Global Data Privacy Guide
China (Asia Pacific)
Firm: JunHe LLP
Updated: 01 Mar 2022
What is the key legislation? | China has enacted the Personal Information Protection Law (“PIPL”), the first law that comprehensively and specifically regulates personal information, with an effective date of November 1, 2021. PIPL, together with the Cyber Security Law (“CSL”) and the Data Security Law (“DSL”), takes the leading role in the field of personal information and cybersecurity protection. Provisions relating to the protection of personal information and privacy are also scattered across major civil and criminal laws and administrative regulations. The Decision on Strengthening the Network Information Protection (“NPC Decision”), issued by the Standing Committee of the National People’s Congress in December 2012, addresses the protection of personal electronic information. The Regulation on the Protection of Personal Information of Telecommunication and Internet Users (“MIIT Regulation”), issued by the Ministry of Industry and Information Technology (“MIIT”) in June 2013, addresses the collection and use of users’ personal information in the course of telecom and Internet information services. The Civil Code, adopted on May 28, 2020 and effective January 1, 2021, protects the right to personal information and privacy. The Consumer Rights and Interests Protection Law (2013 Revision) (“CPL”) includes provisions on the protection of consumers’ personal information. The Criminal Law (1997) criminalizes the illegal sale and provision of personal information and the illegal acquisition of personal information. Information security technology — Personal information security specification (“PI Specification”), issued by the Standardization Administration of the PRC in December 2017 and updated in March 2020, is the non-mandatory national standard that provides detailed requirements for personal information protection.
The Provisions on Protecting Children’s Personal Information in Cyberspace (“Children’s PI Provisions”), issued by the Cyberspace Administration of China (“CAC”) on August 23, 2019, came into effect on October 1, 2019. The Children’s PI Provisions are the first regulation in China specifically regulating children’s personal information. In addition, there are several laws and regulations addressing the protection of personal information in certain industries or sectors (e.g., telecom and banking), or personal information of a specific nature (e.g., personal credit information). |
What data is protected? | In general, these laws and regulations protect personal information, which refers to any information related to an identified or identifiable natural person that is recorded electronically or otherwise, excluding anonymized information under the PIPL. As stated above, PIPL is the first law in China to comprehensively and specifically regulate the protection of personal information. In addition, personal information falling within the scope of sectoral laws and regulations is also explicitly protected. For example, electronic personal information is protected by the NPC Decision, and consumer personal information is protected by the CPL. The CSL imposes a series of personal information protection obligations on network operators (a scope that is likely to include all companies in China); these mainly reiterate requirements under existing laws and regulations but also incorporate some new requirements. The Civil Code specifies that the personal information of a natural person shall be protected and that a natural person is entitled to privacy. Personal information is also protected by the Civil Code and the Criminal Law from the civil and criminal perspectives respectively. |
Who is subject to privacy obligations? | In general, any entity or individual that collects and uses personal information is subject to personal information protection obligations.
- The PIPL applies to all organizations and individuals as well as state organs.
- The CSL applies to network operators, defined as owners and managers of networks and network service providers, a scope that is likely to include all companies in China.
- The Civil Code applies to all organizations and individuals.
- The NPC Decision applies to network service providers and other enterprises and entities.
- The MIIT Regulation applies to telecom and Internet service providers.
- The CPL applies to business operators.
- Certain institutions, such as banking financial institutions, medical institutions and credit reporting agencies, undertake personal information protection obligations under the relevant sectoral regulations. |
What are the principles applicable to personal data processing? | According to the CSL, Civil Code, NPC Decision, MIIT Regulation and CPL, network operators and other business operators shall collect and use personal information in accordance with the principles of lawfulness, appropriateness and necessity, publicize the rules for collection and use, inform the individuals concerned of the purpose, method and scope of the collection and use of personal information, and obtain their consent. Network operators shall prepare special rules and user agreements for the protection of children's personal information, inform the children's guardians in a prominent and clear manner, and obtain the consent of the children's guardians.
According to PIPL, (i) the processing of personal information shall follow the principles of lawfulness, legitimacy, necessity and good faith, and personal information shall not be processed by means of misleading, fraud or coercion; (ii) the processing of personal information shall be for a definite and reasonable purpose, be directly related to that purpose, and be conducted in a way that minimizes the impact on personal rights and interests; (iii) the collection of personal information shall be limited to the minimum scope necessary to achieve the purpose of processing, and excessive collection of personal information is not allowed; (iv) the processing of personal information shall follow the principles of openness and transparency: the rules for processing personal information shall be made public and the purpose, method and scope of such processing shall be expressly indicated; (v) the quality of personal information shall be ensured during processing, to avoid adverse impacts on personal rights and interests caused by inaccurate or incomplete personal information; and (vi) the personal information processor (a concept similar to the data controller under the GDPR) shall be responsible for its processing of personal information and take the necessary measures to ensure the security of the personal information it processes. The Civil Code stipulates clearly, for the first time, three situations in which the party handling personal information does not bear civil liability: (1) handling within the reasonable limits of the consent of the natural person or their guardian; (2) reasonable handling of information that the natural person has made public or that has otherwise been lawfully made public, unless the natural person expressly refuses or the handling of such information infringes on their vital interests; and (3) other acts reasonably carried out to safeguard the public interest or the legitimate interests of the natural person.
