Data Protected - People's Republic of China

Last updated March 2020

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

There is currently no comprehensive legislation that focuses exclusively on the regulation of personal data protection at the national level in China, although there were moves towards national regulation with the release in December 2012 of the Resolution of the Standing Committee of the National People’s Congress relating to Strengthening the Protection of Information (the “Digital Data Protection Rule”) which contains high-level national rules relating to the protection of personal data in the digital form.

Instead, principles and rules relating to data protection are found in various laws, regulations and local provisions, including: (i) general principles relating to privacy in the Chinese Constitution, the General Rules of Civil Law and the Tort Liability Law; (ii) sector-specific provisions, such as laws and regulations relating to the credit reference, internet, financial, telecommunications, e-commerce and consumer protection sectors; (iii) legislation in connection with personal data protection at the local level, such as the Shanghai Consumer Protection Rules and the Jiangsu Information Ordinance; (iv) the Chinese Criminal Law; and (v) the Cybersecurity Law, which sets out data protection requirements for network operators (the “Cybersecurity Law”), and its implementing legislation (together, the “Personal Data Protection Regulations”).

There are also national and local guidelines on protection of personal data, such as the guidelines on protection of personal data which were issued in 2017 jointly by the General Administration of Quality Supervision, Inspection and Quarantine and the State Standardisation Administration and came into effect in May 2018 (the “Personal Data Protection Guidelines”). Although the Personal Data Protection Guidelines do not have force of law, they are considered by market participants to set out the best practice that is likely to be expected by Chinese regulators.

Additional restrictions on publishing personal information on the internet are contained in the Provisions on Several Issues concerning the Application of the Law to Trial of Civil Dispute Cases of Infringement of Personal Rights via Information Networks issued by the Supreme People’s Court in June 2014 (the “Information Networks Provisions”). Furthermore, there is guidance on when infringement of personal data may constitute a crime under the Chinese Criminal Law in the Interpretation on Several Issues concerning the Application of the Law to Handling of Criminal Cases regarding Infringement of Citizen’s Personal Information issued by the Supreme People’s Court and the Supreme People’s Procuratorate in May 2017 (the “Personal Data Infringement Interpretation”).

Finally, in January 2019, the Ministry of Industry and Information Technology (the “MIIT”), the Cyberspace Administration of China (the “CAC”), the Ministry of Public Security and the State Administration of Market Regulation jointly announced a rectification programme targeting the misuse of personal data by operators of mobile internet applications in China (the “App Rectification Announcement”). Following the release of the App Rectification Announcement, various implementing rules have been issued.

References to China in this summary are references to the People’s Republic of China excluding Taiwan and the Hong Kong and Macau Special Administrative Regions.

Entry into force

The Personal Data Protection Regulations have varying dates on which they entered into force.

New regulations relating to the internet and telecommunications industries came into effect on 1 September 2013.

The updated Consumer Protection Law which includes new provisions on the collection and use of personal data (including by online retail platforms) came into effect on 15 March 2014.

The Cybersecurity Law and the Personal Data Infringement Interpretation became effective on 1 June 2017.

The Personal Data Protection Guidelines came into effect on 1 May 2018.

The E-commerce Law came into force on 1 January 2019.

The App Rectification Announcement came into force on 23 January 2019.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

There is no specific national regulatory authority. Instead, the competent authorities in certain industries monitor the enforcement of the Personal Data Protection Regulations in their respective areas. For instance, the MIIT and the CAC take charge of implementing the Personal Data Protection Regulations in the telecommunications and internet sectors respectively. The People’s Bank of China takes charge of implementing the Personal Data Protection Regulations relating to the credit reference and financial sectors, while the China Banking and Insurance Regulatory Commission supervises banking financial institutions and insurance agencies on operational practices, including data security.

Taking the Cybersecurity Law as a specific example, its introductory articles state that it is administered by the CAC, together with the MIIT, the Ministry of Public Security and the relevant industry regulators for their specific industries.

Notification or registration scheme and timing

There are currently no rules in force requiring the notification or registration of the collection of personal data.

