This country-specific Q&A provides an overview of the Data Protection & Cyber Security laws and regulations that apply in China.
Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data they regulate, and who enforces the laws)?
Coming into effect on 1 June 2017, the Cyber Security Law of the People’s Republic of China (《中华人民共和国网络安全法》) (the “CSL”) forms the backbone of cybersecurity and data privacy protection. Since the CSL does not stipulate comprehensive rules, China’s data and privacy framework is a patchwork of various laws, measures and sector-specific regulations, as well as national standards. The CSL imposes different data privacy obligations on network operators (NOs) and critical information infrastructure operators (CIIOs). Network operators encompass virtually all companies involved in any kind of Internet-based services.1 Among them, CIIOs are the network operators of critical information infrastructure in important industries that, once damaged, disabled or subject to data disclosure, may severely threaten national security, the national economy, people’s livelihood and public interests.2
The non-binding national standard GB/T 35273-2017 Information Security Technology – Personal Information Security Specification (GB/T 35273-2017 《信息安全技术——个人信息安全规范》) (the “PI Specification”) sets out the obligations of privacy protection in detail. Drafted with reference to the European General Data Protection Regulation (GDPR), the PI Specification adopts some definitions from the GDPR; e.g., the definitions of personal information controller and personal information processor mirror the definitions of data controller and data processor under the GDPR. The PI Specification plays a key role in personal information protection and has been cited by courts and enforcement authorities. An increasing number of companies in the market also refer to the PI Specification as the standard when self-auditing their personal information protection.
For certain types of information, the authorities have enacted special regulations or standards. Taking the financial sector as an example, the People’s Bank of China (中国人民银行), the central bank responsible for regulating financial institutions in mainland China, issued rules to protect personal financial information even before the CSL was enacted, such as the Notice from the People’s Bank of China on Further Proper Protection of Personal Financial Information of Customers by Financial Institutions (《中国人民银行关于金融机构进一步做好客户个人金融信息保护工作的通知》) in 2011.
The enforcement authorities in this field at least include the Cyberspace Administration of China (国家互联网信息办公室), the Ministry of Industry and Information Technology (工业和信息化部), the Ministry of Public Security (公安部) and industry regulators.
1 – CSL. § 76.1 & 76.3. A Network Operator (NO) refers to the owner or manager of a network or the provider of a network service.
2 – CSL. § 31. CIIO refers to the network operator of the critical information infrastructure in important industries and sectors such as public communications, information service, energy, transport, water conservancy, finance, public service and e-government, and other critical information infrastructure that, once damaged, disabled or data disclosed, may severely threaten the national security, national economy, people’s livelihood and public interests.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
No binding law requires a data controller or processor to register its privacy mechanism; however, if it falls within the scope of a network operator under the CSL, it must comply with the requirements of the Multi-Level Protection Scheme (MLPS, “等级保护制度”).3
3 – CSL. § 21.
How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
Personal information under the CSL is defined as the information that is recorded in electronic or any other form and used alone or in combination with other information to recognize the identity of a natural person.4 The PI Specification expands the definition of “personal information” to include the information that reflects a person’s activities.5
Personal sensitive information is defined in the PI Specification as information that, if leaked, illegally provided or used without authorization, will endanger human rights and property interest, or cause damages to reputation, physical and mental health, or lead to discriminatory treatment.
Another key concept is the “important data” that is defined as data closely related to national security, economic development, and social and public interests.6
4 – CSL. § 76.5.
5 – PI Specification. 3.1.
6 – Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data (Draft) (《个人信息和重要数据出境安全评估办法》（草案）). § 17 (stipulating that the specific scope of “important data” is to be determined by reference to relevant national standards and important data identification guidelines; the official national standards and guidelines have not yet been issued).
Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there rules relating to the form, content and administration of such consent?
Overall, a noticeable difference from the GDPR is that the legal basis under the CSL is entirely consent-based. The CSL requires a network operator to expressly notify users and obtain their consent if its products or services collect user information, and to comply with the relevant laws and regulations governing personal information protection where users’ personal information is involved.8 With a few exceptions listed in the PI Specification, a network operator is required to inform the personal information subject of the purposes, means and scope of the collection and use of his or her personal information, and consent must be obtained prior to such collection.9 Any subsequent processing of personal information must be carried out within the scope of the consent. A renewed consent is required when the processing exceeds the original scope of consent.
8 – CSL. §22.
9 – PI Specification. 5.3 (a).
What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?