Detailed requirements are provided under national standards and practical guidelines released by the government, such as PI Specification and the Rules on Determination of Illegal Collection and Use of Personal Information by Apps released by CAC, MIIT, Ministry of Public Security (“MPS”) and State Administration for Market Regulation (“SAMR”) in December 2019. |
How is the processing of personal data regulated? | According to the CSL, Civil Code, NPC Decision, MIIT Regulation and CPL, network operators and other business operators shall collect and use personal information in accordance with the principles of lawfulness, appropriateness and necessity, publicize the rules for collection and use, inform the individuals concerned of the purpose, method and scope of the collection and use of personal information, and obtain their consent. Network operators and other business operators shall not use personal information for any purpose other than the one agreed to by the relevant individual and related to the services provided. The newly adopted PIPL expands the legal bases for personal information processing beyond individual consent alone. According to PIPL, a personal information processor may process personal information only under one of the following circumstances: (i) where the consent of the individual concerned is obtained; (ii) where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or for the implementation of human resources management in accordance with lawfully formulated labor rules and regulations and a lawfully concluded collective contract; (iii) where it is necessary for the performance of statutory duties or statutory obligations; (iv) where it is necessary for responding to a public health emergency or for protecting the life, health and property of a natural person in an emergency; (v) where acts such as news reporting and public opinion supervision are carried out for the public interest, and the processing of personal information is within a reasonable scope; (vi) where it is necessary to process, within a reasonable scope and in accordance with the provisions of PIPL, personal information disclosed by the individual concerned or other personal information that has been legally disclosed;
and (vii) other circumstances prescribed by laws and administrative regulations. Where personal information is to be processed based on the consent of an individual, such consent shall be a voluntary and explicit indication of intent given by the individual on a fully informed basis. Prior to processing the personal information of an individual, a personal information processor shall inform the individual of the specified matters in a conspicuous way and in clear and easy-to-understand language, except where such matters must be kept confidential or are not required to be disclosed under laws or administrative regulations. The PIPL also introduces several new requirements for joint processing, entrusted processing, sharing personal information with third parties, automated decision-making, processing of sensitive personal information, and processing of the personal information of minors under the age of 14. |
How are storage, security and retention of personal data regulated? | The CSL, Civil Code, NPC Decision, MIIT Regulation and CPL all provide that network operators and other business operators shall take technical and other necessary measures to ensure information security and to prevent personal information gathered in their business activities from being divulged, damaged or lost. PIPL requires that the retention period of personal information be the minimum period necessary to achieve the purpose of processing, unless otherwise stipulated by laws and administrative regulations. There is no clear data retention requirement under existing PRC law except for certain special types of data. More specifically, the CSL requires network operators, subject to the requirements of the Classified Cybersecurity Protection System, to take the following measures to protect networks from disturbance, damage or unauthorized access and to prevent network data from being divulged, stolen or tampered with: (i) formulating internal security management systems and operating procedures, designating the persons in charge of network security, and implementing responsibility for network security protection; (ii) adopting technical measures to prevent computer viruses and activities that endanger network security, such as network attacks and intrusions; (iii) adopting technical measures to monitor and record network operating status and network security incidents, and retaining the relevant network logs for at least six months in accordance with the relevant provisions; (iv) adopting measures such as data classification, and backup and encryption of important data; and (v) other obligations prescribed by laws and administrative regulations.
The PIPL requires that a personal information processor, taking into account the purposes and methods of processing, the categories of personal information, the impact on individuals’ rights and interests, the possible security risks and similar factors, take the following measures to ensure that its processing activities comply with laws and administrative regulations and to prevent unauthorized access and the leakage, tampering or loss of personal information: (i) formulating internal management rules and operating procedures; (ii) carrying out classified management of personal information; (iii) adopting corresponding technical security measures such as encryption and de-identification; (iv) reasonably determining operating authority for personal information processing, and conducting regular security education and training for employees; (v) formulating and organizing the implementation of an emergency response plan for personal information security incidents; and (vi) taking other measures stipulated by laws and administrative regulations.