However, the draft Management Measures on Data Security (the “Draft Data Management Measures”) issued by the CAC in May 2019 provide that network operators which collect important data and sensitive personal data for business operation purposes must file their personal data collection rules, and other information such as the purpose, scale, method, scope, type and term of the collection of such data, with the local CAC. Under the Draft Data Management Measures, important data is defined to include any kind of data that, if divulged, may directly affect national security, economic security, social stability or public health and security (such as large-scale population, genetic health, geography and mineral resources data), but it usually does not include information relating to the production, operation and internal management of enterprises, or personal data. More details on the filing procedure and other implementing details for the Draft Data Management Measures are awaited.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

Territorial application varies from one Personal Data Protection Regulation to another, depending on which regulation applies to a particular instance of collection and use of data. The Personal Data Protection Regulations generally do not contain express provisions on their territorial effect. However, Personal Data Protection Regulations promulgated by a provincial authority would generally only apply to entities which collect and use personal data in that province.

Further, the Cybersecurity Law provides for legal remedies against persons outside China who cause serious damage by attacking critical information infrastructure (“CII”). CII refers to infrastructure in certain important industries and sectors, such as public communication and information services, energy, transport, water conservancy, finance, public service and e-government, the failure of which could severely threaten national security, the national economy, people’s livelihood or the public interest. These rules are supplemented by draft implementing guidance issued by the CAC in August 2017, which proposes to regulate the conduct of security assessments on cross-border data transfers (the “2017 Draft Cross-Border Data Transfer Guidance”), but the guidance remains unenacted.

Is there a concept of a controller and a processor?

Any individual or institution collecting and using personal data in a province or sector to which a Personal Data Protection Regulation applies is required to comply with that Personal Data Protection Regulation.

Although the concept of a controller does not have a statutory footing in China, a controller is defined in the Personal Data Protection Guidelines to include any organisation or individual which has the power to determine the purpose, methods, etc. of processing personal data. In addition, the concept of a “delegate” under the Personal Data Protection Guidelines is similar to that of a processor, in that a delegate can be described as an individual or organisation processing personal data strictly in accordance with a controller’s requirements.

Are both manual and electronic records subject to data protection legislation?

Both manual and electronic records are subject to the Personal Data Protection Regulations.

Are there any national derogations?

In general, disclosure obligations under Chinese law override personal data protection laws. Disclosure of data may be required by government authorities and courts under different circumstances.

Some key disclosure situations include: (i) entities and individuals are under an obligation to disclose information to regulators in regulatory investigations; (ii) the courts, public security organs and procuratorates may request entities and individuals involved in legal proceedings to give access to documents and information relating to such proceedings; (iii) government-held information must be disclosed where non-disclosure would have a material adverse impact on the public interest; and (iv) the identity of dishonest debtors may be disclosed in court enforcement proceedings.

_____________________________________________________________________

Personal Data

What is personal data?

There is no uniform definition of personal data in the Personal Data Protection Regulations. The scope of personal data is defined differently amongst the various Personal Data Protection Regulations.

However, generally any information which is recorded in electronic or other form, which relates to an individual and which by itself or in combination with other information could disclose the identity of that individual or reflect the activities of that individual can be regarded as personal data (including name, identity document number, correspondence and contact information, address, account number and password, property status and whereabouts, etc.), as provided in the Personal Data Infringement Interpretation.

The Personal Data Protection Guidelines include a similar definition of personal data. In addition, this set of guidelines refers to two categories of personal data: personal data and sensitive personal data (see below).

The Information Networks Provisions contain a list of common types of personal data to which it applies, including genes, medical and health check information, criminal record, family address and private activities.

Is information about legal entities personal data?

No.

What are the rules for processing personal data?

There are no uniform rules for processing personal data though there are similarities between the various laws set out below.

Under the Digital Data Protection Rule, before collecting and processing digital personal data in the course of its business, an entity must notify the data subject of, and obtain his or her consent to: (i) the purpose for which the data will be used; (ii) the manner in which the data will be collected and used; and (iii) the scope of the data to be collected and used for the stated purpose and manner. The method of collection and use of digital personal data must also be disclosed, and the collected digital personal data must be kept confidential and must not be divulged, modified, damaged, sold or illegally provided to others.

