The Civil Code of the People’s Republic of China (the “Civil Code”) was approved by the National People’s Congress of China on May 28, 2020 and took effect on Jan 1, 2021. In 2020, the draft versions of the Personal Information Protection Law (the “PIPL Draft”) and the Data Security Law (the “DSL Draft”) was also released for public comments. The two draft, once officially passed and implemented, will together with the Cyber Security Law of the People’s Republic of China (the “CSL”) become the three pillars in the realm of cyber security and data protection. Came into effect on 1 June 2017, the CSL forms the backbone of cybersecurity and data privacy protection. Since the CSL does not stipulate comprehensive rules, China’s data and privacy framework appears to be a patchwork with textures of various laws, measures, and sector-specific regulations, as well as national standards. From here, the three-dimensional structure of “Civil Code – Data protection & Cyber security laws – Respective regulations and standards” has been established.

The Civil Code stipulates privacy and personal information protection in the chapter on “Rights of Personality”. It does not distinguish between the data controller and data processor as defined under the European General Data Protection Regulations (the “GDPR”), and uniformly introduces obligations on information handlers when processing personal information.

Similar to the Civil Code, the PIPL Draft only specifies the personal information handler^[1] (“个人信息处理者”, to avoid misunderstanding, hereinafter refers to “personal information controller” since its definition is similar to that of data controller under the GDPR). The roles, such as the entrusted data processing party, are characterized by behaviors of parties concerned. It is noteworthy that both the PIPL Draft and the DSL Draft stipulate the extra-territorial application of the law under certain circumstances. The PIPL Draft applies to the activities carried outside the territory of the People’s Republic of China (“PRC”) for the purpose of providing services to, or analyzing and evaluating the behaviors of natural persons^[2]. The DSL Draft investigates the legal liability of data activities engaged outside the territory of PRC which harm the state security, public interests, or the legitimate rights and interests of citizens or organizations of the PRC^[3].

The CSL imposes different cybersecurity and data privacy obligations on network operators and critical information infrastructure operators (“CIIOs”). Network operators encompass virtually all companies involved in any kind of Internet-based services^[4]. Among them, CIIOs are the network operator of the critical information infrastructure in important industries that, once damaged, disabled or data disclosed, may severely threaten the national security, national economy, people’s livelihood and public interests^[5].

The non-binding national standard of Information Security Technology – Personal Information Security Specification (the “PI Specification”), which became effective as of 1 October 2020, illustrates the obligations of privacy protection in detail. Drafted with reference to the GDPR, the PI Specification adopts some definitions in the GDPR, e.g., the definitions of personal information controller and personal information processor^[6] mirror the definitions of data controller and data processor under the GDPR. The PI Specification plays a key role in personal information protection and has been cited by courts and enforcement authority. An increasing number of companies in the market also tend to refer to the PI Specification as the standard when conducting self-auditing of their personal information protection.

For certain types of information in special sectors, the authorities have enacted special regulations or standards. Take the financial sector as an example, the People’s Bank of China, the central bank of China responsible for regulation of financial institutions in mainland China, has issued rules to protect personal financial information even prior to the legislation of the CSL, such as the Implementing Measures of the People’s Bank of China for the Protection of Financial Consumers’ Rights and Interests in 2020.

The enforcement authorities in this field at least include the Cyberspace Administration of China (“CAC”), the Ministry of Industry and Information Technology (“MIIT”), the Ministry of Public Security (“MPS”), State Administration for Market Regulation (“SAMR”) and industry regulators.

References

^[1] PIPL Draft. Art. 69(1). A personal information handler refers to any organization or individual that independently determines the purpose and method of processing and other personal information processing matters.

^[2] PIPL Draft. Art. 3.

^[3] DSL Draft. Art. 2.

^[4] CSL. Art. 76. A Network Operator (NO) refers to the owner or manager of a network or the provider of a network service.

^[5] CSL. Art. 31. CIIO refers to the network operator of the critical information infrastructure in important industries and sectors such as public communications, information service, energy, transport, water conservancy, finance, public service and e-government, and other critical information infrastructure that, once damaged, disabled or data disclosed, may severely threaten the national security, national economy, people’s livelihood and public interests.

^[6] The PI Specification does not specify the definition of personal information processor, but imposes obligations directly on the trustee where the personal information controller entrusts a third party to process personal information.

There is no binding law requiring data controller/processor to register privacy mechanism, while if they fall into the scope of Network Operator under the CSL, they shall comply with the Multi-Level Protection Scheme (“MLPS”) requirements.

The DSL Draft stipulates that operators providing specialized online data processing and other services shall obtain a business license or register in accordance with the law, and detailed measures will be formulated by competent telecommunications department such as MIIT^[1]. It also lays down penalties for operators engaging related businesses without permission or registration^[2].

References

^[1] DSL Draft. Art. 31.

^[2] DSL Draft. Art. 44.

Personal information under the CSL is defined as the information that is recorded in electronic or any other form and used alone or in combination with other information to recognize the identity of a natural person^[1]. Personal information under the Civil Code is essentially similar with that under the CSL, while the Civil Code only specifies the recognition of the natural person. The PIPL Draft and the PI Specification expands the definition of “personal information” to include the information that reflects a person’s activities^[2], which allows the possibility to broaden the scope of personal information.

Sensitive personal information is defined in the PI Specification^[3] and the PIPL Draft^[4] as information that, if leaked, illegally provided or used without authorization, will endanger human rights and property interest, or cause damages to reputation, physical and mental health, or lead to discriminatory treatment. The PIPL Draft also stipulates that the personal information controller shall have a specific purpose and sufficient necessity to process the sensitive personal information.

Another key concept is the “important data” that is defined as data closely related to national security, economic development, and social and public interests^[5].

References

^[1] Civil Code. Art. 1034; CSL. Art. 76.5.

^[2] PIPL Draft. Art. 4; PI Specification. 3.1.

^[3] PI Specification. 3.2

^[4] PIPL Draft. Art. 29.

^[5] Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft). Art. 17 (stipulating that specific scope of “important data” needs to refer to relevant national standards and important data identification guidelines for its specific scope. The official national standards and guidelines have not come out yet).

The Civil Code and the CSL stipulates that personal information controllers shall abide by the “lawful, justifiable and necessary” principles to collect and use personal information^[1].