The MIIT Regulation requires telecom and Internet service providers to take the following measures to prevent the divulgence, destruction, alteration or loss of users' personal information: (i) determining the security management responsibilities of the various departments, posts and branches for users' personal information; (ii) establishing workflows and security management systems for the collection and use of users' personal information and other relevant activities; (iii) administering the authorities of staff members and agents, examining the export, reproduction and destruction of information, and taking anti-phishing measures; (iv) properly keeping the paper, optical, electromagnetic and other media that record users' personal information, and taking corresponding secure storage measures; (v) reviewing access to the information systems that store users' personal information, and taking anti-intrusion, anti-virus and other measures; (vi) recording the personnel who operate on users' personal information, together with the time, place, matters involved and other relevant details; (vii) carrying out communication network security protection work in accordance with the provisions of the telecommunications administrative organs; and (viii) other necessary measures specified by the telecommunications administrative organs. |
What are the data subjects' rights? | PIPL stipulates the following personal information rights: (i) the right to access and obtain a copy of personal information; (ii) the right of rectification; (iii) the right of deletion; (iv) the right to object to and restrict the processing of personal information; (v) the right to withdraw consent; (vi) the right to ask for an explanation; (vii) the right to object to automated decision-making; and (viii) the right of portability. In addition, where a natural person dies, his/her close relatives may, for the purpose of their own lawful and legitimate interests, exercise such rights as consulting, copying, correcting and deleting the relevant personal information of the deceased as prescribed in PIPL, unless otherwise arranged by the deceased prior to his/her death. The personal information processor shall establish a convenient mechanism for accepting and handling applications from individuals to exercise their rights. If an individual's request to exercise his/her rights is rejected, the reasons shall be stated. Where the personal information processor refuses an individual's request to exercise his/her rights, the individual may file a lawsuit with a people's court in accordance with the law. |
Are there restrictions on cross-border data transfers? | Yes, there are restrictions for certain types of data or in certain industries. Note: At present, certain types of personal information, such as personal credit information, personal financial information and population health information, as well as information that falls within the scope of state secrets, are restricted from being transferred abroad. In addition, the CSL restricts the export of personal information and important data collected and generated within the territory of the PRC in the operation of critical information infrastructure operators (“CIIO”): such information must be stored within the territory and must undergo a security assessment where export is necessary. PIPL further clarifies the rules for cross-border transfers of personal information by personal information processors. At least one of the following conditions must be met before personal information is exported: (a) “it shall pass the security assessment organized by the CAC”; (b) “it shall have been certified by a specialized agency for the protection of personal information in accordance with the provisions of the CAC”; (c) “it shall enter into a contract with the overseas recipient under the standard contract formulated by the CAC, specifying the rights and obligations of both parties”; or (d) “it shall meet other conditions prescribed by laws, administrative regulations or the CAC”. Export of personal information is also subject to heightened notification obligations and separate consent requirements. CIIOs, and processors that process personal information in amounts reaching the threshold specified by the state cyberspace administration, are specifically required to store the personal information they generate and collect within China locally and, if personal information is to be provided overseas, to pass the security assessment organized by the national cyberspace administration.
The PIPL also imposes stricter requirements on “separate consent” for cross-border transfers of personal information. In addition, the PIPL stipulates approval requirements of the competent authorities for providing personal information abroad in connection with international judicial assistance or administrative law enforcement assistance, and sets out anti-discrimination requirements with respect to countries and regions that have adopted discriminatory and unreasonable measures against China in terms of personal information protection. |
Are there any notification requirements for data breaches? | Yes, there are notification requirements under the current law. Note: According to the CSL, where users' personal information in the custody of a network operator is or may be divulged, destroyed or lost, the operator shall take remedial measures immediately, inform the users, and report to the relevant competent authorities in a timely manner. According to PIPL, where personal information has been or may be divulged, tampered with or lost, the personal information processor shall immediately take remedial measures and notify the authorities performing personal information protection duties and the individuals concerned. The notice shall include the following matters: (i) the categories of personal information that have been or may be divulged, tampered with or lost, the causes, and the possible harm; (ii) the remedial measures taken by the personal information processor and the measures that individuals can take to mitigate harm; and (iii) the contact information of the personal information processor. Where the personal information processor has taken measures that effectively avoid the harm caused by the divulgence, tampering or loss, it may opt not to notify the individuals concerned; if the authorities performing personal information protection duties believe that harm may still be caused, they may require the processor to notify the individuals concerned. There are also other national and local requirements for breaches involving specific types of personal information. |
Who is the privacy regulator? | There is no single privacy regulator. Various industry regulators are responsible for the protection of personal information in their corresponding sectors. Note: Examples are: The main regulator under the CSL and PIPL is the CAC, which coordinates the work of the authorities for certain industries. The collection and use of personal information by telecom and Internet service providers is regulated by MIIT. The collection and use of consumers' personal information (including in e-commerce operations) is generally regulated by the SAMR. The MPS is responsible for investigating and cracking down on Internet-related crimes. There are also other regulators in charge of specific types of personal information. |
What are the consequences of a privacy breach? | The breaching party may be subject to administrative penalties, a tort infringement lawsuit or criminal liability. According to the CSL, network operators that breach their personal information protection obligations may face penalties including orders to make corrections, suspension of business, suspension of business for rectification, website closure, revocation of a business permit, or a fine of up to RMB 1,000,000. According to the CPL, business operators that infringe consumers’ right to personal information shall be ordered by SAIC and its local counterparts to make corrections. Their illegal income may be confiscated, and they may be fined not less than the illegal income and not more than ten times the illegal income or, where there is no illegal income, not more than RMB 500,000; if the circumstances are serious, they may be ordered to suspend business operations and their business license may be revoked. According to PIPL, where personal information is processed in violation of the provisions of PIPL, or is processed without performing the personal information protection obligations stipulated in PIPL, the authorities performing personal information protection duties shall order the party concerned to make corrections, issue a warning and confiscate its illegal gains. Any application that illegally processes personal information shall be ordered to suspend or terminate the provision of services; if the party refuses to make corrections, a fine of not more than RMB 1 million shall be imposed concurrently, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge and other directly liable persons.