Similar obligations arise under the various sector-specific Personal Data Protection Regulations. For example, in the banking sector, informed written consent must be obtained from a data subject before his or her personal data is provided to a processor, and such provision must be necessary for the purpose of providing a service to the data subject. In the internet and telecoms sector, companies must: (i) obtain the prior consent of the data subject before collecting and using his or her personal information; (ii) keep collected data confidential; and (iii) not divulge, misuse, alter or sell such information or provide such information to other parties illegally. The Consumer Protection Law includes similar requirements around the processing of personal data. In the credit reference sector, the written consent of a data subject is required if a third party asks a credit reference agency for the personal data of that data subject.

Under the Personal Data Protection Guidelines, the consent of a data subject is required in order to collect, use or disclose his or her personal data, except where the information has been processed such that the identity of the data subject cannot be distinguished and the information cannot be restored. That said, the Personal Data Protection Guidelines provide some exemptions which allow a controller to collect, use and disclose an individual’s personal data without obtaining his or her consent; for instance, where the collection, use and disclosure of personal data is directly related to national security, national defence security, public safety, public health or major public interests, or where it is necessary to protect important legal interests such as the life or property of the data subject or other individuals and it is difficult to obtain the data subject’s consent.

Are there any formalities to obtain consent to process personal data?

There are no uniform formalities in the Personal Data Protection Regulations. However, the Personal Data Protection Regulations relating to the credit reference sector stipulate that consent of a data subject must be in writing. The Personal Data Protection Regulations relating to the banking sector provide that the consent of a data subject must be obtained in writing if a financial institution provides the personal data of that data subject to a third party.

There are no explicit formalities for obtaining consent under the Personal Data Protection Guidelines.

Are there any special rules when processing personal data about children?

A child is a person aged 14 or under. Consent from a child in relation to the processing of his or her personal data will only be valid if authorised by a parent.

Under the Personal Data Protection Guidelines, the personal data of children is treated as sensitive personal data so the additional obligations under those guidelines applicable to sensitive personal data would apply to the processing of information relating to a data subject aged 14 years old or less. There are also special rules protecting the criminal records of juveniles under the age of 18 (see below).

Are there any special rules when processing personal data about employees?

There are no specific rules regulating the processing of personal data about employees. There are, however, restrictions relating to collection of personal data of employees. Under the Employment Contract Law, an employer is entitled to assess the basic situation of an employee related to his or her employment contract, and the employee must provide information as requested accordingly. While there is no guidance on the meaning of “the basic situation of an employee related to an employee’s employment contract”, in practice an employer may not collect an employee’s personal data which bears no relationship to his or her employment, such as his or her religious belief, details of personal property, etc.

In addition, in February 2019 nine central governmental authorities issued a circular promoting the employment of women and placing an express ban on gender discrimination during recruitment. Under this circular, an employer is not permitted to ask a female candidate during a job interview about her marital status or circumstances relating to childbirth or children. Similarly, pregnancy tests are now prohibited as part of any pre-employment medical check.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

The Personal Data Protection Regulations generally do not explicitly distinguish between personal data and sensitive personal data.

The Personal Data Protection Guidelines define sensitive personal data as personal information whose leakage, illegal provision or abuse may endanger the safety of life and property, could easily damage personal reputation or physical and mental health, or could easily lead to discriminatory treatment. Sensitive personal data includes identity card numbers, personal biometric information, bank account numbers, communication records and content, property information, credit information, location records, accommodation information, health and physiological information, and transaction information. This is broader than the categories usually treated as sensitive personal data.

Are there additional rules for processing sensitive personal data?

Generally, there are no additional rules in the Personal Data Protection Regulations. However, the regulations relating to the credit reference sector prohibit credit reference agencies from collecting certain information, such as information about religious beliefs, genes, fingerprints, blood types or medical histories of any individuals. Similarly, in the banking sector, financial institutions in China are recommended to assess the level of sensitivity of their personal financial data and observe different practices in respect of the collection and processing of each level of data to ensure adequate protection where needed.

