JunHe LLP

 

What law(s) specifically govern personal data / information?

The Personal Information Protection Law of the People’s Republic of China (“PIPL”), which came into effect on November 1, 2021, is the first comprehensive law that specifically addresses the protection of personal information.

In addition, provisions governing personal information protection are also found in other laws. For example, the Cybersecurity Law of the PRC (“CSL”), which came into effect on June 1, 2017, provides the rules for personal information protection in Chapter IV; the Data Security Law of the PRC (“DSL”), which came into effect on September 1, 2021, requires data processors to fulfill data security protection duties in Chapter IV; the Civil Code of the People’s Republic of China, which came into effect on January 1, 2021, expressly provides for the right of privacy and personal information protection in Chapter VI of Part IV (Personality Rights); and the Ninth Amendment to the Criminal Law (promulgated on August 29, 2015) provides that all parties who sell or provide personal information to a third party in violation of the law are subject to criminal liability, and that parties who sell or provide personal information obtained in the performance of their duties or provision of services, in violation of the law, are subject to heavier punishment. Some standards and guidelines issued by the National Information Security Standardization Technical Committee (“TC260”), such as Information Security Technology - Personal Information Security Specification, also serve as recommended guidelines for enterprise data compliance, although they are not mandatory.

Apart from the above laws and guidelines, some laws and regulations that have recently come into force or are still pending legislation are also worth noting, as they regulate the processing of personal information in specific scenarios. For example, the Measures for Security Assessment of Data Export and the draft Regulations on Standard Contract for Personal Information Export further clarify the main routes for cross-border data transfer based on the general requirements of the PIPL, and the Provisions on the Administration of Algorithm-generated Recommendations for Internet Information Services, which came into effect on March 1, 2022, provide specific rules on personal information protection in the context of algorithm-generated recommendations.

 

What are the key data protection principles in this jurisdiction?

Articles 5 to 9 of the PIPL stipulate six principles for personal information protection. These principles serve as general guidelines throughout personal information processing activities and are as follows:

  • Lawfulness, Justification, Necessity and Good Faith. Personal information shall be processed in accordance with the principles of lawfulness, justification, necessity, and good faith, and not in any manner that is misleading, fraudulent, or coercive. This principle, as the primary principle stipulated by the PIPL, is a prerequisite for the implementation of the processing activities by personal information processors.
  • Specification and Relevancy. Processing must be conducted for a specified and reasonable purpose and must be directly relevant to that purpose. This principle sets forth the criteria for evaluating the purpose of processing, limiting processing activities to those that are “directly relevant to the purpose of processing”.
  • Minimum Extent. Firstly, processing activities shall have the least impact on the rights and interests of individuals; secondly, the collection of personal information must be limited to the minimum scope necessary for achieving the purpose of processing and must not be excessive.
  • Openness and Transparency. Processing must be conducted in accordance with the principles of openness and transparency by disclosing the rules of personal information processing and the purposes, methods, and scope of processing. The principle of openness and transparency protects the right of personal information subjects to be informed and to give consent, and is a prerequisite for personal information processors to fulfill the obligation of informed consent.
  • Completeness and Accuracy. Personal information processors must ensure the quality of personal information processed, to avoid any negative impact on personal rights and interests due to the inaccuracy or incompleteness of the personal information processed.
  • Security Protection. Personal information processors shall be directly responsible for their personal information processing activities, and shall take necessary measures to ensure the security of the personal information processed.

In addition to personal information, PRC law also provides processing requirements for general data, with enhanced protection for important data. Accordingly, the CSL and the DSL set out general principles for data protection. According to Article 8 of the DSL, data processors shall observe laws and regulations, respect social morality and ethics, observe business and professional ethics, uphold honesty and trustworthiness, fulfill data security protection obligations, and undertake social responsibilities; and shall not endanger national security and public interests, nor harm the lawful rights and interests of individuals and organizations.

 

What is the supervisory authority / regulator in charge of data protection?

There is no single specific authority or regulator in China that has responsibility for the supervision of compliance with data protection related laws. In the field of personal information protection, Chapter VI of the PIPL specifies the competent authorities performing personal information protection duties and builds a regulatory structure to govern personal information protection as follows: (1) the national cyberspace department coordinates and arranges the personal information protection; (2) the competent authorities under the State Council govern, supervise and administer the personal information protection within the scope of their duties respectively; and (3) the competent authorities under the local people’s government above county level shall perform the duties to govern, supervise and administer the personal information protection as determined in accordance with the applicable laws and regulations. The foregoing authorities are collectively referred to as “departments with personal information protection duties”.