For any of the above illegal acts where the circumstances are serious, the authorities performing personal information protection duties at or above the provincial level shall order the party concerned to make corrections, confiscate its illegal gains, and impose a fine of not more than RMB 50 million or not more than 5% of its turnover for the previous year; they may also order it to suspend the relevant business or suspend business for rectification, and inform the relevant competent authorities to revoke the relevant business permit or business license. A fine of not less than RMB 100,000 but not more than RMB 1 million shall be imposed on the person directly in charge and other directly liable persons, and a decision may be made to prohibit those persons from acting as directors, supervisors, senior executives or persons in charge of personal information protection of relevant enterprises for a certain period of time. The infringing party may also face a privacy lawsuit filed by the injured party. Criminal liability may also apply to the illegal sale or acquisition of personal information that falls within the scope of the Criminal Law. |
How is electronic marketing regulated? | In general, no one may send commercial electronic information to individuals without the recipients' consent or request. The Law on Advertising (2015 Revision) provides that no organization or individual may deliver advertisements (including electronic advertisements) to any person without that person's consent or request. When an advertisement is sent by electronic message, the true identity and contact information of the sender shall be clearly indicated, and recipients shall be provided with a means of refusing to receive further advertisements. Further, advertisements sent via the Internet shall not interfere with users' normal use of the Internet, and if an advertisement is sent via a pop-up, the pop-up shall have a clearly visible close button so that users can close it with one click. According to PIPL, information pushing and commercial marketing to an individual through automated decision-making shall be accompanied by options that do not target the individual's personal characteristics, or a convenient means of rejection shall be provided to the individual. There are also specific rules for sending advertisements by email or text message. |
Are there any recent developments or expected reforms? | In general, the state is considering more comprehensive protection of personal information and stricter localization requirements for personal information and important data in draft laws such as the draft Regulations for the Administration of Network Data Security and the draft Measures for the Security Assessment of Outbound Data, both released for public comment in 2021. The draft Regulations for the Administration of Network Data Security is based on the CSL, DSL and PIPL as its superordinate laws. It consists of 75 articles in nine chapters and addresses many key points in detail, such as the secure cross-border transfer of data, the protection of personal information rights, the cybersecurity review standards for IPOs in foreign countries or Hong Kong, and the obligations of Internet platform operators. This draft generally reiterates the prerequisites for cross-border transfers of personal information stipulated in Article 38 of the PIPL and extends their application to all network data, as follows: (i) the data processor has passed the data export security assessment organized by the national cyberspace administration; (ii) both the data processor and the data recipient have been certified for the protection of personal information by a professional institution accredited by the national cyberspace administration; and (iii) the data processor has entered into a contract with the data recipient outside the territory of China in accordance with the standard contract regulations established by the national cyberspace administration, setting forth the rights and obligations of both parties. The draft Measures on Security Assessments of Data Exports set out the requirements for the "security assessment", which must be filed with the regulators, and the "risk self-assessment", which is an internal assessment carried out by data processors themselves.
The draft Measures on Security Assessments of Data Exports would apply to both critical information infrastructure operators and general processors that process personal information and important data. Under this draft, a data processor shall apply for a security assessment of a data export in any of the following scenarios: (i) where any personal information or important data collected and generated by a critical information infrastructure operator is transferred abroad; (ii) where the data transferred abroad contains important data; (iii) where a processor that processes the personal information of one million or more individuals transfers such personal information abroad; (iv) where the personal information of one hundred thousand or more individuals, or the sensitive personal information of ten thousand or more individuals, is transferred abroad; and (v) in any other circumstances in which the national cyberspace administration requires a security assessment of a data export to be conducted. |
Global Data Privacy Guide
China has enacted the Personal Information Protection Law (“PIPL”) as the first law comprehensively and specifically regulate personal information with the effective date of November 1, 2021. PIPL, together with the Cyber Security Law (“CSL”) and Data Security Law (“DSL”), take the leading role in the personal information and cybersecurity protection field. Provisions relating to the protection of personal information and privacy are also scattered in major civil and criminal laws and administrative regulations.