Explicit consent from the personal information subject is required for processing sensitive personal information.10 “Explicit consent” is defined as express consent given in writing or through other unambiguous and affirmative actions freely made by the personal information subject.11 A personal information controller is required to ensure that the explicit consent of the personal information subject is freely given, specific, fully informed and unambiguous.12 Prior to the collection of sensitive personal information, whether through voluntary provision or automatic collection, the personal information controller should:
1) inform the personal information subject of the core functions of the products or services provided and the personal sensitive information that must be collected for them, and clearly disclose the consequences that may follow if the personal information subject refuses to provide it or refuses to consent. The personal information controller should allow the personal information subject to choose whether the provision or automatic collection of the personal sensitive information is allowed;
2) where the products or services provide other additional functions for which personal sensitive information needs to be collected, explain to the personal information subject prior to the data collection which personal sensitive information is needed for which specific additional function, and allow the personal information subject to choose, function by function, whether the provision or automatic collection of the personal sensitive information is allowed. When the personal information subject refuses, the related additional functions may be stopped, but this should not be a reason to stop providing the core business functions, and the related service quality should be maintained.13
Network operators are prohibited by the CSL from collecting personal information that is not relevant to the services they provide.14 Collecting personal information expressly banned by laws and regulations is unlawful under the PI Specification.15 Some sectors may also prohibit the collection of certain types of information.
10 – PI Specification. 5.5.
11 – PI Specification. 3.6.
12 – PI Specification. 5.5 a).
13 – PI Specification. 5.5 b).
14 – CSL. § 41.
15 – PI Specification. 5.1 d).
How do the laws in your jurisdiction address children’s PII?
Personal information of persons aged 14 or under is children’s personal information and is classified as personal sensitive information.16 Before collecting personal information of minors17 aged 14 or older, the personal information controller shall seek explicit consent from the minors or their guardians; where the minors are aged under 14, it shall seek explicit consent from their guardians.18
16 – PI Specification. 3.2.
17 – Eighteen is the age of majority in China.
18 – PI Specification. 5.5 c).
Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Under the CSL, network operators are required to record network operations and cybersecurity events and to retain the related network logs for no less than six months.19 Since the CSL is a binding law and the enforcement authorities have published sanctions against those who failed to retain the logs, most business entities follow this requirement and keep log records for no less than six months.
A personal information controller is required to keep records in certain circumstances under the PI Specification. For example, when it is genuinely necessary for work to allow specific personnel to exceed their privileges to process personal information, the person responsible for personal information protection or the personal information protection work organization should conduct an assessment, approve the exception and make a record of it.20 A personal information controller should accurately record and retain the arrangements for delegation of personal information processing.21 When sharing or transferring personal information for reasons other than merger, acquisition or restructuring, it is required to accurately record and retain the circumstances of the sharing or transfer, including the dates, the scale, the purposes, the basic information of the recipient, etc.22
19 – CSL. § 21.3.
20 – PI Specification. 7.1 d).
21 – PI Specification. 8.1 e).
22 – PI Specification. 8.2 d).
Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?
Current laws and regulations in China do not impose a prior consultation requirement like that of the GDPR.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
A CIIO shall conduct a security assessment where personal information and important data generated from its operations in China need to be provided abroad for business reasons.23 A CIIO shall also, by itself or by entrusting a cybersecurity service provider, conduct an examination and assessment of its cybersecurity and potential risks at least once a year, and submit the results together with improvement measures to the competent authorities.24
Personal information controllers are advised by the PI Specification to establish a personal information security impact assessment system and to conduct a personal information security impact assessment regularly (at least once a year).25 The PI Specification also advises personal information controllers to carry out risk assessments in specific scenarios, such as when ensuring that a delegated processor has sufficient data security capabilities and provides sufficient security safeguards, when sharing or transferring personal information for reasons other than merger, acquisition or restructuring, where personal information has to be publicly disclosed as authorized by law or for reasonable cause, or where personal information collected and produced during operations in the mainland territory of the People’s Republic of China is transferred abroad.26 Additionally, when laws and regulations introduce new requirements, when a major change occurs to the business model, information system or operational environment, or when a major personal information security incident occurs, a new personal information security impact assessment should be conducted.27
A personal information security impact assessment mainly aims to evaluate whether processing activities comply with the basic principles of personal information security and to assess the impact of the personal information processing on the lawful rights and interests of the PI subject.28 In carrying out the assessment, businesses find it helpful to refer to the non-binding draft guide named Information Security Technology – Security Impact Assessment Guide of Personal Information (《信息安全技术 个人信息安全影响评估指南》) (the “PIA Guide”). The PIA Guide provides details on who should initiate the assessment, how to prepare for it, what factors should be considered and how to balance those factors.29
23 – CSL. § 37.
24 – CSL. §38.
25 – PI Specification. 10.2 a).
26 – PI Specification. 8.1 b), 8.2 a), 8.7.
27 – PI Specification. 10.2 c).
28 – PI Specification. 10.2 v).
29 – PIA Guide. 4.4, 5.2, 5.4-5.6, 6.
Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?
