contracts or the employee handbook usually contain clauses in this regard. Normally, the voluntary provision of personal information by the employees under the employment contract would be deemed as giving authorisation to the employers to collect and use their information in accordance with the purpose of employee management.
In China, labour unions do not play the same role as those in the western world. Where there is an infringement of employees’ personal information rights, instead of appealing to a labour union, the employees may report this to the competent authorities in charge of cybersecurity and personal information protection.
Normally, corporations adopt internal supervisory and reporting mechanisms, including whistle-blower hotlines and anonymous reporting channels. It is always an option to report malfeasance to the competent government authorities. There is no unified standard rule; it varies between corporations and industries.
E-discovery shall follow the relevant litigation and arbitration rules. Access to employees’ personal information for the purpose of e-discovery would be deemed a use directly related to a court trial, and thus no consent is required for the collection and use of such information. Yet there might be situations that are not necessarily directly related to court trials. Thus, it is advisable to plan ahead by establishing an archive system and incorporating clauses on access to an employee’s personal information for the purposes of e-discovery and other reasons into the employment contract or employee handbook.
Network operators are required to implement technical measures and other necessary measures to guarantee the security of the collected personal information and prevent its leakage, damage or loss. This may include the use of data loss prevention technologies. There is no law or regulation prohibiting employers from blocking websites to secure the productivity of their employees, and it is advisable to publish such measures in the employment contract, employee handbook or relevant company policies.
Legal Standards for Regulators
For law enforcement departments, the CSL and the Consumer Protection Law are the two most fundamental standards by which to regulate and punish violations of privacy or data protection laws. The PI Specification serves as a key reference as well. For law enforcement against violations by mobile applications, the Standards for Determining Unlawful Collection of Personal Information by Apps (App违法违规收集使用个人信息行为认定方法) were released in November 2019. These Standards summarise specific violations observed in business practice and will be used as tools for App operators to conduct self-inspection as well as for law enforcement departments to determine unlawful acts.
Potential Enforcement Penalties
Depending on the violation, different sanctions and penalties can be imposed under the CSL. For instance, non-compliance with the personal-information-protection-related provisions of the CSL may, according to Article 64 of the CSL, result in orders to take rectification measures, a warning, confiscation of illegal earnings, fines, or a combination thereof. The fine should be more than the illegal earnings but less than ten times that amount. Where there are no illegal earnings, the fine shall not be more than RMB1 million. The directly responsible person may face a fine ranging from RMB10,000 to RMB100,000. In the case of a severe violation, the competent authority may order the suspension of related business, winding up for rectification, shutdown of the website, and the revocation of the business licence of the operator or provider.
Where there is a severe violation that could lead to criminal prosecution, the prosecution standards are stipulated by the Supreme People's Court and the Supreme People's Procuratorate Interpretations (see the discussion in 2.1 Omnibus Laws and General Requirements).
Leading Enforcement Cases
By the end of October 2019, public security departments across the country had detected 45,743 cyberspace-related cases, including 2,868 cases on infringement of personal information. Inspections of more than 170,000 enterprises had been conducted and more than 600,000 internet accounts had been cancelled. Administrative punishment had been imposed on more than 91,000 enterprises.
In general, most cases or proceedings take the form of administrative investigation and punishment initiated and imposed by government authorities. Legal bases for an individual to initiate private litigation include the General Rules of the Civil Law, Tort Liability Law, Consumer Protection Law, the CSL and the PI Specification.
A joint action under the Civil Procedure Law (民事诉讼法) is often seen in securities litigations. So far there has been no joint action against a violation of privacy laws.
For the purpose of criminal prosecution, the People’s Courts, the People’s Procuratorate and public security bureaus are empowered by the Criminal Procedure Law (刑事诉讼法) to collect or obtain evidence from the entities and individuals concerned. Relevant parties are obliged to co-operate and provide truthful evidence (Article 54). Evidence involving any state secret, trade secret or private personal information shall be kept confidential (Article 152). Collection of evidence by judges, prosecutors and investigators from public security bureaus shall follow legal procedure. When a search is to be conducted, a search warrant must be presented to the person to be searched (Article 138). A search warrant may be issued by the People’s Procuratorate and public security bureaus. Any staff member of a cyberspace administrator or any authority concerned who neglects their duty, abuses their authority or commits malpractice for personal gain, without those actions constituting a crime, shall be subject to disciplinary action pursuant to the laws (Article 73 of the CSL).