The Decision on Strengthening the Network Information Protection (“NPC Decision”) was issued by the Standing Committee of the National People’s Congress in December 2012, addressing the protection of personal electronic information.
The Regulation on the Protection of Personal Information of Telecommunication and Internet Users (“MIIT Regulation”), issued by the Ministry of Industry and Information Technology (“MIIT”) in June 2013, addressing to the collection and use of users’ personal information in the course of telecom and Internet information services.
The Civil Code adopted on May 28, 2020, took effect on January 1, 2021, protects the right to personal information and privacy.
The Consumer Rights and Interests Protection Law (2013 Revision) (“CPL”) includes provisions on the protection of consumers’ personal information.
The Criminal Law (1997) criminalizes the illegal sale and provision of personal information and illegal acquisition of personal information.
Information security technology — Personal information security specification (“PI Specification”) issued by the Standardization Administration of the PRC in December 2017 and updated in March 2020 is the non-mandatory national standard that provides detailed requirements for personal information protection.
The Provisions on Protecting Children’s Personal Information in Cyberspace (“Children’s PI Provisions”) issued by the Cyberspace Administration of China (“CAC”) on August 23, 2019, came into effect as of October 1, 2019. The Children’s PI Provisions is the first regulation in China specifically regulating a child’s personal information.
In addition, there are several laws and regulations addressing the protection of personal information in certain industries or sectors (e.g., telecom and financial banking), or personal information of a specific nature (e.g., personal credit information).
In general, these laws and regulations protect personal information, which refers to a variety of information related to an identified or identifiable natural person that is recorded electronically or otherwise, excluding anonymized information under the PIPL.
As stated above, PIPL is the first law in China to comprehensively and specifically regulate the protection of personal information. Besides, personal information falling into the scope of sectoral laws and regulations are also explicitly protected. For example, electronic personal information is protected by the NPC Decision, and consumer personal information is protected by the CPL. The CSL imposes a series of personal information protection obligations on network operators (whose scope is likely to include all companies in China), which mainly reiterates requirements under existing laws and regulations but also incorporates some new requirements. The Civil Code specifies that the personal information of a natural person should be protected, and a natural person is entitled to privacy.
Personal information is also protected by the Civil Code and Criminal Law from the civil and criminal perspectives.
In general, such an entity and individual that collects and uses personal information is subject to the obligation of personal information protection.
- The PIPL applies to all organizations and individuals as well as state organs,
- The CSL applies to network operators, defined as owners and managers of networks and the network service providers which is likely to include all companies in China.
- The Civil Code applies to all organizations and individuals.
- The NPC Decision applies to network service providers and other enterprises and entities.
- The MIIT Regulation applies to telecom and Internet service providers.
- The CPL applies to business operators.
- Certain institutions, such as banking financial institutions, medical institutions and credit reporting agencies, undertake personal information protection obligations under the relevant sectoral regulations.
According to the aforesaid laws and regulations, network operators and other business operators shall collect and use personal information in accordance with the principles of lawfulness, appropriateness and necessity, publicize the rules for collection and use, inform the individuals concerned of the purpose, method and scope of the collection and use of personal information, and obtain their consent.
Network operators shall prepare special rules and user agreements for the protection of children's personal information, inform the children's guardians in a prominent and clear manner, and obtain the consent of the children's guardians.
According to the CSL, Civil Code, NPC Decision, MIIT Regulation and CPL, network operators and other business operators shall collect and use personal information in accordance with the principles of lawfulness, appropriateness and necessity, publicize the rules for collection and use, inform the individuals concerned of the purpose, method and scope of the collection and use of personal information, and obtain their consent.
According to PIPL, (i) the processing of personal information shall follow the principles of lawfulness, legitimacy, necessity and good faith, and personal information may not be processed by means of misleading, fraud or coercion; (ii) the processing of personal information shall be for a definite and reasonable purpose, be directly related to that purpose and be conducted in a way that minimizes the impact on personal rights and interests; (iii) the collection of personal information shall be limited to the minimum scope necessary for achieving the purpose of processing, and excessive collection of personal information is not allowed; (iv) the processing of personal information shall follow the principles of openness and transparency, with the rules for processing personal information made public and the purpose, method and scope of such processing expressly indicated; (v) the quality of personal information shall be ensured during processing so as to avoid adverse impacts on personal rights and interests caused by inaccurate or incomplete personal information; and (vi) the personal information processor (a concept similar to the data controller under the GDPR) shall be responsible for its processing of personal information and shall take the necessary measures to ensure the security of the personal information processed.