In practice, apart from the departments with personal information protection duties, the public security authorities and the market regulation authorities are also in charge of practical enforcement and administrative penalties relating to infringement of personal information. The public security authorities also have the authority to investigate criminal offenses relating to infringement of personal information.

Sector-specific regulators are responsible for compliance supervision in their respective industries. According to Article 6 of the DSL, the competent departments for industry, telecommunications, transportation, finance, natural resources, health, education, science and technology, and other relevant competent departments shall assume responsibility for supervising and regulating data security in their respective sectors.

 

Is there a requirement to register with a supervisory authority / regulator?

There is no specific requirement for a personal information processor to register with the supervisory authority. However, it is worth noting that the PIPL provides certain filing requirements with the supervisory authority:

  • A personal information processor is required to designate a person in charge of personal information protection if the personal information it processes reaches the amount prescribed by the national cyberspace department, and the name, contact information and other information of the person in charge of personal information protection shall be submitted to the departments with personal information protection duties.
  • Personal information processors outside the territory of the People’s Republic of China subject to extraterritorial effect of the PIPL shall submit the names, contact information, and other information of the specialized agencies and representatives set up within the People’s Republic of China to be responsible for handling personal information protection related matters to the departments with personal information protection duties.

Apart from the above filing requirements, certain specific services or activities must also be filed with the relevant authorities. For example, an algorithm recommendation service provider with public opinion attributes or social mobilization capability shall submit the relevant information through the Internet Information Service Algorithm Filing System to complete the filing formalities.

 

Is there a requirement to notify the supervisory authority / regulator?

The PIPL requires the personal information processor to notify the supervisory authority in the event of a suspected or actual data breach. According to Article 57(1) of the PIPL, a personal information processor must immediately take remedial measures and notify the affected individuals and the departments with personal information protection duties when leakage, tampering or loss of personal information occurs or may occur. The PIPL requires the following specific content to be included in the notification:

  • the types of personal information affected;
  • the cause of, and possible harm that may result from, the breach;
  • any remedial measures taken by the personal information processor and measures individuals can adopt to mitigate harm; and
  • the contact information of the personal information processor.

In addition, according to Article 57(2) of the PIPL, if the measures taken by a personal information processor can effectively mitigate the harm caused by the data breach, the personal information processor is not required to notify the affected individuals, unless the regulator determines otherwise.

Similar requirements are stipulated in the CSL, the DSL and other regulations issued by competent authorities, which require notification of the authority / regulator in the event of data security incidents or cybersecurity incidents. In addition, there are specific notification requirements in certain industries.

 

Is it possible to register with / notify the supervisory authority / regulator online?

There is not yet a uniform online system under the PIPL for personal information processors to register with or notify the supervisory authorities in China.

However, for special matters or special entities, there are online platforms for filing or notification, such as the Internet Information Service Algorithm Filing System, which is used for filings by algorithm recommendation service providers.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Chapter IV of the PIPL is the main source of data subject rights. Key data subject rights include:

  • Right to know and decide on the processing of their personal information.
  • Right to restrict or refuse the processing of their personal information by others.
  • Right to access and duplicate their personal information from personal information processors.
  • Right to request the transfer of personal information to their designated personal information processors, if the conditions specified by the national cyberspace authority are met.
  • Right to request personal information processors to rectify or supplement relevant information.
  • Right to request personal information processors to delete their personal information under any of the following circumstances: (1) the purpose of processing has been achieved, is impossible to achieve, or the personal information is no longer necessary to achieve the purpose of processing; (2) personal information processors cease the provision of products or services, or the retention period has expired; (3) the individuals withdraw consent; (4) where personal information processors have processed personal information in violation of laws, administrative regulations, or agreements; or (5) other circumstances provided by laws or administrative regulations.
  • Right to request personal information processors to explain their personal information processing rules.
  • Right to withdraw consent.
  • Right to refuse automated decision-making. Information push and commercial marketing to individuals based on automated decision-making shall be accompanied by options not specific to their personal characteristics or by convenient means for individuals to refuse; where a decision that has a major impact on an individual’s rights and interests is made by means of automated decision-making, the individual shall have the right to request an explanation from the personal information processor and to refuse decisions made by the personal information processor solely by means of automated decision-making.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Article 52 of the PIPL requires that a personal information processor that processes the personal information reaching the threshold amount specified by the national cyberspace department shall appoint a person in charge of personal information protection. The person appointed shall be responsible for overseeing personal information processing activities as well as the protection measures taken, among others.