The Constitution Law (宪法) provides for the fundamental protection of privacy. The state respects and protects human rights (Article 33). The personal dignity of citizens of the People's Republic of China is inviolable (Article 38). The freedom and privacy of correspondence of citizens of the People’s Republic of China are protected by law (Article 40). According to Article 77 of the National Security Law (国家安全法), citizens and organisations are under the general obligation to provide support and assistance for work relating to national security. According to the Counterespionage Law (反间谍法), a national security authority may, as needed for counterespionage work, legally inspect the electronic communication tools and instruments and other equipment or facility of a relevant organisation or individual. If the national security authority discovers any circumstances compromising national security during inspection, it shall order the organisation or individual to make rectification; and may take seizure or impoundment measures if the organisation or individual in question refuses to make rectification or still fails to satisfy the relevant requirements after rectification (Article 13). The power of the national security authorities is not unrestricted. According to Article 37 of the Counterespionage Law, where any staff member of a national security authority divulges any state secret, trade secret or piece of private individual information, in violation of the relevant provisions, among others, which constitutes a crime, the staff member will be subject to criminal liability in accordance with the law. The procedural requirement and protection provided by the Criminal Procedure Law as mentioned above is also applicable here.
Organisations in China may not invoke foreign government access requests as a legitimate basis for collecting and transferring personal data. China has not entered into a CLOUD Act agreement with the USA.
Industry leaders such as Huawei and ZTE have been accused of being manipulated by the Chinese government and of secretly providing personal data to it. Some media voices allege that the Counterespionage Law authorises the government to take or confiscate any property that might endanger national security. Yet, as discussed in 3.2 Laws and Standards for Access to Data for National Security Purposes, the laws and regulations do not grant the government access to personal data under any and all circumstances. Only for specific purposes, such as criminal investigation, the investigation of activities compromising national security and counterespionage work, may the government conduct investigations that involve access to personal data. During the course of such investigations, the authorities must abide by the strict procedures prescribed under the relevant laws. Besides, infringement of individual privacy by government authorities is regulated by both the Counterespionage Law and the Criminal Procedure Law.
According to the CSL, personal information collected by CII operators (CIIOs) during their operations in China shall be stored within Chinese territory. Where there is a need to transfer such information overseas, a security assessment shall be conducted. The 2019 Cross-Border PI Transfer Draft extends this obligation to all network operators. In addition, it requires network operators to apply to provincial cyberspace administrations for a security assessment prior to any cross-border transfer of personal information.
For the application, network operators that intend to transfer personal information overseas shall submit an application letter, the contract with the recipient, and an analysis of the risks and security measures (Article 4 of the 2019 Cross-Border PI Transfer Draft). Network operators are obliged to keep records of cross-border personal information transfers for at least five years (Article 8). Additionally, consent from the personal information subjects is required by the basic principles set out under the CSL. The requirement for a contract between the network operator and the recipient is to some extent similar to the Standard Contractual Clauses (SCCs) under the GDPR. Specifically, the contract required under the measures shall:
Cross-border transfer of personal information and important data is regulated under the CSL regime. CIIOs are required by the CSL to conduct security assessment prior to the cross-border transfer of personal information and important data (please refer to the discussion in 5.6 Other Significant Issues on the definition of important data).
For other network operators, the procedures and required approvals are stipulated in the 2019 Cross-Border PI Transfer Draft and the Data Security Measures Draft. As mentioned above, network operators transferring personal information internationally shall apply to the competent cyberspace administration for a security assessment. With respect to important data, network operators are required by the Data Security Measures Draft to apply to the competent regulatory department of their industry for approval. It is worth noting that the regulations imposing these requirements are still drafts for comment. Market participants would be well advised to keep an eye on developments.
The first and foremost data localisation requirement is that state secrets may not be transferred overseas. Secondly, personal information and important data collected by CIIOs in the course of their operations in China must be stored locally, and a security assessment is required before any cross-border transfer. Additionally, there are localisation requirements for special categories of business data, including, without limitation: (i) credit investigation data; (ii) personal financial information; (iii) map data; (iv) essential technical equipment required for online publication services; (v) data and information related to car-hailing services; (vi) health information of the population; and (vii) insurance data and fiscal data.