The PIPL Draft sets out following seven basic principles for personal information controllers to follow when carrying out personal information processing activities:

1. Personal information shall be processed in a lawful and proper manner and in accordance with the principle of good faith, and shall not be processed by fraud, misleading or other means^[2];
2. Personal information shall be for a definite and reasonable purpose instead of any purpose irrelevant to the purpose of processing^[3];
3. Processing of personal information shall be limited to the minimum scope for achieving the purpose of processing^[4];
4. Processing of personal information shall expressly indicate the rules for processing personal information^[5];
5. Personal information processed shall be updated in a timely manner^[6];
6. Personal information controllers shall be responsible for the personal information processing^[7];
7. Personal information controllers shall take necessary measures to ensure the security of the personal information processed^[8].

Compared with the PIPL Draft, the PI Specification additionally provides the principle of subject participation that the personal information controller shall provide the personal information subject with means to fulfil his/her rights^[9], but lacks the principle of accuracy.

References

^[1] Civil Code. Art. 1035; CSL. Art. 41.

^[2] PIPL Draft. Art. 5.

^[3] PIPL Draft. Art. 6.

^[4] PIPL Draft. Art. 6.

^[5] PIPL Draft. Art. 7.

^[6] PIPL Draft. Art. 8.

^[7] PIPL Draft. Art. 9.

^[8] PIPL Draft. Art. 9.

^[9] PI Specification. 4 g).

Overall, a noticeable difference from GDPR is that the legal basis under the CSL is entirely consent-based. The CSL requires the personal information controllers to expressly notify and obtain consent of the users if the products or services collect user information and comply with relevant laws and regulations governing personal information protection if personal information of users are involved^[1]. With a few exceptions^[2] discussed under Question 8, a personal information controller is required to inform the personal information subject of the purposes, means and scope of the collection and use of his or her personal information, and consent must be obtained prior to such collection^[3]. The legal bases under Chinese laws and regulations is also undergoing changes over time as the PIPL Draft breaks through the restrictions set by the CSL and takes a further step close to the GDPR (discussed under Question 8).

The PI Specification aims to guarantee the PI subject’s autonomy on personal information processing by requiring the controller to permit the subjects to make free choice when there’re multiple functions^[4]. Annex C of the PI Specification provides detailed means for realizing the autonomy of the personal information subjects. Particularly, before the extended business function is used for the first time, the personal information subject shall be informed of the extended business function and the circumstance of personal information collection via pop-ups, text descriptions, checking boxes, prompts, etc., and allow the personal information subject to select and give consent to the extended business function one by one^[5]. Any processing of personal information thereafter must be carried out within the scope of the consent. A renewed consent is required when the processing exceeds the original scope of consent^[6].

Besides, “separate consent” and “written consent” is the new requirement introduced by the PIPL Draft, which is not yet clearly defined and might raise the requirement on the form of consent needed^[7]. The situations requiring separate or written consent includes providing personal information to a third party^[8], publishing the personal information^[9], collecting personal images and personal identity characteristic information by devices in public places and providing to other persons or making public^[10], providing the personal information outside the territory of PRC^[11], processing sensitive personal information^[12], etc.

References

^[1] CSL. Art. 41.

^[2] The exceptions are listed in Art 1036 of the Civil Code and Art 5.6 of the PI Specification.

^[3] CSL. Art. 41.

^[4] PI Specification. 5.3

^[5] PI Specification. Annex C. 4 a).

^[6] PI Specification. 7.3 a).

^[7] PIPL Draft. Art. 30.

^[8] PIPL Draft. Art. 24.

^[9] PIPL Draft. Art. 26.

^[10] PIPL Draft. Art. 27.

^[11] PIPL Draft. Art. 39.

^[12] PIPL Draft. Art. 30.

Under the PI Specification, explicit consent from the personal information subject is required for processing sensitive personal information^[1]. “Explicit consent” is defined as express consent given in writing or orally or through other affirmative actions freely made by personal information subjects^[2]. A personal information controller is required to ensure that the explicit consent of the personal information subject is his/her autonomous, specific and clear willingness given after being fully informed^[3]. In addition, before collecting biometric information (discussed under Question 19), the personal information controller should separately inform the personal information subject of the purpose, method and scope of collecting and using personal biometric information, as well as the retention period and other rules, and obtain the explicit consent of the personal information subject^[4]. The PIPL Draft puts forward separate consent requirement for the processing which is subject to the individual’s consent and involves sensitive personal information^[5]. Besides, according to PIPL Draft, personal information controllers should assess the risk in advance before processing sensitive personal information^[6]. The Measures for the Supervision and Administration of the Online Trading prescribed that the dealers engaging in the online trading should obtain consent for each item when collecting sensitive personal information^[7].

There might be requirements on data which are prohibited from collection in special industry sectors. For example, credit investigation organizations shall be prohibited from collecting personal information pertaining to religion, gene, fingerprint, blood type, diseases and medical history and other personal information for which collection is prohibited by laws and administrative regulations^[8].

References

^[1] PI Specification. 5.4 b)

^[2] PI Specification. 3.6.

^[3] PI Specification. 5.4 b).

^[4] PI Specification. 5.4 c).

^[5] PIPL Draft. Art. 30.

^[6] PIPL Draft. Art. 54.

^[7] Measures for the Supervision and Administration of the Online Trading. Art. 13.

^[8] Administrative Regulations on Credit Investigation Industry. Art.14.

Personal information of person aged 14 or under are child’s personal information and is classified into sensitive personal information under PI Specification^[1]. Before collecting personal information of minors^[2] aged 14 or older, it shall seek explicit consent from the minors or their guardians; where the minors are aged under 14, it shall seek explicit consent from their guardians^[3]. Activities related to children’s personal information are also subject to the special protection of the Provisions on the Cyber Protection of Children’s Personal Information. The PIPL Draft also provides parental consent if the controller knows or should have known that it processes personal information of minors below the age of 14^[4].

References

^[1] PI Specification. 3.2.

^[2] Eighteen is the age of majority in China.

^[3] PI Specification. 5.4 d).

^[4] PIPL Draft. Art. 15.