The Personal Data Protection Guidelines state that the explicit consent of the data subject should be obtained when processing sensitive personal data. In addition, under the Personal Data Protection Guidelines a controller’s obligations when processing sensitive personal data vary depending on whether the processing relates to a core or a supplemental business function of the product or service it provides. For a core business function, the controller must explain the core business function to the data subject and what sensitive personal data will be collected, and must permit the data subject to withhold his or her sensitive personal data, or his or her consent to its being automatically collected, after being explicitly informed by the controller of the consequences of that decision. Where, on the other hand, a supplemental business function is to be provided, the controller must explain what sensitive personal data will be collected and must allow the data subject to withhold his or her sensitive personal data or his or her consent to its being automatically collected. The controller may cease providing the supplemental business function if the data subject withholds his or her data or consent to collection, but this cannot be a reason for the controller to stop providing its core business functions or to stop guaranteeing the same service quality.

Are there additional rules for processing information about criminal offences?


There are no specific rules regulating the processing of information about criminal offences.

However, there are special rules governing the criminal records of juveniles under 18 years old who commit a criminal offence and are sentenced to imprisonment for 5 years or less or receive lighter penalties: these records must be kept strictly confidential and may not be provided to any entity or individual unless such provision is required under applicable law.

In addition, any individual who has received a criminal penalty must actively report such information when enlisted or employed. Juveniles under 18 years old who commit a criminal offence, and are sentenced to imprisonment for 5 years or less or receive lighter penalties, are exempted from such reporting obligations.


Are there any formalities to obtain consent to process sensitive personal data?

There are no uniform formalities in the Personal Data Protection Regulations. However, the Personal Data Protection Regulations relating to the credit reference sector stipulate that consent of a data subject must be in writing. The Personal Data Protection Regulations relating to the banking sector provide that the consent of a data subject must be obtained in writing if a financial institution provides the personal data of that data subject to a third party.

The Personal Data Protection Guidelines specify that the explicit consent of the data subject should be obtained before processing sensitive personal data. This requires that the data subject must make an authorisation through a written statement or an affirmative action on his or her own initiative in respect of the specific processing of his or her personal information. Affirmative actions include the data subject actively ticking a box or clicking on “I consent”, “send”, “dial” or similar.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

The Personal Data Protection Regulations do not require the appointment of an officer specifically in charge of data protection. That said, the Cybersecurity Law requires network operators to appoint a cybersecurity officer whose duties would include protecting the security of personal data.

Although it is only best practice guidance, the Personal Data Protection Guidelines suggest that a data protection officer should be appointed to supervise personal data protection processes where a controller either: (i) has a principal business that involves processing of personal data and an aggregate number of employees in excess of 200; or (ii) processes personal data of more than 500,000 individuals or expects to process personal data of more than 500,000 individuals within 12 months.

In addition, although only in draft form at this time, the Draft Data Management Measures propose that network operators which collect important data or sensitive personal data for the purpose of business operation must, as a matter of law, appoint a data protection officer.

What are the duties of a data protection officer?

Although the Cybersecurity Law does not provide for specific duties of the cybersecurity officer, it is expected that the duties of a cybersecurity officer would include protecting the security of personal data.

Under the Draft Data Management Measures, if enacted in their current form, the data protection officer should have management work experience and professional knowledge of data security to allow him or her to work with senior management, formulate data protection plans, organise risk assessments, handle and report security incidents, and deal with complaints from data subjects.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

The Cybersecurity Law imposes a general obligation on network operators to formulate internal security management systems and operating procedures.

In addition, CII operators are required to provide regular cybersecurity education sessions, technical training and carry out regular skills assessments on relevant staff. There is, however, no specific accountability obligation in respect of data protection only.

Are privacy impact assessments mandatory?

Under the Cybersecurity Law, a CII operator must conduct a security assessment before transferring overseas any personal data and important data collected and generated during its operations in China.

In addition, a CII operator must conduct an examination and assessment of its cybersecurity systems and related risks (not just in respect of data protection) at least once each year. The results of this assessment must be submitted to the relevant regulators.

See also below in respect of the restrictions on transfers to third countries.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

There are no uniform rules about providing privacy notices to data subjects in the Personal Data Protection Regulations. However, in the banking sector, informed consent must be obtained from a data subject before his or her personal data is provided to a processor. More generally under the Cybersecurity Law, when network operators collect personal data, they must clearly state the purpose, means and scope of their data collection to data subjects at the time of collection and cannot collect unnecessary personal data or use the personal data for a purpose other than the stated purpose. The Consumer Protection Law imposes similar requirements that businesses must provide consumers with information about the purpose, means and scope of their data collection.