By reference to the Information Security Technology - Personal Information Security Specification, a national standard issued before the PIPL, an organization that meets any of the following conditions shall set up a full-time post and a department dedicated to personal information security work: (1) its main business involves the processing of personal information and it has more than 200 employees; (2) it processes, or is estimated to process, the personal information of more than 1,000,000 individuals; or (3) it processes the sensitive personal information of more than 100,000 individuals.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Article 55 of the PIPL sets out the circumstances in which a personal information protection impact assessment is required. Personal information processors shall conduct the personal information protection impact assessment in advance, and record the processing, in the following circumstances:

  • Processing sensitive personal information.
  • Using personal information to conduct automated decision-making.
  • Entrusting personal information processing to another party, providing personal information for another party, or publicizing personal information.
  • Providing personal information for any party outside the territory of the People’s Republic of China.
  • Other personal information processing activities which have major impacts on individuals’ rights and interests.

The personal information protection impact assessment shall include the following contents:

  • whether the purposes and means of personal information processing are legitimate, justified and necessary;
  • the impact on individuals’ rights and interests, and security risks; and
  • whether the protection measures taken are legitimate, effective, and compatible with the degree of risks.

The report of the personal information protection impact assessment and the processing record shall be retained for at least three years.

 

Does this jurisdiction have any specific data breach notification requirements?

As mentioned above in the reply to question 5, Article 57(1) of the PIPL provides that a personal information processor shall immediately take remedial measures, and notify departments with personal information protection duties and the relevant individuals when leakage, tampering or loss of personal information occurs or may occur. The notice shall include the following matters:

  • the categories of personal information that is or may be leaked, tampered with or lost, and the causes and possible harm of the leakage, tampering or loss of the personal information;
  • remedial measures taken by the personal information processor and measures the individuals can take to mitigate the harm; and
  • the contact information of the personal information processor.

Furthermore, Article 57(2) of the PIPL also states that the departments with personal information protection duties shall have the right to require the personal information processor to notify individuals when it considers that harm may be caused.

 

What restrictions apply to the international transfer of personal data / information?

The PIPL provides three mechanisms for transferring personal information out of China; a personal information processor may transfer personal information out of China by satisfying one of the following three routes:

  • passing a security assessment administered by the national cyberspace department in accordance with Article 40 of the PIPL.
    • According to the Measures for Security Assessment of Data Export, effective since September 1, 2022, if a data processor triggers any of the following thresholds, it needs to apply for a security assessment of its cross-border transfer of personal information: (1) it is an operator of critical information infrastructure or it processes the personal information of more than one million individuals in total; (2) it has exported the personal information of more than 100,000 persons in aggregate, or the sensitive personal information of more than 10,000 persons in aggregate, since January 1 of the previous year; or (3) other circumstances subject to a security assessment as required by the national cyberspace department.
  • obtaining a personal information protection certification from the relevant specialized institutions according to the provisions issued by the national cyberspace department.
    • On December 16, 2022, TC260 released the Practical Guidelines for Cybersecurity Standards - Security Certification Specification for Cross-border Processing Activities of Personal Information (V2.0) (“Security Certification Specification”), which sets out basic requirements for certification agencies to carry out personal information protection certification for cross-border processing activities of personal information.
  • concluding a contract stipulating both parties’ rights and obligations with the overseas recipient in accordance with the standard contract formulated by the national cyberspace department.
    • On June 30, the CAC released the draft Regulations on Standard Contract for Personal Information Export (“Draft Regulations”). It incorporates a template for the Standard Contract for Personal Information Export (“Standard Contract”) and was available for public consultation until July 29, 2022. The personal information processor is required to file the executed Standard Contract, along with a personal information protection assessment report, with the local provincial-level cyberspace authority within 10 working days of the Standard Contract taking effect.