I. Legislative tendency of legal bases

Unlike the current legal framework, where the CSL establishes the consent of personal information subjects as the only legal basis for personal information processing, the Civil Code provides legal basis provided by laws and administrative regulations. The PIPL Draft follows the rules in the Civil Code, breaking through the restrictions set by the CSL and prescribed other legal bases as follows:

i. When the processing is essential for:

1. Entering into or performing a contract; or
2. Performing statutory responsibilities or obligations; or
3. Responding to public health emergencies or for protecting the life, health or property safety of natural persons in emergency situations;

ii. Actions for public interests such as news reporting and public opinion supervision within the reasonable scope of processing;

iii. Other circumstances as stipulated by laws and administrative regulations.

The PIPL Draft does not include the pursuit of legitimate interests as one of the legal bases to process personal information, considering the implementation difficulties in other countries and the current situation in China.

II. Exceptions to obtaining consent

The PI Specification elaborates detailed exceptions to obtaining consent of the personal information subject for the collection and use of personal information as follows^[1]:

1. those related to the fulfillment of personal information controllers’ obligations imposed by laws and regulations;
2. those directly related to national security and national defense;
3. those directly related to public safety, public health, and significant public interests;
4. those directly related to criminal investigation, prosecution, trial, and judgment enforcement, etc.;
5. when safeguarding the major lawful rights and interests such as life and property of personal information subjects or other persons, and it is difficult to obtain the authorized consent of the personal information subject;
6. when the personal information subject voluntarily opened the collected personal information to the general public;
7. when necessary to sign and perform a contract according to the personal information subject’s request (note however, the main function of the personal information protection policy is to disclose the scope and rules of the collection and use of personal information by the controller of personal information, which should not be treated as contract in this context);
8. when the personal information is collected from legitimate public information channels, such as the legitimate news reports and open government information;
9. when necessary to maintain the safe and stable operation of the provided products or services, such as to detect and handle product or service malfunctions;
10. when necessary for the personal information controller, as a news agency, to make legal news reports;
11. when necessary for the personal information controller, as an academic research institute, to conduct statistical or academic research in the public interest, which also has de-identified the personal information when providing academic research or results externally.

Exceptions of i-vi, and viii above also constitute the exceptions to the general rule of no sharing, transfer or public disclosure^[2]. Exceptions to the rights of personal information subjects are discussed under Question 27.

The Civil Code provides following circumstances where the infringer shall not bear the civil liability when processing personal information^[3]:

1. Acts performed reasonably within the scope agreed by the natural person or his or her guardian;
2. Reasonably processing the information made public by the natural person himself or herself or other information that has been legally made public;
3. Other reasonable acts performed to protect the public interests or the legitimate rights and interests of the natural persons.

References

^[1] PI Specification. 5.6.

^[2] PI Specification. 9.5.

^[3] Civil Code. Art. 1036.

No provision in current binding data and privacy laws has imposed any requirements of privacy by design/default, albeit they are helpful for fulfilling the obligations imposed by the CSL. A similar system is indicated in the PI Specification where personal information controllers are recommended to comply with national standards (including Information security technology – Guidelines for Personal Information Security Engineering (Draft)) and to consider personal information protection requirements when they design, develop, test and release the information system^[1].

References

^[1] PI Specification. 11.2.

Under the CSL, network operators are required to record network operation and cybersecurity events and maintain the cyber-related logs for no less than six months^[1]. Since the CSL is a binding law and the enforcement authorities have published sanctions on those who failed to maintain the logs, most business entities follow such requirement and keep log records for no less than six months.

Personal information controller is required to keep records in certain circumstances under the PI Specification. A personal information controller should correctly record and retain the arrangement for delegation of the personal information processing^[2]. In case of sharing and transferring personal information for reasons other than merger, acquisition and restructuring, it is required to correctly record and retain the circumstances of sharing and transfer of personal information, including the dates of sharing and transfer, the scale, the purposes, the basic information of the recipient, etc.^[3] In addition, internal records should be retained where it is truly necessary to allow specific personnel to exceed their privileges to process personal information^[4].

The PI Specification also recommends controllers to establish, maintain and update records of personal information processing activities. Such records of the collection and use of personal information processing activities may include the following^[5]:

1. the type, quantity and source of the personal information involved;
2. the processing purpose and usage scenario;
3. information systems, organizations or personnel related to all aspects of personal information processing activities.

The PIPL Draft only specifies the record obligation when conducting risk assessment before personal information processing (discussed under Question 12). The risk assessment report and processing record shall be kept for at least three years^[6].

References

^[1] CSL. Art. 21.3.

^[2] PI Specification. 9.1 e).

^[3] PI Specification. 9.2 e).

^[4] PI Specification. 7.1 d).

^[5] PI Specification 11.3.

^[6] PIPL Draft. Art. 54.

Current laws and regulations in China do not have prior consultation requirement like GDPR.

Under the CSL, a CIIO shall conduct security assessment where the personal information and important data generated from its operation in China need to be provided abroad for business reasons^[1]. A CIIO shall also by itself or entrust a cybersecurity service provider in conducting examination and assessment of its cybersecurity and potential risks at least once a year, and submit such results together with improvement measures to the competent authorities^[2].

Personal information controllers are advised by the PIPL Draft^[3] and the PI Specification^[4] to establish a personal information security impact assessment system to evaluate the security risk brought to personal information processing activities. According to the PIPL Draft, a risk assessment should be conducted before processing sensitive personal information, making use of personal information to make automatic decision, entrusting others to process personal information, providing third parties with personal information and publicizing personal information, providing personal information to overseas parties, etc. The PI Specification requires personal information controllers to carry out risk assessments in some specific scenarios, such as when ensuring that the delegated processor has sufficient data security capabilities and provide sufficient security safeguards^[5], when sharing and transferring personal information for reasons other than merger, acquisition and restructuring, where the personal information has to be publicly disclosed as authorized by the law or for reasonable cause^[6]. Prior to the release of a product or service, or when there are major changes in business functions, a personal information security impact assessment should also be performed^[7]. Additionally, when laws and regulations have new requirements, or when a major change occurs to the business model, information system, or operational environment, or when a major personal information security incident transpires, a new personal information security impact assessment should be conducted^[8].

The PIPL Draft also provides that the in-advance risk assessment should include whether the purpose and method of processing personal information are legitimate, justifiable and necessary, the impact on individuals and the degree of risks, and whether the security protection measures taken are legitimate, effective and appropriate to the degree of risks^[9].