The Personal Data Protection Guidelines provide more detailed guidance on privacy notices, including recommendations as to the content to be included. Indeed, the Draft Data Management Measures take these recommendations a step further by proposing that all network operators that collect personal information via cyber tools, such as websites or mobile applications, must formulate and publish personal information collection rules (which would typically be a privacy policy) in a specific, reader-friendly and readily-accessible manner.

Finally, in March 2019, in connection with the App Rectification Announcement, a special working group commissioned by the CAC, MIIT, Ministry of Public Security and State Administration of Market Regulation published more detailed guidance on privacy notices as part of their guidelines for self-assessment of the illegal collection and use of personal data by mobile application operators (the “App Self-Assessment Guidelines”).

Rights to access information

There are no uniform rules about access to personal data in the Personal Data Protection Regulations. However, in the credit reference sector, a data subject is entitled to ask a credit reference agency to provide his or her own personal data, and has a right to acquire his or her own credit report from the credit reference agency for free twice a year.

Under the Personal Data Protection Guidelines, it is recommended that data subjects have a right, by making a written request to the controller, to access copies of their personal data. The initial request is free, though a charge can be made for subsequent requests. The response must be provided within 30 days or such other time limit prescribed by law, although the Personal Data Protection Guidelines do contain a range of exemptions to the obligation to respond to these access requests.

Rights to data portability

There is no specific data portability right under Chinese law. However, as a matter of best practice under the Personal Data Protection Guidelines, a data subject may make a request to have his or her personal data transferred to a third party where technically feasible to do so.

Right to be forgotten

Under the Digital Data Protection Rule and certain of the Personal Data Protection Regulations relating to internet service providers, a data subject may request the person or institution in charge of the processing to rectify, block or delete personal data.

Under the Cybersecurity Law, a data subject may request a network operator to delete his or her personal data where it is collected or used in violation of law, regulation or agreements with him or her. The Personal Data Protection Guidelines grant similar rights to data subjects.

In addition, under the Chinese Tort Liability Law, where an internet user engages in tortious conduct through internet services, the affected data subject has the right to notify the internet service provider to take necessary action, such as deleting or blocking content or breaking links. Where the internet service provider fails to take necessary action in a timely manner after being notified, it will be jointly and severally liable with the internet user for the additional damage suffered by the affected data subject as a result of that failure.

Objection to direct marketing

There are no uniform rules about direct marketing. However, under the Personal Data Protection Regulations applying to the telecoms and internet sectors, personal data may only be used for the purposes of direct marketing of goods or services with the consent of the data subject. Under the Personal Data Protection Regulations relating to the banking sector, a banking financial institution may not use personal data for marketing purposes other than for those marketing purposes for which the data was collected. The Consumer Protection Law similarly prohibits businesses from sending commercial information to consumers without their consent.

Other rights

None.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

There are general obligations under the Digital Data Protection Rule to maintain digital personal data securely and to take remedial measures immediately in the event that the digital personal data has been or is likely to be divulged, damaged or lost. Likewise, under the Cybersecurity Law, network operators are required to establish a user information protection system and adopt measures to prevent the leak, destruction or loss of collected personal data.

Some sector-specific regulations (particularly in the credit reference, banking, telecoms and internet sectors) impose general obligations to maintain personal data securely.

The Personal Data Protection Guidelines state that organisations should have in place necessary and sufficient administrative and technical measures to ensure the safety of personal data.

Specific rules governing processing by third party agents (processors)

There are no uniform rules about processing of personal data by processors. However, the Personal Data Protection Regulations relating to the banking sector require banks and financial institutions to properly evaluate their outsourced service providers and ensure that such providers adequately protect personal data that may be disclosed to them.

The Personal Data Protection Guidelines provide similar requirements, although they use the concept of “delegate” which is similar to processor (see above). A delegate should process personal data strictly in accordance with a controller’s requirements.

Notice of breach laws

While there are no uniform rules requiring entities to notify any particular agency or person if there has been a breach of privacy, generally, the Cybersecurity Law requires network operators to promptly notify users and report to the relevant authorities where a leak, destruction or loss of personal data in digital form occurs or may occur. The Personal Data Protection Guidelines provide recommendations on the steps to be taken in such circumstances.