In principle, such data shall be stored within Chinese territory and may not be freely transferred overseas. Where it is necessary to transfer such data overseas, the special requirements applicable to each type of information apply.
There is no law or regulation requiring technical details, such as software code or algorithms, to be shared with the government. The cybersecurity examination to which network products and services relevant to national security are subject before being purchased by CIIOs (Article 35 of the CSL) does not aim at acquiring technical details. To begin with, according to the Measures for Cybersecurity Censorship (Draft) (网络安全审查办法（征求意见稿）), the entities subject to such examination are CIIOs. Secondly, the purpose of the examination is to evaluate whether there is a risk of massive data leakage, loss or cross-border movement, of interruption of services, or of the CIIO being controlled by foreign entities. Since the purpose of the examination is not to acquire code or algorithms from market participants, sharing such technical details remains a voluntary decision on the part of the relevant entity.
According to Article 277 of the Civil Procedure Law, no foreign discovery shall be conducted within Chinese territory without the approval of the competent Chinese authorities, except through diplomatic channels or channels provided by international treaties. According to Article 4 of the International Criminal Judicial Assistance Law (国际刑事司法协助法), foreign entities shall not conduct discovery or initiate other criminal proceedings in China without the approval of the Chinese authorities, and Chinese entities and individuals shall not provide evidence or other assistance to foreign entities without such approval. In 2000, China and the USA signed the Agreement on Mutual Legal Assistance in Criminal Matters. Thus, the collection and transfer of personal information by an organisation in response to a foreign government's data request or foreign litigation proceedings must follow the legal framework described above. With respect to internal investigations, the restrictions on data collection and cross-border data transfer mentioned above apply.
There is no blocking statute in the Chinese legal framework, as there is in Europe, to deal with the extraterritorial jurisdiction of US laws. Yet China does have laws and regulations restricting criminal and civil discovery activities conducted within Chinese territory (please refer to 4.6 Limitations and Considerations).
When it comes to emerging digital and technology issues, it is hard to ignore the fact that the inherent biases of algorithms may lead to infringement of individual rights and to discrimination. Until the technologies mature and their error rates become manageable, network operators will continue to take a cautious attitude towards the application of such technologies.
For a discussion of big data analytics, automated decision-making, profiling and artificial intelligence (including machine learning), please refer to 2.1 Omnibus Laws and General Requirements.
Network operators in the business of the internet of things (IoT) and big data analytics should pay special attention to implementing the MLPS. According to the national standards constituting MLPS 2.0, IoT and big data applications are expressly included among the protected objects of the MLPS. Specific security requirements can be found in the corresponding national standards. Network operators of IoT and big data applications are advised to begin the grading and classification of their systems as early as possible.
For the purpose of autonomous decision-making, a vast amount of data is collected and aggregated. Taking autonomous vehicles as an example, the vehicles continuously collect all location data of their users, which is used to, among other things, generate direct user profiles. So far there are no regulations that specifically deal with privacy and data protection in the autonomous vehicle business. The CSL, the PI Specification and the relevant national standards apply to the collection and processing of personal information, including automated decision-making, as well as to the protection of data security.
The application of biometric data, including facial recognition, is increasing. Biometric data is highly sensitive personal information: it is unique to an individual and, unlike a password, cannot be changed once it has been compromised. Processing of biometric data shall therefore be conducted to much higher and more stringent standards. Requirements for collecting and processing sensitive personal information are found in the PI Specification and the Guidelines for Internet Personal Information Security Protection (互联网个人信息安全保护指南). Additionally, the draft national standard on Biometric Information Protection provides guidance for the processing of such data.
Geolocation data is sensitive personal information, the collection and processing of which shall be consistent with the applicable rules as discussed in 2.2 Sectoral and Special Issues.
Drones, which are being used for recreational purposes as well as for law enforcement, are getting smaller and cheaper while the images a drone can get are clearer and more accurate than ever. So far, only general rules on privacy and data protection are applicable to the use of drones. To deal with this new technology, the MIIT launched field research in October 2019 for drafting mandatory national standards to address relevant security issues.
To address the problems and concerns brought by emerging technologies, TC260 is actively conducting research and releasing industry study reports and, most importantly, recommended national standards to guide the application of various cutting-edge technologies. For example, TC260, working together with Tsinghua University, Baidu, Huawei, Alibaba and other entities, issued the 2019 White Paper on Security Standards for Artificial Intelligence in October 2019, which addressed the potential security risks concerning algorithm models, data security and privacy protection, as well as the potential risks of abuse of the technology.