The Civil Code stipulates for the first time three situations in which a party handling personal information does not bear civil liability: (1) where the handling is within the reasonable limits of the consent of the natural person or their guardian; (2) where the handling reasonably concerns information that the natural person has made public or that has otherwise been lawfully made public, unless the natural person expressly refuses or the handling of such information infringes on their vital interests; and (3) other acts reasonably carried out to safeguard the public interest or the legitimate interests of the natural person.
Detailed requirements are provided under national standards and practical guidelines released by the government, such as PI Specification and the Rules on Determination of Illegal Collection and Use of Personal Information by Apps released by CAC, MIIT, Ministry of Public Security (“MPS”) and State Administration for Market Regulation (“SAMR”) in December 2019.
According to the CSL, Civil Code, NPC Decision, MIIT Regulation and CPL, network operators and other business operators shall collect and use personal information in accordance with the principles of lawfulness, appropriateness and necessity, publicize the rules for collection and use, inform the individuals concerned of the purpose, method and scope of the collection and use of personal information, and obtain their consent. Network operators and other business operators shall not use personal information for a purpose other than the one agreed by the relevant individual and related to the services provided.
The newly adopted PIPL expands the legal bases for personal information processing beyond individual consent alone. According to PIPL, a personal information processor may process personal information only under one of the following circumstances: (i) where the consent of the individual concerned is obtained; (ii) where it is necessary for the conclusion or performance of a contract to which the individual concerned is a party, or for the implementation of human resources management in accordance with labor rules and regulations formulated in accordance with the law and a collective contract concluded in accordance with the law; (iii) where it is necessary for the performance of statutory duties or statutory obligations; (iv) where it is necessary for the response to a public health emergency or for the protection of the life, health and property safety of a natural person in an emergency; (v) where acts such as news reporting and supervision by public opinion are carried out for the public interest, and the processing of personal information is within a reasonable scope; (vi) where it is necessary to process, within a reasonable scope and in accordance with the provisions of PIPL, personal information disclosed by the individual concerned or other personal information that has been legally disclosed; and (vii) other circumstances prescribed by laws and administrative regulations.
Where personal information is to be processed based on the consent of an individual, such consent shall be a voluntary and explicit indication of intent given by such an individual on a fully informed basis. Prior to the processing of the personal information of an individual, a personal information processor shall inform the individual of the specified matters in a conspicuous way and in clear and easy-to-understand language, except when such matters shall be kept confidential or are not required to be disclosed according to law or administrative regulations.
The PIPL also provides for several new requirements for joint-processing, entrusted processing, sharing personal information with third parties, automated decision-making, processing of sensitive personal information and processing of personal information of minors under the age of 14.
The CSL, Civil Code, NPC Decision, MIIT Regulation and CPL all provide that network operators and other business operators shall take technical and other necessary measures to ensure information security and to prevent personal information gathered in their business activities from being divulged, damaged or lost.
PIPL requires that the retention period of personal information be the minimum period necessary for achieving the purpose of processing, unless otherwise stipulated by laws and administrative regulations. There is no clear data retention requirement under existing PRC laws except for certain special types of data.
More specifically, the CSL requires network operators, subject to the requirements of the Classified Cybersecurity Protection System, to take the following measures to protect networks from disturbance, damage or unauthorized access and to prevent network data from being divulged, stolen or tampered with: (i) formulating internal security management systems and operating procedures, designating the persons in charge of network security and implementing responsibility for network security protection; (ii) adopting technical measures to prevent computer viruses and activities endangering network security such as network attacks and network intrusions; (iii) adopting technical measures to monitor and record network operation status and network security incidents, and keeping the relevant network logs for at least six months in accordance with the relevant provisions; (iv) adopting measures such as data classification and the backup and encryption of important data; and (v) other obligations prescribed by laws and administrative regulations.
The PIPL requires that a personal data processor, having regard to the purposes and methods of personal data processing, the types of personal data, the impact on individuals’ rights and interests, possible security risks, etc., take the following measures to ensure that personal data processing activities comply with laws and administrative regulations and to prevent unauthorized access and the leakage, tampering or loss of personal data: (i) formulating internal management rules and operating procedures; (ii) carrying out classified management of personal data; (iii) adopting corresponding security technical measures such as encryption and de-identification; (iv) reasonably determining the operating authority for personal data processing and conducting regular security education and training for employees; (v) formulating and organizing the implementation of an emergency response plan for personal data security incidents; and (vi) taking other measures stipulated by laws and administrative regulations.