In carrying out the assessment, business find it helpful to refer to the non-binding draft guide named Information Security Technology – Security Impact Assessment Guide of Personal Information (the “PIA Guide”). The PIA Guide provides details to the assessment regarding who should initiate, how to prepare and what factors should be considered and how to balance the factors^[10]. After the assessment, the personal information controller is required to formulate a personal information security impact assessment report, and take measures to protect the personal information subject to reduce the risk to an acceptable level^[11]. The personal information controller is also required to retain the personal information security impact assessment report properly to ensure that it can be consulted by relevant parties and disclosed to the public in an appropriate form^[12].

References

^[1] CSL. Art. 37.

^[2] CSL. Art. 38.

^[3] PIPL Draft. Art. 54.

^[4] PI Specification. 10.2 a).

^[5] PI Specification. 9.1 b).

^[6] PI Specification. 9.2 a)

^[7] PI Specification. 11.4 c).

^[8] PI Specification. 11.4 d).

^[9] PIPL Draft. Art. 54.

^[10] PIA Guide. 4.4, 5.2, 5.4-5.6, 6.

^[11] PI Specification. 11.4 e).

^[12] PI Specification. 11.4 f).

The CSL requires network operators to appoint personnel responsible for cybersecurity^[1]. Provisions on the Cyber Protection of Children’s Personal Information also requires the network operator to designate persons to take charge of the protection of children’s personal information^[2].

Organizational measures in the PIPL Draft and the PI Specification also provide that the personal information controller shall appoint a head in charge of personal information protection and an agency in charge of personal information protection if the quantity of personal information processed reaches a certain level specified by the State Cyberspace Administration^[3]. According to the PI Specification, if an organization (1) has more than 200 personnel and its main business involves processing personal information; or (2) processes or is expected to process the personal information of more than 1 million people within 12 months; or (3) processes sensitive personal information of more than 100,000 people, it should establish a department with designated staff in charge of personal information security^[4]. Distinguished from the DPO under the GDPR, the person in charge of personal information protection is less independent as he or she would be directly responsible for personal information security^[5].

According to the PIPL Draft, personal information controller outside the territory of PRC who applies to the PIPL Draft shall establish a special agency or designate a representative within the territory of the PRC to be responsible for relevant matters of personal information protection^[6].

References

^[1] CSL. Art. 21.

^[2] Provisions on the Cyber Protection of Children’s Personal Information. Art.8

^[3] PIPL Draft. Art. 51; PI Specification. 11.1 b).

^[4] PI Specification. 11.1 c).

^[5] PI Specification. 11.1 d) 1).

^[6] PIPL Draft. Art. 52.

The Civil Code and the CSL stipulates that personal information controllers shall abide by the “lawful, justifiable and necessary” principles to collect and use personal information by announcing rules for collection and use, expressly notifying the purpose, methods and scope of such collection and use, and obtain the consent of the person whose personal information is to be collected^[1]. The PI specification requires personal information controllers to inform the personal information subject of the rules regarding the purpose, method and scope of collecting and using personal information and obtain the authorized consent of the personal information subject^[2]. According to PIPL Draft, personal information controller shall inform the individual of the following matters in an eye-catching manner and with clear and understandable language^[3]:

1. The identity and contact information of the personal information controller;
2. The purpose and method of processing personal information, and the type and retention period of the processed personal information;
3. The method and procedure for the individual to exercise the rights provided herein; and
4. other matters to be notified in accordance with the provisions of laws and administrative regulations.

Personal information protection policy (aka “privacy policy”) is the common form of privacy notice. The CSL, the Civil Code, the PIPL Draft and the PI Specification all require personal information controllers to establish personal information protection policy and disclose it publicly^[4]. The PI Specification specially provides that the privacy notice should be served to each and every personal information subject^[5]. Personal information controllers should promptly send notification to the information if the personal information protection policy is updated^[6]. In addition, the authorized enforcement agency (e.g. the CAC and the MIIT) issued a series of standards including the Guide to the Self-Assessment of Illegal Collection and Use of Personal Information by Apps, the Method for Identifying the Illegal Collection and Use of Personal Information by Apps, and put forward more detailed requirements towards the form of the privacy policy.

References

^[1] Civil Code. Art. 1035; CSL. Art. 41.

^[2] PI Specification. 5.4 a).

^[3] PIPL Draft. Art. 18.

^[4] CSL. Art. 41; Civil Code. Art. 1035; PIPL. Art. 18; PI Specification. 5.5 a).

^[5] PIPL. Art. 18; PI Specification. 5.5 e).

^[6] PI Specification. 5.5 f).

The Civil Code, the CSL and the PIPL Draft does not specify the distinction between the controllers and the processors. According to the PIPL Draft, the party entrusted by the personal information controller shall process personal information as agreed^[1] (discussed under Question 16).

However, obligations are place on controllers as well as processors yet with different weight by the PI Specification. Personal information controllers themselves face heavier burden in taking organizational measures and technical measures for delegated processing. The PI Specification also lays out a number of requirements for the processors to follow^[2]:

1. Process the personal information strictly in accordance with the instructions of the personal information controller. If the delegated processor cannot process the personal information according to the requirements of the personal information controller due to special reasons, the delegated processor shall promptly inform the personal information controller;
2. Obtain the authorization of the personal information controller in advance if the delegated processor needs to redelegate the processing;
3. Assist the personal information controller in responding to the requests from the personal information subject;
4. Promptly inform the personal information controller if the delegated processor cannot guarantee a sufficient level of data security protection or encounters a safety incident during the processing of personal information;
5. No longer retain the personal information once the delegation relationship terminates.

References

^[1] PIPL Draft. Art. 22.

^[2] PI Specification. 9.1 c).

According to the PIPL Draft, the personal information controller shall conclude contract with the entrusted party on the purpose, method, types of personal information, protection measures of processing, as well as the rights and obligations of both parties, etc. and supervise the personal information processing activities of the entrusted party^[1]. In addition, it shall be noted that the PIPL Draft requires separate consent when providing personal information to a third party^[2].

The PI Specification requires the personal information controller to supervise the processor in the manners including but not limited to establish the processor’s responsibilities and duties through contract and carry out an audit of the processor^[3]. It also requires the personal information controller to carry out a personal information security impact assessment, ensuring that the processor has met data security capabilities requirement and provides sufficient security safeguards^[4]. If the controller learns or finds that the processor has not handled the personal information in accordance with the instructions of the controller or failed to effectively fulfill the personal information security protection responsibility, the controller shall immediately request the processor to cease the relevant activity, and take or require the processor to remediate. Measures (such as changing passwords, revoking permissions, disconnecting network connections, etc.) should be adopted to control or eliminate security risks to personal information. If necessary, the controller of personal information shall terminate the business relationship with the processor and require the processor to delete the personal information obtained from the controller of the personal information in a timely manner^[5].