There are many special enforcement projects, such as “Clearing the Network 2019” (净网2019), launched by the MPS and implemented by provincial public security departments across the country throughout the year. This is a comprehensive investigation into violations in internet-related industries. The CSL has been the major legal basis for investigations and punishment. (Please refer to 2.5 Enforcement and Litigation for more details.) So far, there has been no administrative punishment involving significant monetary penalties, as there has been in Europe; however, the usual sanctions following these enforcement activities, being publicly criticised by the authority or having the related business suspended, can cause substantial damage to a company. Most cases and legal proceedings are administrative and criminal cases. There has been no civil case with a large settlement or joint action with respect to privacy and data protection. (Please refer to 2.5 Enforcement and Litigation for discussion of a remarkable civil case.)
Due diligence on privacy and data protection in corporate transactions would normally start with interviews to gain an understanding of the existing situation in terms of cybersecurity protection measures and data processing at the relevant company. A gap analysis would then be conducted to evaluate the deviation between the compliance requirements and the actual situation. The last step would be offering compliance suggestions. The focus of the due diligence would usually be on the following aspects: (i) management systems for network operation security; (ii) information on the network products and services purchased by the company; (iii) collection and processing of data; (iv) data storage and internal management; (v) data output; and (vi) cross-border data transfer.
According to the disclosure requirements for listed companies, investigations, criminal punishment and major administrative punishment must be disclosed.
The terms “important data” and “critical information infrastructure” are concepts unique to the CSL regime.
Important data refers to the kind of data that, if divulged, may directly affect national security, economic security, social stability and public health and security, such as unpublished government information, large-scale population, genetic health, geographical or mineral resources data. So far, no regulation on implementing methods of important data identification and its scope has been officially published. Yet, according to the Data Security Measures Draft, important data shall usually not include information related to the production, operation and internal management of enterprises or personal information. Even though these administrative measures have not entered into effect, they have indicated to some extent the expected modification of legislation on important data and the law enforcement trends in the same area. Cross-border transfer of important data is subject to special procedures which are discussed in detail in 4.3 Government Notifications and Approvals.
Critical Information Infrastructure
The CSL provides for a special protection scheme in China on critical information infrastructure and the corresponding protection principles. So far, no regulation on the identification standards, scopes or implementing rules of administration has been officially published. Information infrastructure – in important industries and sectors such as public communications, information service, energy, transport, water conservancy, finance, public service and e-government – might fall within the scope of such regulation. The purpose of offering extra protection for critical information infrastructure is to protect national security, the national economy, people's livelihoods and the public interest.
Chinese legislation regarding data compliance and personal information protection has three defining characteristics.
Comprehensiveness – it covers both network operation security and cyber information security, while providing data protection and safeguarding citizens’ lawful rights via various instruments.
Creativity – taking China’s fundamental realities into consideration, the legislative bodies adopted the concepts of the Multi-Level Protection Scheme (MLPS) and Critical Information Infrastructure (CII), which collectively build a Chinese-style data protection regime.
Hierarchy – from a general overview to specified provisions, the legislative bodies have published laws, administrative regulations, departmental rules, and national standards that jointly regulate the obligations of data controllers as well as data subjects’ lawful rights and which constitute the current systematic legal framework.
With the aforementioned characteristics very much in evidence, 2019 witnessed a number of changes to both data security and privacy protection regulatory mechanisms in China. These changes improved regulatory efficiency, yet left room for further regulatory enhancement in the future. While several regulations and national standards were promulgated or released and became effective, some other draft administrative regulations and national standards were only circulated for public comment and have not yet come into force. Chinese governmental authorities are stepping up the pace in data compliance and personal information protection, shifting their focus from legislation to enforcement.
We predict that China will see two drafts of specific laws in this area in 2020, the Personal Information Protection Law of the People’s Republic of China (Personal Information Protection Law) and the Data Security Law of the People’s Republic of China (Data Security Law). These two laws, together with the Cybersecurity Law of the People’s Republic of China (Cybersecurity Law), will constitute the cornerstones both of China’s legislative system and its enforcement programme in this area. The year 2020 is very likely to be another landmark one for data compliance and personal information protection in China.