The MIIT Regulation requires telecom and Internet service providers to take the following measures to prevent the divulgence, destruction, alteration or loss of users' personal information: (i) determining the security management responsibilities for users' personal information among the various departments, posts and branches; (ii) establishing workflows and security management systems for the collection and use of users' personal information and other relevant activities; (iii) administering the authorities of staff members and agents, examining the transfer, reproduction and destruction of information, and taking anti-phishing measures; (iv) properly keeping the paper, optical, electromagnetic and other media that record users' personal information, and taking corresponding secure storage measures; (v) reviewing access to the information systems that store users' personal information, and taking anti-intrusion, anti-virus and other measures; (vi) recording the personnel who operate on users' personal information, together with the time, place, matters involved and other information thereof; (vii) conducting communication network security protection work in accordance with the provisions of the telecommunications administrative organs; and (viii) other necessary measures as specified by the telecommunications administrative organs.
PIPL stipulates the following personal information rights: (i) the right to access and obtain a copy of personal information; (ii) the right of rectification; (iii) the right of deletion; (iv) the right to object to and restrict the processing of personal information; (v) the right to withdraw consent; (vi) the right to ask for an explanation; (vii) the right to object to automated decision-making; and (viii) the right of portability. In addition, where a natural person dies, his/her close relatives may, for the purpose of their own lawful and legitimate interests, exercise such rights as consulting, copying, correcting and deleting the relevant personal information of the deceased as prescribed in PIPL, unless otherwise arranged by the deceased prior to his/her death. The personal information processor shall establish a convenient mechanism for accepting and handling applications from individuals to exercise their rights. If an individual's request to exercise his/her rights is rejected, the reasons shall be stated. Where the personal information processor refuses an individual's request to exercise his/her rights, the individual may file a lawsuit with a people's court in accordance with the law.
Yes, there are restrictions for certain types of data or in certain industries.
Note:
At present, certain types of personal information, such as personal credit information, personal financial information and population health information, as well as information that falls within the scope of state secrets, are restricted from being transferred abroad. In addition, the CSL restricts the export of personal information and important data collected and generated within the territory of the PRC in the operation of critical information infrastructure operators (“CIIO”); such information must be stored within the territory and must undergo a security assessment where it is necessary to export it.
PIPL further clarifies the rules for the cross-border transfer of personal information by personal information processors. At least one of the following conditions must be met before personal information is exported: (a) “it shall pass the security assessment organized by the CAC”; (b) “it shall have been certified by a specialized agency for the protection of personal information in accordance with the provisions of the CAC”; (c) “it shall enter into a contract with the overseas recipient under the standard contract formulated by the CAC, specifying the rights and obligations of both parties”; or (d) “it shall meet other conditions prescribed by laws, administrative regulations or the CAC”. Export of personal information is also subject to heightened notification obligations and separate consent requirements. CIIOs and processors that process personal information reaching the threshold specified by the state cyberspace administration are specifically required to store locally the personal information they generate and collect within China and, if personal information is to be provided overseas, to pass the security assessment organized by the national cyberspace administration. The PIPL also imposes stricter “separate consent” requirements for the cross-border transfer of personal information.
In addition, the PIPL also stipulates the approval requirements of the competent authorities for providing personal information abroad due to international judicial assistance or administrative law enforcement assistance and the anti-discrimination requirements for countries and regions that have adopted discriminatory and unreasonable measures against China in terms of personal information protection.
Yes, there are some notification requirements under the current law.
Note: According to the CSL, where users' personal information under the custody of a network operator is or may be divulged, destroyed or lost, the operator shall take remedial measures immediately, inform the users and report to the relevant competent authorities in a timely manner.
According to PIPL, where personal information has been or may be divulged, tampered with or lost, the personal information processor shall immediately take remedial measures and notify the authorities performing duties of personal information protection and the individuals concerned. The notice shall include the following matters: (i) the types of personal information that have been or may be involved in the divulgence, tampering or loss, the causes, and the possible harm; (ii) the remedial measures taken by the personal information processor and the measures that individuals can take to mitigate harm; and (iii) the contact information of the personal information processor. Where the personal information processor has taken measures that effectively avoid the harm caused by the divulgence, tampering or loss of information, it may opt not to notify the individuals concerned; if the authorities performing duties of personal information protection believe that harm may still be caused, they may require the personal information processor to notify the individuals concerned.
There are also other national and local law requirements for specific types of personal information breaches.
There is no single privacy regulator. Several industry regulators are responsible for the protection of personal information in their corresponding industry sectors.
Note: Examples are: The main regulator under the CSL and PIPL is the CAC, which will coordinate the work of authorities for certain industries. The collection and use of personal information by telecom and Internet service providers are regulated by MIIT. The collection and use of consumers' personal information (including in E-commerce operations) are generally regulated by the SAMR. The MPS is responsible for investigating and cracking down on crimes relevant to the internet. There are also other regulators in charge of specific types of personal information.