The CSL requires network operators to appoint personnel responsible for cybersecurity.30 The organizational measures in the PI Specification also advise a personal information controller to appoint a head in charge of personal information protection and an agency in charge of personal information protection.31 If an organization has more than 200 personnel and its main business involves processing personal information, or if the organization expects to handle the personal information of more than 500,000 people within 12 months, it should establish a department with designated staff in charge of personal information security.32 Unlike the DPO under the GDPR, the person in charge of personal information protection is less independent, as he or she is directly responsible for personal information security.33
30 – CSL. § 21.1.
31 – PI Specification. 10.1 b).
32 – PI Specification. 10.1 c).
33 – PI Specification. 10.1 d) 1).
Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
34 – CSL. § 41.
35 – PI Specification. 5.6 a).
36 – PI Specification. 5.6 f).
37 – PI Specification. 6.4 b).
38 – PI Specification. 9.2 a).
Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?
Laws in China apply directly to service providers that process personal information. The CSL regulates network operators, which are defined to include the owners, administrators and providers of network systems. Virtually all companies involved in any kind of Internet-based services, including service providers involved in such services, are subject to the CSL and its accompanying laws.
Although the PI Specification mainly regulates personal information controllers, it also lays out a number of requirements for delegated processors to follow:39 (1) process the personal information strictly in accordance with the instructions of the personal information controller; if the delegated processor cannot process the personal information according to the requirements of the personal information controller for special reasons, it shall promptly inform the personal information controller; (2) obtain the authorization of the personal information controller in advance if the delegated processor needs to re-delegate the processing; (3) assist the personal information controller in responding to requests from the personal information subject; (4) promptly inform the personal information controller if the delegated processor cannot guarantee a sufficient level of data security protection or encounters a security incident during the processing of personal information; and (5) no longer retain the personal information once the delegation relationship terminates.40
39 – PI Specification. 8.1 c).
40 – PI Specification. 8.1 c).
Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?
The PI Specification requires the personal information controller to supervise the processor by means including, but not limited to, establishing the processor’s responsibilities and duties through a contract and carrying out an audit of the processor.41 It also requires the personal information controller to carry out a personal information security impact assessment to ensure that the delegatee has sufficient data security capabilities and provides sufficient security safeguards.42
41 – PI Specification. 8.1 d).
42 – PI Specification. 8.1 b).
Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization from a regulator?)
According to Article 37 of the CSL, CIIOs shall store personal information and important data gathered and produced during operations within the territory of the People’s Republic of China. Where it is really necessary to provide such information and data to overseas parties due to business needs, a security assessment shall be conducted in accordance with the measures formulated by the national cyberspace administration authority in concert with the relevant departments under the State Council.
As for network operators, the authorities have only released draft versions of the applicable regulations on cross-border data transfer. Under the applicable draft, when a network operator provides overseas parties with personal information and important data gathered and produced during operations within the territory of the People’s Republic of China, a security assessment shall be conducted,43 and personal information subjects shall be notified of the purpose, scope and type of the transfer and the country or region in which the recipient is located, and shall consent to the transfer, subject to limited exceptions.44 A growing number of entities have sought advice on this, and some have started preparing to conduct the security assessment.
43 – Measures on Security Assessment for Cross-border Transfer of Personal Information and Important Data (Draft for Comments) (《个人信息和重要数据出境安全评估办法（征求意见稿）》). § 2.
44 – Measures on Security Assessment for Cross-border Transfer of Personal Information and Important Data (Draft for Comments). § 4.
What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?
The CSL imposes security obligations on network operators, which encompass the owners, administrators and providers of network systems. Network operators shall keep the user information they have collected in strict confidence and shall establish and improve their user information protection systems.45 Network operators shall take technical and other necessary measures to ensure the security of the personal information they collect, and to protect such information from disclosure, damage or loss.46
Under the PI Specification, personal information controllers should establish appropriate data security capabilities, implement the necessary managerial and technical measures, and prevent personal information from leakage, damage and loss.47 Security measures such as encryption should be applied when transferring and storing sensitive personal information.48
Does your jurisdiction impose requirements of data protection by design or default?
No provision in the current binding data and privacy laws imposes any requirement of privacy by design or by default, although such practices are helpful for fulfilling the obligations imposed by the CSL.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
“Cybersecurity incidents” are defined by the National Cybersecurity Incident Response Plan (《国家网络安全事件应急预案》), one of the regulations corresponding to the CSL, as incidents that (1) are caused by human factors, defects or malfunctions of hardware and software, or natural disasters, (2) cause damage to networks, information systems or the data therein, and (3) cause negative effects on society.49 Cybersecurity incidents are categorized into harmful program incidents, cyber-attack incidents, information or data breach incidents, information or content security incidents, device and equipment malfunctions, disaster incidents and other incidents. Cybersecurity incidents are divided into four levels, i.e., extraordinarily significant, significant, relatively significant and general. The factors deciding the level of a cybersecurity incident include (1) the severity of the damage done to critical networks and information systems (e.g., whether the damage paralyzes the systems or results in the loss of business processing capabilities); (2) the severity of the threat to national security and social stability posed by the loss, theft or tampering of national secrets, important and sensitive information, and critical data; and (3) the severity of other impacts on national security, social order, economic development and public interests.50
49 – National Cybersecurity Incident Response Plan. § 1.3.