This article analyses the past and forecasts the future. The general suggestion is that businesses should at least pay close attention to these new developments and prepare any adjustments that will need to be made in the new era. We hope that this article is helpful in providing guidance to foreign and domestic businesses that have compliance needs in this area within China.
Changes and Developments in 2019
In 2019, rules regarding the security of data and personal information were dispersed in laws and regulations. Based on the classification of regulated subjects (the normal network operators and Critical Information Infrastructure Operators (CIIO)) and the categories of protected data (personal information, important data, CII, and other data), several important draft regulations and national standards were circulated for public comment. The regulatory authorities are taking stricter enforcement measures, which shows the government’s willingness to enforce high standards in data compliance and personal information protection.
Old laws revised
Firstly, 2019 witnessed three draft revisions to the national standard Information Security Technology – Personal Information Security Specification, which became effective on 1 May 2018. This national standard provides the measures and mechanism that companies are recommended to use in order to ensure personal information protection compliance. For the purpose of addressing the latest developments in information technology, three drafts of this standard were released separately in February, June, and October 2019. These drafts presented more practical guidance for regulation, including but not limited to, the techniques of Software Development Kit (SDK), personalised display for individuals, and rules regulating the collection and use of data.
Secondly, the new national standards of China’s MLPS for networks became effective on 1 December 2019, including: (i) GB/T 22239-2019 Information Security Technology – Baseline for Multi-level Protection of Cyber Security; (ii) GB/T 25070-2019 Information Security Technology – Technical Requirements of Security Design for Multi-level Protection of Cyber Security; and (iii) GB/T 28448-2019 Information Security Technology – Evaluation Requirement for Multi-level Protection of Cyber Security (collectively New MLPS National Standards). The New MLPS National Standards overall maintained five levels for security protection specified in the MLPS. In addition, recognising the fact that emerging technologies (eg, cloud computing and AI) create new cybersecurity concerns, the New MLPS National Standards address these new concerns by setting forth special requirements. In the transition from “Multi-level protection over information security” (commonly referred to as MLPS 1.0) to Multi-level protection over cybersecurity (commonly referred to as MLPS 2.0), the New MLPS National Standards present the recommended technical best practice under MLPS 2.0.
New laws (or their drafts) promulgated
The Cyberspace Administration of the People’s Republic of China (CAC) released two eye-catching regulations in 2019, the Administrative Measures on Data Security (draft for public comments), in May, and the Measures on Assessing the Security of Cross-border Transfer of Personal Information (draft for public comments), in June. Compared to the Information Security Technology – Guidelines on Assessing the Security of Cross-border Data Transfer (draft for public comments) and the Measures on Assessing the Security of Cross-border Transfer of Personal Information and Important Data (draft for public comments) circulated in 2017 from the China National Information Technology Standardisation Committee, the new draft regulations indicate that the agency is changing its legislative and regulatory methodology to differentiate “personal information data” and “important data”.
On 1 October 2019, the Provisions on the Cyber Protection of Children's Personal Information took effect. This is the first regulation focusing on the protection of children’s personal information. While specifying detailed requirements for the protection of children’s personal information, it prohibits any organisation or individual from producing, releasing, or disseminating information, without the consent of the children's guardians, which may infringe those children’s personal information security. It also sets forth the regulatory powers of the CAC and its local counterparts, and the other related governmental authorities.
Lastly, 2019 also saw a set of enforcement actions taken by the CAC, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation (collectively, the Four Ministries) against app operators whose apps had illegally collected and used personal information. The Four Ministries established a special working group on app governance and jointly published the Announcement on Special Governance of the Illegal Collection and Use of Personal Information by Apps, specifying, among other things, app operators’ security obligations and the regulatory penalties. In these regulatory actions, the Four Ministries investigated millions of apps and released official warnings or even ordered app store operators to take certain apps offline due to their non-compliant collection and use of personal information. In order to address the compliance issues identified in the investigation, the Four Ministries, together with the special working group on app governance, enacted new regulatory rules such as: (i) the Self-evaluation Guidelines on Avoiding Collecting and Using Personal Information Illegally; (ii) the Information Security Technology – Basic Specification on Collecting and Using Personal Information by Mobile Internet Applications; and (iii) the Measures on Determining Illegal Collection and Use of Personal Information by Apps. These rules not only provide guidance on the substance of the privacy documents published to the general public, but also shed light on the compliance faults affecting privacy by design and by default in apps, which secure users’ right to know and right to choose. For example, an app’s privacy policy is required to exhaustively list all the personal information the app will collect and to be easily accessible by users.