Besides, there might be stricter requirements in special sectors. Processing of personal financial information with higher sensitivity like user’s authentication information(C3) and supplementary information for authentication in C2, could not be delegated to third party^[6].

References

^[1] PIPL Draft. Art. 22.

^[2] PIPL Draft. Art. 24.

^[3] PI Specification. 9.1 d).

^[4] PI Specification. 9.1 b).

^[5] PI Specification. 9.1 f).

^[6] Personal Financial Information Protection Technical Specification. 6.1.4.4.

Under CSL regime, tracking technologies like cookies are not prohibited, while cookies are usually regarded as personal information and the collection of which shall comply with personal information requirements.

The PI Specification recommends limited personalized display^[1] and user profiling^[2]. It is “direct user profiling” when the personal information of a specific natural person is directly used to create a unique model of the natural person’s characteristics^[3]. Except for realizing the purpose authorized by the personal information subject, clear personal identity should be avoided when using personal information to avoid pinpointing specific individuals. For example, in order to accurately evaluate personal credit status, direct user profiling could be used, and indirect user portraits should be used for commercial advertising purposes^[4]. Where personalized display is used in the process of providing business functions to personal information subjects, the content of personalized display and non-personalized display shall be distinguished significantly^[5]. Where personalized display is used in the process of providing business functions to personal information subjects, it is advisable to establish an independent control mechanism of the personal information subject on the personal information (such as labels, image dimensions, etc.) on which the personalized display relies, to ensure that the personal information subject is able to adjust the relevancy of the personalized display^[6]. Where personalized display that provides search results of goods or services based on customers’ interests, preferences, consumption habits, etc.is adopted in the process of e-commerce services, options not based on his/her personal characteristics shall be provided at the same time^[7]. The PI Specification also provides detailed requirements on pushing news information services to personal information subjects^[8].

In the E-commerce context, when displaying search results of commodities or services to consumers according to their interests, preferences, consumption habits and other personal characteristics, an e-commerce operator shall also provide consumers with options irrelevant to their personal characteristics, and respect and equally safeguard the lawful rights and interests of consumers^[9].

References

^[1] PI Specification. 7.2.

^[2] PI Specification. 7.4.

^[2] PI Specification. 3.8.

^[3] PI Specification. 7.4 c).

^[4] PI Specification. 7.5 a).

^[5] PI Specification. 7.5 d).

^[6] PI Specification. 7.5 b); PIPL. Art. 25.

^[7] PI Specification. 7.5 c).

^[8] E-commerce Law. Art. 18.

The Advertising Law of the People’s Republic of China (the “Advertising Law”) and the E-commerce Law of the People’s Republic of China (the “E-commerce Law”) is the fundamental law that regulates advertising and e-marketing. Depending on the direct marketing means – email, telephone call, SMS, or pop-up ad on websites – statutes and regulations on particular means, such as the Interim Measures for Administration of Internet Advertising, Administrative Provisions on Short Message Services, may apply. In terms of email marketing, the sender shall obtain consent or request of the recipient and the sender shall also disclose its true identity, contact details and the opt-out method in such advertisements distributed via electronic means^[1]. Also, the direct marketing shall not affect users’ normal use of the Internet. If the advertisement published via pop-up or other forms, a close mark shall be conspicuously indicated^[2]. The PI Specification also requires the personal information controller to ensure that the personal information subject have the right to refuse to receive commercial advertisements based on his/her personal information^[3].

References

^[1] Advertising Law. Arts. 43.

^[2] Advertising Law. Art. 44.

^[3] PI Specification. 8.4 b).

Biometric information includes personal genes, fingerprints, voice prints, palm prints, auricles, iris, facial recognition features, etc. Biometric information falls into the category of sensitive personal information^[1] (special requirements for sensitive personal information discussed under Question 6). Before collecting biometric information, the personal information controller should separately inform the personal information subject of the purpose, method and scope of collecting and using personal biometric information, as well as the retention period and other rules, and obtain the explicit consent of the personal information subject^[2].

Generally, original biometric information (such as samples, images, etc.) should not be stored. Measures that can be taken include, but are not limited to: (1) Only summarized information of biometric information is stored. (2) Use biometric information directly in the collection terminal to implement functions such as identity recognition and authentication. (3) After using face recognition features, fingerprints, palm prints, iris, etc., to implement identity recognition, authentication and other functions, delete the original image that can extract biometric information^[3]. Where biometric information is necessary to be stored, it should be stored separately from personally identifiable information^[4].

Similarly, biometric information should not be shared or transferred in general. If it is necessary to share or transfer due to business needs, the individual information subject should be informed of the purpose, the type of personal biometric information involved, the specific identity of the recipient, and the data security capabilities, etc., and obtain the explicit consent of the personal information subject^[5].

In addition, the draft of the national standard for Biometric Information Protection^[6] also provides guidance for the processing of biometric information.

References

^[1] PIPL. Art. 29; PI Specification. Annex B.

^[2] PI Specification. 5.4 c).

^[3] PI Specification. 6.3 c).

^[4] PI Specification. 6.3 b).

^[5] PI Specification. 9.2 i).

^[6] Information technology – Security techniques – Biometric information protection (ISO/IEC 24745: 2011) puts forward technical requirements for biometric system and identity management system, etc.

Under the CSL, CIIOs shall store within the territory of PRC personal information and important data collected and generated during its operation within the territory of PRC. Where such information and data have to be provided abroad for business purpose, security assessment shall be conducted pursuant to the measures developed by the CAC together with competent departments of the State Council, unless otherwise provided for in laws and administrative regulations, in which such laws and administrative regulations shall prevail^[1].