For transfers of personal information to third parties outside the territory of China, the PIPL also requires that personal information processors shall inform individuals of the following matters:

  • the name and contact information of the overseas data recipients;
  • the purposes and methods of data processing;
  • the types of personal information to be transferred; and
  • the methods and procedures for individuals’ exercise of the rights provided in the PIPL against the overseas recipient, and other matters.

Personal information processors must also obtain separate consent from individuals for the cross-border transfer of their personal information where the processing relies on consent rather than another legal basis.

According to Article 55 of the PIPL, the personal information processor should conduct a personal information protection impact assessment on the provision of personal information to an overseas recipient in advance, and keep a record of the processing.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

The PIPL does have extraterritorial application in certain cases. According to Article 3(2) of the PIPL, the PIPL applies to processing activities outside of China relating to the personal information of individuals in China if the purpose of the processing is to:

  • offer goods or services to individuals in China; or
  • monitor and evaluate the activities of individuals in China.

Furthermore, the PIPL also requires the above-mentioned personal information processors outside the territory of China to establish special institutions or designate representatives within the territory of China to handle affairs relating to personal information protection, and to submit the names of the relevant institutions, or the names and contact information of the representatives, to the relevant supervisory authorities.

 

What rules specifically deal with marketing?

According to Article 43 of the Advertising Law of the People’s Republic of China (“Advertising Law”), as revised in 2021, organizations or individuals may distribute advertisements via electronic means only with the consent of the recipients. Advertisements distributed via electronic means shall state the true identity and contact details of the sender and the method by which recipients can refuse future advertisements. Furthermore, Article 44 requires that advertisements posted on the Internet shall not affect users’ normal use of the network. Advertisements published as pop-up windows on the Internet shall display a close button prominently and ensure that the window can be closed with one click.

Article 24(2) of the PIPL requires that information push and commercial marketing to individuals based on automated decision-making shall be simultaneously accompanied by options not specific to their personal characteristics or with convenient means for individuals to refuse.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

There are no different rules for business-to-business and business-to-consumer marketing.

 

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

There are several laws and regulations dealing with electronic marketing (by email, text message, online ads etc.), for example:

  • The Measures for the Administration of Internet E-mail Services, effective from March 30, 2006.
  • The Administrative Provisions on Short Message Services, effective from June 30, 2015.
  • The Administrative Provisions on Internet Pop-up Window Information Push Services, effective from September 30, 2022.
  • As mentioned in the reply to Question 13, Article 24(2) of the PIPL requires that information push and commercial marketing to individuals based on automated decision-making shall be accompanied by options not specific to their personal characteristics or by convenient means for individuals to refuse.

 

What rules specifically deal with cookies?

China has no specific rules on cookies. By reference to App-related guidelines, including the Guide to Self-evaluation of Collection and Use of Personal Information by Mobile Internet Applications (Apps) issued in July 2020 and the Practical Guide to Cybersecurity Standards: Frequently Asked Questions and Handling Guidelines for Personal Information Protection of Mobile Internet Applications (Apps) issued in September 2020, when using cookies and similar technologies (including scripts, clickstreams, web beacons, Flash cookies, embedded web links, etc.) to collect personal information, the App operator should briefly explain the relevant mechanisms, as well as the purpose and types of personal information collected. In addition, such guidelines also prohibit the collection of personal information by using cookies and similar technologies, or by enabling permissions, interfaces, etc., without the individual’s prior consent.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

Personal information processors who violate the PIPL with respect to their processing of personal information may be subject to penalties including:

  • warnings;
  • an order to correct the alleged violations;
  • the disgorgement of profits;
  • the provisional suspension or termination of the electronic applications or relevant business found to be in violation of the PIPL;
  • fines:
    • Entities that refuse to correct the alleged violations may be subject to a fine of not more than RMB 1 million, and responsible personnel may be subject to fines between RMB 10,000 and RMB 100,000.
    • In the event of serious violations of the PIPL, entities may be subject to fines of up to RMB 50 million, or 5% of annual revenue. Further, individuals directly responsible for serious violations of the PIPL may be fined between RMB 100,000 and RMB 1 million.
  • prohibition of persons in charge:
    • In the event of serious violations of the PIPL, individuals directly responsible may be prohibited from holding certain positions, including director, supervisor, senior manager or data protection officer, for a certain period of time. In addition, violations of the PIPL may be recorded in the credit archives and published in accordance with the provisions of the relevant laws and regulations.