Where apps collect personal information without limitation and damage user privacy, these regulatory rules and law enforcement actions will step in and investigate.
Trends in 2020
As of the date of this article, China has over 40 laws and 230 regulations and legislative documents covering the areas of data compliance and personal information protection. This creates difficulties in maintaining consistent law enforcement in practice. Regulatory enforcement may be duplicative or miss a loophole; and the discretion exercised in enforcement over the same issue may be inconsistent, which will result in inefficiency in law enforcement and confusion for businesses.
However, the complexity and confusion in the legal system are changing and improving. According to an official news report, two laws concerning data and privacy are listed in the legislation plan of 2020: the Personal Information Protection Law and the Data Security Law. Once promulgated, they will contribute to the building of a comprehensive and complete legal system of data compliance and personal information protection and guide the relevant law enforcement actions in a more unified, co-ordinated, and efficient manner. In brief, we expect the following changes in the areas of data compliance and personal information protection in 2020.
More legal support on specific issues
As mentioned above, national-level legislation on privacy compliance and personal information protection is missing in the current legal system. Relevant national-level legislation can only be found in some general provisions of the Cybersecurity Law and the Consumer Rights Protection Law, which is inadequate for individuals to protect their privacy and insufficient for law enforcement.
With the release of the above two laws, we expect that the government may simultaneously release certain technical regulations and standards, aiming to substantiate the compliance obligation of businesses and to provide practical guidance on the fulfilment of those obligations while facilitating the public's ability to safeguard the rights of personal information protection.
Multiple dimensions in regulation
The coming year may bring legislation regarding different cybersecurity subjects. Taking CIIO as an example, pursuant to the Cybersecurity Law, CIIO must undertake stricter obligations than other non-CIIO organisations. There are a set of draft regulations and national standards regarding CIIO. If released in 2020, these would provide more specific guidance to define a CIIO and its obligations.
Additionally, the Information Security Technology – Personal Information Security Specification, which had three draft revisions in 2019, is likely to be finalised. The new national standards would regulate data compliance comprehensively throughout the data’s whole life cycle: from its collection, use, storage and transmission, to its deletion. Once issued, it will serve as a detailed standard to provide enforcement guidance for the forthcoming Personal Information Protection Law.
Furthermore, with the regulation of cross-border data transfer remaining unsettled, the development of draft legislation concerning cross-border data transfer in 2020 is an important matter for businesses at home and abroad. Such draft regulations include the Measures on Assessing the Security of Cross-border Transfer of Personal Information and Important Data (draft for public comments), the Information Security Technology – Guidelines on Assessing the Security of Cross-border Data Transfer (draft for public comments) and the Measures on Assessing the Security of Cross-border Transfer of Personal Information (draft for public comments).
Lastly, measures and national standards on data processing and internal compliance operations are still in draft status – eg, Information Security Technology – Guidelines on Deidentification of Personal Information (draft for public comments), Information Security Technology – Guidelines on Personal Information Security Assessment (draft for public comments) and Information Security Technology – Guidelines on Informed Consents of Personal Information (draft for public comments). We may see these draft standards put into practice after finalisation in 2020.
Construction of the data law
We expect the future legal mechanism of data protection to be based on three basic laws: the Cybersecurity Law; the forthcoming Personal Information Protection Law; and the expected Data Security Law. Each of them represents a separate dimension of cyberspace regulation.
The Cybersecurity Law regulates general security issues of cyberspace – including the construction, operation, maintenance and use of the network – and sets forth the rules regarding the operational security of critical information infrastructure and regulatory authorities’ responsibilities.
The forthcoming Personal Information Protection Law will likely regulate the security issues during the life cycle of personal information, including the security obligations of data controllers and data processors and the lawful rights of data subjects. The forthcoming Data Security Law will likely regulate the security issues during the life cycle of important data and non-personal information, with an emphasis on big data, and set forth obligations for data controllers. The draft Administrative Measures on Data Security (draft for public comments), promulgated in 2019, is expected to be a regulation to implement the Data Security Law.
The comprehensive structuring of data legislation provides a clear roadmap for enterprises to follow and to carry out internal compliance management systematically and efficiently.