The PIPL Draft specifies the rules on cross-border provision of personal information on the level of law and will greatly promote the implementation of the cross-border provision of personal information rules when entering into force. According to PIPL Draft, CIIOs and personal information controllers whose processing of personal information reaches the number prescribed by the State Cyberspace Administration shall store the personal information collected and generated with the territory of PRC^[2]. If it is indeed necessary to provide such information overseas, the personal information controllers shall pass security assessment organized by the State Cyberspace Authorities. For other personal information controllers, at least one of the following conditions shall be met when transferring personal information overseas^[3]:

1. Having undertaken personal information protection certification conducted by professional agencies;
2. Having signed a contract with the overseas receiving parties;
3. Otherwise stipulated by laws, administrative regulations or the state cyberspace authorities.

So far, there has been no detailed measures regarding the security assessment and certification mentioned in the PIPL Draft.

References

^[1] CSL. Art. 37.

^[2] PIPL Draft. Art. 40.

^[3] PIPL Draft. Art. 38.

Under the CSL, China adopts the MLPS, under which network operators are required to perform obligations of security protection to ensure that the network is free from interference, disruption or unauthorized access, and prevent network data from being disclosed, stolen or tampered^[1] such as technological measures to prevent computer viruses, network attacks, network intrusions, measures to monitor and record the network operation status and cyber security incidents, data classification, back-up and encryption of important data, etc.

In particular, for personal information, personal information controllers shall keep the user information that they have collected in strict confidence and shall establish and improve their user information protection system^[2]. Personal information controllers shall take technical and other necessary measures to ensure the security of personal information it collects, and to protect such information from disclosure, damage or loss^[3].

Under the PIPL Draft, internal management measures are enacted to regulate personal information processing, including^[4]:

1. Formulating internal management system and operational procedures;
2. Managing personal information by hierarchical classification;
3. Taking corresponding technical security measures such as encryption and de-identification;
4. Reasonably determining the authority to process personal information and conduct security education and training for employees on a regular basis;
5. Formulating and organizing the implementation of emergency plans for personal information security incidents; and
6. Other measures as prescribed by laws and administrative regulations.

Under the PI Specification, personal information controllers should establish appropriate data security capabilities, implement necessary managerial and technical measures, and prevent personal information from leakage, damage and loss^[5]. Security measures such as encryption should be taken for transferring and storing sensitive personal information^[6].

References

^[1] CSL. Art. 21.

^[2] CSL. Art. 40.

^[3] CSL. Art. 42.

^[4] PIPL Draft. Art. 50.

^[5] PI Specification. 11.5.

^[6] PI Specification. 6.3 a).

“Cybersecurity incidents” is defined by the National Cybersecurity Incident Response Plan, one of the corresponding regulations of the CSL, as the incidents that (1) are caused by man-made reasons, defects or malfunctions of hardware and software, or natural disasters, (2) cause damage to networks, information systems or the data involved therein, and (3) cause negative effects to the society^[1]. Cybersecurity incidents can be categorized into harmful program incidents, cyber-attack incidents, information or data breach incidents, information or content security incidents, device and equipment malfunctions, disaster incidents and other incidents. Cybersecurity incidents are divided into four levels, i.e., extraordinarily significant, significant, relatively significant and general. The factors deciding the level of a cybersecurity incident include (1) severity of the damage done to critical networks and information systems (e.g., if the damage paralyzes the systems or results in the loss of business processing capabilities); (2) severity of threats on national security and stability of society posed by the loss, theft or tampering with of national secrets, important and sensitive information, and critical data; and (3) severity of other impacts on national security, social order, economic development and public interests^[2].

References

^[1] National Cybersecurity Incident Response Plan. Art. 1.3.

^[2] National Cybersecurity Incident Response Plan. Art. 1.4.

The CSL imposes higher obligations on CIIOs, and provides a special protection scheme in China on critical information infrastructure and the corresponding protection principles. However, no regulation on the identification standards, scopes or implementing rules of administration has been officially published yet. Information infrastructure – in important industries and sectors such as public communications, information service, energy, transport, water conservancy, finance, public service and e-government – might fall within the scope of such regulation. A critical information infrastructure shall be developed with the capacity to support the steady and continuous business operation, and technical security measures shall be planned, established and put into use simultaneously^[1]. In addition to those security obligations imposed on network operators, CIIOs shall also fulfill stricter obligations of security protection^[2]>.

In certain special sectors, there are specific security requirements. For example, In the financial sector, the Administrative Regulations on Financial Information Services issued by the CAC regulate the financial information service^[3] providers and require them to take affirmative organizational measures^[4] and appropriate technical measures^[5]. In the telecom sector, the Provisions on Protecting the Personal Information of Telecommunications and Internet Users issued by MIIT contain one chapter regarding security measures. Telecommunications business operators and Internet information service providers are required to adopt security measures specified in Articles 13 to 15, covering both organizational and technical.^[6]

References

^[1] CSL. Art. 33.

^[2] CSL. Art. 34.

^[3] Financial information services were defined by the Regulations as the provision of information or data that may affect the financial market to users involved in financial analysis, financial trading and financial decision-making, or other financial activities.

^[4] Administrative Regulations on Financial Information Services. Arts. 5 & 7.

^[5] Administrative Regulations on Financial Information Services. Arts. 6 & 9.

^[6] Provisions on Protecting the Personal Information of Telecommunications and Internet Users. Arts. 13-15.

Network operators are required by the CSL to report the incident that threatens cybersecurity to competent authority in accordance with regulations and build up incident response plan^[1]. In case of disclosure, damage or loss of, or possible disclosure, damage or loss of personal information, the network operator shall take immediate remedies, notify the users in accordance with the relevant provisions, and report to competent authority^[2].

The PIPL Draft and the PI Specification further illustrates the circumstances and content of such reporting. After a personal information security incident occurs, the personal information controller should, among other things, report in a timely manner according to provisions in the National Cybersecurity Incident Response Plan and the Public Internet Network Security Incident Emergency Response Plan^[3]. The content of the report should include but not be limited to: type, quantity, content, and nature of PI subject; possible impact of the incident; measures that have been or will be adopted; and contact information of relevant personnel handling the incident^[4]. Where the personal information breach may cause serious harm to the legitimate rights and interests of the personal information subject, such as the leakage of sensitive personal information, the personal information controller should inform that personal information subject^[5]. The affected individuals should be informed of the incident in a timely manner by mail, letter, phone, push notification, etc. When it is difficult to inform the subjects of personal information one by one, a reasonable and effective way should be adopted to issue warning information related to the public^[6]. The content of the notification shall include, but is not limited to: 1) the content and impact of security incidents; 2) disposal measures taken or to be taken; 3) suggestions for the personal information subject to autonomously prevent and reduce risks; 4) remedial measures provided for personal information subjects; 5) contact information of the person in charge of personal information protection and the personal information protection agency^[7].