50 – National Cybersecurity Incident Response Plan. §1.4.
How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?
Depending on the violation, different sanctions and penalties may be imposed under the CSL.59 For example, non-compliance with the personal information protection provisions of the CSL may result in an order to take rectification measures, a warning, confiscation of illegal earnings, fines, or a combination thereof. The fine is between one and ten times the illegal earnings. Where there are no illegal earnings, the fine is no more than 1 million Chinese Yuan. The directly responsible person may face a fine ranging from 10,000 to 100,000 Chinese Yuan. In case of severe violation, the competent authority may order suspension of the related business, winding up for rectification, shutdown of the website, and revocation of the business license of the operator or provider.60 A citizen, legal person or other organization may first apply to the relevant administrative organ for reconsideration and, if it does not accept the reconsideration decision, may bring an action before the people’s court. Unless the relevant laws require administrative reconsideration to be exhausted before seeking judicial review, it may also bring an action before the people’s court directly.61
59 – CSL. § 64.
60 – Administrative Procedure Law of the People’s Republic of China (Amended in 2017) (《中华人民共和国行政诉讼法（2017修正）》). § 45.
61 – Administrative Procedure Law of the People’s Republic of China (Amended in 2017) (《中华人民共和国行政诉讼法（2017修正）》). § 45.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
The PI Specification sets out the following exceptions to obtaining the consent of the personal information subject for the collection and use of personal information:62
i. those directly related to national security and national defense;
ii. those directly related to public safety, public health, and significant public interests;
iii. those directly related to criminal investigation, prosecution, trial, and judgment enforcement, etc.;
iv. when safeguarding the major lawful rights and interests such as life and property of personal information subjects or other persons, and it is difficult to obtain the consent of the personal information subject;
v. when the personal information subject has voluntarily disclosed the collected personal information to the general public;
vi. when the personal information is collected from legitimate public information channels, such as the legitimate news reports and open government information;
vii. when necessary to sign and perform a contract according to the personal information subject’s request;
viii. when necessary to maintain the safe and stable operation of the provided products or services, such as to detect and handle product or service malfunctions;
ix. when necessary for the personal information controller, as a news agency, to make legal news reports;
x. when necessary for the personal information controller, as an academic research institute, to conduct statistical or academic research in the public interest, which also has de-identified the personal information when providing academic research or results externally;
xi. other situations specified by laws and regulations.
However, since these exceptions are provided by the non-binding PI Specification rather than the CSL, the CSL prevails in case of any conflict.
62 – PI Specification. 7.3 a).
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?
Under the CSL regime, tracking technologies such as cookies are not prohibited, but cookies are usually regarded as personal information, and their collection must comply with the personal information requirements. As for other forms of profiling, the PI Specification recommends limiting direct user profiling.63 “Direct user profiling” occurs when the personal information of a specific natural person is directly used to create a unique model of that person’s characteristics.64 Personal information controllers engaging in direct profiling are required by the PI Specification to disclose the existence and purposes of the direct profiling.65 Where automated decisions are made based on such profiling and have a significant impact on the personal information subject’s rights and interests, personal information controllers should provide a means for the personal information subject to lodge a complaint.66
In the e-commerce context, when displaying search results for commodities or services to consumers according to their interests, preferences, consumption habits and other personal characteristics, an e-commerce operator shall also provide consumers with options that are not based on their personal characteristics, and shall respect and equally safeguard the lawful rights and interests of consumers.67
63 – PI Specification. 7.3 a).
64 – PI Specification. 3.7.
65 – PI Specification. 5.6 a) 2).
66 – PI Specification. 7.10.
67 – E-commerce Law. § 18.
Please describe any laws addressing email communication or direct marketing.
The Advertising Law of the People’s Republic of China (《中华人民共和国广告法》) (the “Advertising Law”) is the fundamental law regulating advertising. Depending on the direct marketing means (email, telephone call, SMS, or pop-up ads on websites), statutes and regulations on the particular means, such as the Interim Measures for Administration of Internet Advertising (《互联网广告管理暂行办法》) and the Administrative Provisions on Short Message Services (《通信短信息服务管理规定》), may apply. In terms of email marketing, the sender shall obtain the consent or request of the recipient, and shall also disclose its true identity, contact details and the opt-out method in advertisements distributed via electronic means.68