Stricter regulation in key industries
Against the general background of stricter regulation, the competent authority for each industry, especially the key industries, is expected to develop detailed rules on the implementation and enforcement of data compliance and personal information protection, as well as on penalties. Such detailed rules will likely be enacted pursuant to the above-referenced basic laws and tailored to fit specific industries. The key industries referred to here include: (i) under the Cybersecurity Law, the seven important industries that have critical information infrastructure, namely public communication and information services, energy, transportation, water conservancy, finance, public services and e-government; and (ii) other industries that have a critical influence on basic livelihoods and public security.
Challenges for Businesses
The coming year will be a challenging one as regards compliance for businesses at home and abroad. As China is improving its legislation regarding cybersecurity and personal information protection, the compliance requirements for enterprises are becoming more challenging. Some of the major challenges are set out below.
Management requirements for construction, operation, maintenance and use of an enterprise's network
The forthcoming Data Security Law (draft for comments), the Administrative Measures on Data Security, and other relevant regulations and standards for critical information infrastructure are expected to be promulgated in 2020. These laws and regulations will set forth detailed cybersecurity obligations for network operators, especially those classified as CIIOs. Enterprises subject to them should internally review their network architecture against the regulations and specifications already available, in order to prepare for the forthcoming compliance work.
Cross-border transfer of data
China does not have a unified mandatory requirement for data localisation; instead, based on the data categories and operators’ different roles, it has promulgated regulations separately. The Cybersecurity Law requires CIIOs to locally store the personal information and important data collected and produced during their operation within China, with certain exceptions. The Administrative Regulations on Credit Investigation Industry requires, generally, that credit investigation information should be stored within China. As a rule, personal information relevant to national secrets and state affairs, national health, maps, online car-hailing services, and so on are prohibited from being transferred abroad. Measures on Evaluating the Security of Cross-border Transfer of the Personal Information and Important Data (draft for public comments) expands the restricted subjects, CIIOs under the Cybersecurity Law, to “network operators” more broadly and requires them to obtain the consent of the personal information data subject and not to endanger national security and societal interests, nor to transfer the data cross-border without the approval of the designated authorities.
Pursuant to the drafts of the Administrative Measures on Data Security and the Measures on Security Assessment for Cross-border Transfer of Personal Information promulgated in 2019, the cross-border transfer of important data and personal information requires not only the approval of competent government agencies but also the prior risk assessment of such cross-border security by the network operator. In addition, network operators are required to enter into contracts with the recipients of personal information before the cross-border transfer, and such contracts should disclose the recipient and its security obligations, the purpose of transfer, etc. Furthermore, network operators are obligated to annually report the cross-border transfer of personal information within the preceding year to the designated government authority, and to keep a record of the transfer for at least five years following such transfer.
Whether the above requirements will evolve in 2020, and to what extent such requirements can be implemented, are going to profoundly affect the data compliance work of businesses. Businesses should keep one eye on developments in this area in 2020.
Regulatory landscape of the government
The core value of data compliance and personal information protection is to protect the lawful rights of data subjects and to maintain cybersecurity. In 2019, violations were found in tens of thousands of apps during investigations jointly carried out by the Four Ministries. The businesses operating the apps that failed to meet the compliance requirements were subject to administrative penalties (such as taking the app offline), administrative questioning, fines, and even criminal investigations in some extreme cases. In late 2019, several companies working in big data analysis for financial credit ratings were investigated for their illegal collection and sale of personal information using web crawler technology.
Each business should carefully review its own data compliance issues and adjust its risk control policy in time to comply with this new trend in law so as not to have its reputation impaired or incur other losses. Multinational companies should constantly review their global policies regarding data compliance based on worldwide legislative changes and particularly focus on their policy implementation in China while being mindful to process their data and personal information in accordance with the development of relevant regulations and standards.
In conclusion, in 2019 the competent authorities’ administration and management focused mainly on regulating the illegal collection and misappropriation of personal information, while administrative surveillance of the storage and cross-border transfer of personal information remained moderate. The forthcoming Personal Information Protection Law and Data Security Law, if enacted in 2020, are expected to greatly strengthen the authorities’ regulatory powers and increase penalties across the data life cycle. Businesses, both domestic and international, should proactively review their current data compliance policies and compare their compliance measures with the requirements set forth in the drafts of the foregoing laws. By doing so, they can have sufficient time to fill in potential compliance loopholes and better prepare for the forthcoming legislative updates in China’s data compliance and personal information protection regime.