Besides, the PIPL Draft also specifies that personal information controllers who can take measures to effectively avoid damage caused by leakage of information may not be required to notify relevant individual thereof. However, if the competent authorities believe that the leakage may cause damage to relevant individual, they shall be entitled to require the controllers to notify the individual^[8].

References

^[1] CSL. Art.25.

^[2] CSL. Art.42; Civil Code. Art. 1038.

^[3] Public Internet Network Security Incident Emergency Response Plan prescribed in Art 3.4 and 4.2 that disclosing more than 100,000 Internet users’ information would fall into the scope of normal incidents and should be reported to the Bureau of Communications Administration.

^[4] PI Specification. 10.1 c) 3).

^[5] PI Specification. 10.1 c) 4).

^[6] PI Specification. 10.2 a).

^[7] PI Specification. 10.2 b).

^[8] PIPL Draft. Art. 55.

Under the CSL, the State shall take necessary measures to impose punishments on unlawful and criminal network activities according to the laws, and to maintain the security and order of cyberspace^[1]. The Criminal Law of the People’s Republic of China has criminalized the ‘rejection to perform security management obligations for information network’, the ‘unlawful use of information network’, the ‘assistance in criminal activities committed through information networks’ and the ‘fabrication and intentional spread of false information (including via the information networks)’.^[2] For the purpose of punishing crimes such as refusing to fulfill the obligation of managing the security of information networks, illegally using information networks and assisting in criminal activities committed through information networks and maintain the normal network order, the Supreme People’s Court and the Supreme People’s Procuratorate jointly issued the Interpretation of the Supreme People’s Court and the Supreme People’s Procuratorate on Several Issues Concerning the Application of Law in the Handling of Criminal Cases Involving Illegal Use of Information Networks and Assistance in Criminal Activities Committed through Information Networks.

References

^[1] CSL. Art. 5.

^[2] Criminal Law. Arts. 286.1, 287.1, 287.2, and 291.1.

The enforcement authorities in this field at least include the CAC, the MIIT, the MPS and industry regulators. According to Article 8 of the CSL, the CAC is in charge of overall planning with regard to data protection and privacy, and co-ordinates the competent authorities. The MIIT, MPS, SAMR, and industrial regulators are in charge of law enforcement in their respective sectors.

Laws and regulations in different sectors also contain provisions in protecting data subjects’ rights. The E-commerce Law requires E-commerce business operators to clearly state the methods and procedures for access, correction and deletion of user information as well as account cancellation^[1]. Article 26 of the Law on the Protection of Rights and Interests of Consumers (Revised in 2013) (the “Consumer Protection Law”) also provides that business operators shall not impose unfair and unreasonable provisions on consumers such as elimination or restriction of consumer rights.

The PIPL Draft provides and describes in detail the following personal information subjects’ rights:

1. Right to know and make decisions on the personal information processing^[2];
2. Right to restrict or refuse other to process his/her personal information^[3];
3. Right to consult or copy his/her personal information^[4];
4. Right to request for corrections or supplements^[5];
5. Right to delete: personal information shall be deleted where the agreed storage period has expired or the purpose of personal information processing has been achieved, the personal information controller stops providing products or services or withdraws his/her consent, and other circumstance as prescribed by laws and regulations^[6];
6. Right to explain the rules on personal information processing^[7];
7. Rights related to automated decision-making: individuals have the right to require controllers to give an explanation and refuse to make decisions only by means of automated decision-making, when they consider that an automated decision-making has a material impact on their rights and interests, and the controllers shall simultaneously provide the option to not target personal characteristics of an individual on direct marketing and information notification by automated decision-making^[8];
8. Right to withdraw his/her consent to the processing of personal information based on his/her consent^[9].

In addition, the personal information controller shall establish a mechanism for accepting and processing applications for exercising personal rights by individuals, and provide reasons for rejection^[10].

Rights under the PI Specification are similar with those under the PIPL Draft as the rights of access, rectification, deletion, withdrawal of consent, obtaining copies of personal information, etc.^[11] The PI Specification additionally prescribes the right of de-registration that personal information controller that provides products or services through registered accounts should provide the method for de-registration^[12].  After accepting the request to cancel the account, if manual processing is required, the verification and processing shall be completed within the promised time limit (not exceeding 15 working days)^[13]. A note to the right to access is that when a personal information subject requests access to personal information that he or she did not voluntarily provided, personal information controllers can evaluate the request, taking into account the risk or harm to the subject’s lawful rights and interests that could arise from not responding to the request, technical feasibility, cost, and other factors in carrying out the request^[14]. As for the right to withdraw, the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal^[15].

The PI Specification provides exceptions that the personal information controller may not respond to the rights of personal subjects include^[16]:

1. those related to the fulfillment of personal information controllers’ obligations imposed by laws and regulations;
2. those directly related national security and national defense;
3. those directly related to public safety, public health, and significant public interests;
4. those directly related to criminal investigation, prosecution, trial, and judgment enforcement, etc.;
5. where the personal information controller has sufficient evidence to show that the personal information subject is subjectively malicious or abuses his/her rights;
6. when safeguarding the major lawful rights and interests such as life and property of personal information subjects or other persons, and it is difficult to obtain the authorized consent of the personal information subject;
7. where responding to the request of the personal information subject will cause serious damage to the legitimate rights and interests of the personal information subject or other individuals and organizations;
8. where trade secrets are involved.

Even under such exceptions, however, the personal information controller should inform the personal information subject of the reason for the decision and provide the personal information subject with a channel for making complaints^[17].

References

^[1] E-commerce Law. Art. 24.

^[2] PIPL Draft. Art. 44.

^[3] PIPL Draft. Art. 44.

^[4] PIPL Draft. Art. 45.

^[5] PIPL Draft. Art. 46.

^[6] PIPL Draft. Art. 47.

^[7] PIPL Draft. Art. 48.

^[8] PIPL Draft. Art. 25.

^[9] PIPL Draft. Art. 16.

^[10] PIPL Draft. Art. 49.

^[11] PI Specification. 8.1-8.4, 8.6.

^[12] PI Specification. 8.5.