In addition, the PIPL also provides for civil and criminal liability:

  • the personal information processor shall assume liability for damages and other tort liability if it cannot prove that it is not at fault;
  • if the violation constitutes a crime, the violator shall be held criminally liable in accordance with the law; and
  • if the personal information processor violates the provisions of the PIPL and infringes the rights and interests of many individuals, the People’s Procuratorate, a consumer organization provided for by law, or an organization determined by the national cyberspace department may file a lawsuit with the People’s Court in accordance with the law.

Legal liabilities under other laws and regulations, such as consumer rights protection law and advertising law, may also apply depending on the specific circumstances of the violation.

 

In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?

Multinational organizations located outside China are advised to be aware of the following aspects when processing personal information of individuals in China:

  • Assess whether it is subject to the extraterritorial jurisdiction of the PIPL. It is advisable for the multinational organization to assess whether it processes the personal information of natural persons located within China for the purpose of providing products or services to individuals within the PRC, or of analyzing or assessing the conduct of individuals within the PRC, in order to determine which entities are subject to compliance requirements under the PIPL.
  • If extraterritorial applicability of the PIPL is triggered, the multinational organization should pay attention to its specific obligations under the PIPL, including but not limited to setting up specialized agencies or designating representatives within the territory of the PRC to be responsible for handling personal information protection related matters, submitting the names, contact information, and other information of the agencies and representatives to the departments with personal information protection duties, and passing the cross-border data transfer security assessment if the relevant threshold is triggered.
  • Keep monitoring legislative developments on data localization and cross-border data transfer requirements. Currently, how data localization requirements would apply to entities located outside China is subject to further interpretation, so multinational organizations are advised to keep following any further regulatory interpretation, especially where the multinational organization meets the criteria for the security assessment of data export.
  • Consider localized adjustments to group policies. Though the scope of personal information protection laws in China may be similar to data protection laws in other jurisdictions (especially the GDPR), China also has certain special rules and requirements. Therefore, the internal policies of multinational organizations may need to be reviewed and updated to adapt to local law requirements.

 

What upcoming data protection developments should multinational organisations be aware of?

Compliance assessment of cross-border data transfer

Multinational organizations need to be aware of the new assessment requirements in the context of cross-border data transfer. It is advisable to inform individuals of the relevant matters, obtain the separate consent of individuals, and conduct a prior personal information protection impact assessment and a prior self-assessment of the risk of data export. Furthermore, entities also need to take effective measures, such as contractual agreements, to ensure that overseas recipients use the data in accordance with the requirements of the relevant Chinese laws and fulfill data security protection obligations.

Personal Information Protection Impact Assessment

The personal information protection impact assessment will be an important mechanism for the protection of personal information in the future. Personal information processors need to conduct a personal information protection impact assessment in at least the following scenarios: processing sensitive personal information, using personal information for automated decision-making, entrusting the processing of personal information to another party, providing personal information to other data processors, and cross-border transfer of data to offshore recipients.

Adequate models of internal governance and legitimate channels for the exercise of individual rights

Currently, companies in the Chinese market are continuously improving the channels through which data subjects exercise their rights over personal information, especially in the field of Apps, and refining their internal governance rules. Hence, more attention will need to be paid to this area.

Detailed standards and guidelines in personal information protection

In order to improve the experience of end users on the Internet, the CAC, MIIT and other relevant supervisory regulators have placed increasing emphasis on the regulation of Apps, SDKs and other services provided by third parties. Multinational organizations need to pay close attention to these regulatory activities and take compliance measures in a timely manner.

Regulation of artificial intelligence, algorithms, new technologies and new applications

The CAC is coordinating with the relevant competent authorities to promote personal information protection work, including but not limited to formulating specialized rules and standards for personal information protection for new technologies and applications such as facial recognition and artificial intelligence. Supervision of artificial intelligence, algorithms, new technologies and new applications is a new trend in China, and the PRC authorities are paying more attention to how personal information and data security are protected in new technologies and applications. Multinationals providing products or services involving the above-mentioned new technologies or applications should closely monitor the progress of new regulations in China.

 

DONG, Xiao (Marissa)
JunHe LLP
China