The breaching party may be subject to administrative punishment or face a tort infringement lawsuit or criminal liability.
According to the CSL, network operators that breach their personal information protection obligations may be subject to penalties including orders to make corrections, suspension of business, suspension of business for rectification, website closure, revocation of a business permit, or a fine of up to RMB 1,000,000.
According to the CPL, business operators infringing consumers’ right to personal information shall be ordered by SAIC and its local counterparts to make corrections. Their illegal income may be confiscated and they may be fined not less than the illegal income but not more than ten times the illegal income or, if there is no illegal income, not more than RMB 500,000; if the circumstances are serious, they may be ordered to suspend business operations and their business license may be revoked.
According to PIPL, where personal information is processed in violation of the provisions of PIPL, or is processed without performing the personal information protection obligations stipulated in PIPL, the authorities performing duties of personal information protection shall order the party concerned to make corrections, give it a warning and confiscate its illegal gains. Any application that illegally processes personal information shall be ordered to suspend or terminate the provision of services; if the party refuses to make corrections, a fine of not more than RMB 1 million shall be imposed concurrently, and a fine of not less than RMB 10,000 but not more than RMB 100,000 shall be imposed on the person directly in charge and other directly liable persons. Where any of the above illegal acts involves serious circumstances, the authorities performing duties of personal information protection at or above the provincial level shall order the party concerned to make corrections, confiscate its illegal gains, and impose a fine of not more than RMB 50 million or not more than 5% of its turnover of the previous year; they may also order it to suspend the relevant business or suspend business for rectification, and inform the relevant competent authorities to revoke the relevant business permit or business license. A fine of not less than RMB 100,000 but not more than RMB 1 million shall be imposed on the person directly in charge and other directly liable persons, and a decision may be made to prohibit those persons from acting as directors, supervisors, senior executives or persons in charge of personal information protection of relevant enterprises within a certain period of time.
The infringing party may also face a privacy lawsuit filed by the injured party.
Criminal liability may also be applicable for the illegal sale or acquisition of personal information that falls under the scope of criminal law.
In general, no one may send commercial electronic information to individuals without the consent of or the request from the recipients.
The Law on Advertising (2015 Revision) provides that no organization or individual may deliver advertisements (including electronic advertisements) to any persons without their consent or their request.
When an advertisement is sent through an electronic message, the true identity and contact information of the sender shall be clearly indicated and those to whom the advertisement is sent shall be provided with the methods for refusing to continue to receive the advertisements.
Further, sending advertisements via the internet shall not interfere with users' normal use of the internet, and if an advertisement is sent via a pop-up, the pop-up shall have an obvious close button so that users can close it with one click.
According to PIPL, information pushing and commercial marketing to an individual through automated decision-making shall be accompanied by options that do not target the individual's personal characteristics, or convenient rejection ways shall be provided to the individual.
There are also specific rules for sending advertisements by email or text message.
In general, the state is considering more comprehensive protection of personal information and stricter localization requirements for personal information and important data in draft laws such as the draft Regulations for the Administration of Network Data Security and draft Measures for the Security Assessment of Outbound Data released for public comment in 2021.
The draft Regulations for the Administration of Network Data Security are based on the CSL, DSL and PIPL as their superordinate laws. The draft consists of 75 articles in nine chapters, addressing many key points in detail, such as the secure cross-border transfer of data, the protection of personal information rights, the cybersecurity review standards for IPOs in foreign countries or Hong Kong, and the obligations of internet platform operators. This draft generally reiterates the prerequisites for the cross-border transfer of personal information stipulated in Article 38 of the PIPL and extends their application to all network data as follows: (i) the data processor has passed the data export security assessment organized by the national cyberspace administration; (ii) both the data processor and the data recipient have been certified for the protection of personal information by a professional institution accredited by the national cyberspace administration; or (iii) the data processor has entered into a contract with the data recipient outside the territory of China in accordance with the standard contract regulations established by the national cyberspace administration, setting forth the rights and obligations of both parties.
The draft Measures on Security Assessments of Data Exports set out the requirements for the "security assessment", which is an assessment that is required to be applied with the regulators, and the "risk self-assessment", which is an internal assessment carried out by data processors themselves. The draft Measures on Security Assessments of Data Exports would apply to both critical information infrastructure operators and general processors that process personal information and important data. In accordance with this draft, a data processor shall apply for a security assessment on a data export in one of the following scenarios: (i) where any personal information or important data collected and generated by a critical information infrastructure operator is transferred abroad; (ii) where the data transferred abroad contains important data; (iii) where a processor who processes the personal information of one million or more individuals transfers such personal information abroad; (iv) where the personal information of one hundred thousand or more individuals or the sensitive personal information of ten thousand or more individuals is transferred abroad; and (v) in any other circumstances under which a security assessment on a data export is required to be conducted, as required by the national cyberspace administration.