^[13] PI Specification. 8.5. The Measures for the Determination of the Collection and Use of Personal Information by Apps in Violation of Laws and Regulations also provides the time limit of 15 working days for response.

^[14] PI Specification. 8.1.

^[15] PI Specification. 8.4.

^[16] PI Specification. 8.7 e).

^[17] PI Specification. 8.7 f).

Besides enforced by a regulator, the affected individuals may also bring tort claims before courts. According to the Notice of the Supreme People’s Court on Issuing the Decision on Amending the Provisions on the Cause of Action on Civil Cases issued on Dec 30^th, 2020, “dispute relating to personal information protection” has been added as an independent cause of action. Legal bases for an individual to initiate private litigation include the General Rules of the Civil Law, Tort Liability Law, Consumer Protection Law, the CSL and the PI Specification. At the same time, individuals could make complaints to the authorities, which might initiate an investigation against the business.

One civil case worth noting involved an individual suing Hangzhou Safari Park for denying his contractual right as a consumer to enter into the park without registration for facial recognition. Unlike most cases, which end in settlement, the court ruled in favor of the plaintiff and required Hangzhou Safari Park to compensate the plaintiff for the contractual loss. Yet, the legal bases invoked by the court were mainly contract laws and consumer protection laws. Little analysis referring directly to the privacy protection regulations was conducted by the court.

Since the Civil Code came into effect on 1 January 2021, there has already been a civil litigation where an individual was sued for illegal trade in personal information in a public interest lawsuit. It is expected that there will be more private litigations on personal information protection in the coming year.

In general, the violations of laws relating to personal information protection would usually be prosecuted by public authorities, but according to the Interpretations of the Supreme People’s Court on the Application of the Criminal Procedure Law of the People’s Republic of China (the “Interpretations”) which came into force on March 1^st 2021, minor criminal cases of private prosecution which the procuratorate has initiated no public prosecution but the victim has the evidence to prove so would be directly accepted by the people’s courts^[1]. Cases which the defendant may be given a punishment not severe than an imprisonment of three years would fall into the scope of private right of action, such as persons selling or providing personal information of citizens to others in violation of relevant national provisions.

Reference

^[1] Interpretations. Art. 1(2).

Since it is a tort claim, the rules of actual damages and injury of feelings in the Civil Code[1] may apply^[2].

References

^[1] Civil Code. Art. 111. The personal information of a natural person shall be protected by the law. Any organization or individual shall legally obtain the personal information of others when necessary and ensure the safety of such personal information, and shall not illegally collect, use, process or transmit the personal information of others, or illegally buy or sell, provide or make public the personal information of others.

^[2] As the CSL has been implemented since 1 June 2017, it is hard to ascertain the awarded damages from limited private civil lawsuits.

China witnessed tightening law enforcement in privacy and data protection in recent years. In general, most cases or proceedings in privacy and data protection field are administrative investigation and punishment initiated and imposed by government authorities. Meanwhile, the CSL and the Consumer Protection Law are the two fundamental legal basis the authorities refer to in regulating and issuing punishment. The PI Specification serves as a key reference as well. In the future, the PIPL Draft will also be one of the legal bases.

Mobile Applications, the most popular way for business to collect personal information, has been put spotlight on by the enforcement authorities throughout these years. In January 2019, the Office of CAC, MIIT, MPS, and SAMR jointly issued the Announcement of Launching Special Crackdown Against Illegal Collection and Use of Personal Information by Apps, and the project continued in 2020. Among all 31 categories of the apps that had been reported for infringement of personal information rights, the top three categories were audio-visual entertainment, financial loan and online shopping. To implement the Announcement, a series of standards have been issued, including the Self-assessment Guide for Illegal Collection and Use of Personal Information through Apps, Notice on Promulgation of the Method for Identifying the Illegal Collection and Use of Personal Information by Apps which was released in 2019 and revised in July 2020. These guidance and methods have been used as tools for App operators to conduct self-inspection as well as for law enforcement department to determine unlawful privacy and data protection activities. Besides, the criminal enforcement has been tightened up as well. Major regulatory and enforcement activities that drive public attention include the project “Clearing the Network 2020” targeting illegal acts including infringement of personal information launched by the MPS, the project “Brightening the Network 2020” targeting illegal content in the cyberspace launched by the CAC, and the MIIT publicly criticizing apps that infringed customers’ rights and interests and requiring removal of such apps from app stores.

Depending on the violation, different sanctions and penalties may be imposed by the CSL^[1]. For example, none-compliance with the personal information protection related provisions in the CSL may result in order to take rectification measures, warning, confiscation of illegal earnings, fines, or a combination thereof. The fine is more than the illegal earnings but less than ten times of the illegal earnings. In the event that there are no illegal earnings, the fine is no more than 1 million Chinese Yuan. The directly responsible person may face a fine ranging from 10,000 to 100,000 Chinese Yuan. In case of severe violation, the competent authority may order suspension of related business, winding up for rectification, shutdown of website, and revocation of business license of such operator or provider^[2].

Administrative penalties under the PIPL Draft may be up to CNY50 million or 5% of the annual revenue of the violator from the previous year^[3]. Any directly liable person-in-charge or any other directly liable individual shall be fined between CNY100,000 and CNY1 million, and any unlawful act shall be entered into credit files and be disclosed to the public^[4].

As for the criminal liability, the basic requirement is that, when persons sell or provide personal information of citizens to others in violation of relevant national provisions, and the circumstances are serious, the sentence can be fixed-term imprisonment of no more than 3 years or criminal detention, in combination of fines, or the sentence can be fines alone; if the circumstances are particularly serious, the sentence shall be fixed-term imprisonment from 3 to 7 years, in combination of fines^[5].

References

^[1] CSL. Arts. 59-75.

^[2] CSL. Art. 64.

^[3] PIPL Draft. Art. 62.

^[4] PIPL Draft. Art. 63.

^[5] Criminal Law. Art. 253.

A citizen, a legal person or any other organization may first apply to the relevant administrative organ for reconsideration and, if refusing to accept the reconsideration decision, may initiate an action to the people’s court. Unless it is required by any relevant laws to exhaust administrative reconsideration before seeking judicial review, it/he may also initiate an action to the people’s court directly^[1].

Reference

^[1] Administrative Procedure Law of the People’s Republic of China (Amended in 2017). Art. 44.