In the banking sector, where divulgence of any personal financial data occurs in breach of the banking regulations, the banking financial institution must promptly inform the People’s Bank of China.

Telecoms companies and internet service providers must notify the MIIT of any actual or potential divulgence or loss of or damage to personal data.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

There are no uniform rules about cross-border transfers of personal data in the Personal Data Protection Regulations. However, the Personal Data Protection Regulations that relate to the banking sector stipulate that personal financial information collected within China must be processed inside China. Offshore entities may not be provided with such information unless explicitly permitted by another law or regulation. The Personal Data Protection Regulations relating to the credit reference sector impose similar restrictions.

In addition, the Cybersecurity Law requires that personal data and important data collected or generated by a CII operator during its operation within China must be stored in China. Any such data that a CII operator needs to provide overseas must undergo a prior security assessment. The 2017 Draft Cross-Border Data Transfer Guidance and the draft Measures for the Cross-Border Transfer Security Assessment of Personal Data and Important Data issued by CAC in 2017 (the “2017 Draft Cross-Border Data Transfer Measures”) also provide further guidance on how the security assessment is to be carried out. Whether the relevant data may be transferred overseas would depend on the results of such security assessment.

Cross-border transfers of personal data by a network operator will be prohibited in certain circumstances under the draft Measures on Security Assessment of Cross-border Transfer of Personal Data issued by CAC in June 2019 (the “2019 Draft Assessment Measures”), including situations where the results of the security assessment indicate that the proposed cross-border transfer may impact China’s national security, endanger public interest or the relevant network operator could not effectively protect personal information. It, however, remains to be seen whether the above measures and guidance will be implemented in the current draft forms. Although the 2017 Draft Cross-Border Data Transfer Measures have not been explicitly withdrawn in the text of the 2019 Draft Assessment Measures, it is at least presumed – given the cross-over of content – that the 2017 Draft Cross-Border Data Transfer Measures are superseded by the 2019 Draft Assessment Measures.

Notification and approval of national regulator (including notification of use of Model Contracts)

There are no uniform rules requiring that cross-border transfers of personal data are notified to or approved by any regulator.

However, the 2017 Draft Cross-Border Data Transfer Measures and the 2017 Draft Cross-Border Data Transfer Guidance provide that, under certain circumstances, the required security assessments may need to be approved by the relevant industry regulator. The 2019 Draft Assessment Measures further propose that all cross-border personal data transfers (whether by network operators or CII operators) will require approval by the CAC. It, however, remains to be seen whether the above measures and guidance will be implemented in the current draft forms.

Use of binding corporate rules

There are no rules relating to the use of binding corporate rules.

_____________________________________________________________________

Enforcement

Fines

Sanctions for contravention of the Personal Data Protection Regulations will depend on the Personal Data Protection Regulation that has been contravened and the nature of that contravention. Sanctions may include fines which are generally up to RMB 30,000, although certain regulations apply higher penalties. For instance, sanctions for non-compliance with the personal data protection requirements under the Cybersecurity Law include fines of up to RMB 100,000 for directly responsible personnel and, for the relevant entity, up to ten times the profits arising from the violation or RMB 1,000,000 (if no profit arises from the violation).

Imprisonment

Under the Chinese Criminal Law, any individual may be imprisoned for up to seven years for: (i) illegally selling or providing personal data to others; or (ii) stealing or otherwise illegally accessing personal data, if in either case the relevant circumstances are severe.

Compensation

Under the Information Networks Provisions, it is an infringement for internet users or internet service providers to publish personal information on the internet, unless the publishing falls within an exception under these provisions (e.g. the information is made public after the written consent of the data subject and within the agreed scope).

Data subjects have a right to claim compensation for damages if a data collector infringes their civil rights, which under the laws of China includes a right of privacy. Under the Information Networks Provisions, if the property losses incurred by the data subject or the benefits obtained by the infringing person cannot be determined, the people's court may determine a compensation amount below RMB 500,000 according to details of the case. However, in practice, we are only aware of rare cases in which a data subject has received any such compensation.

Other powers

Sanctions for contravention of the Personal Data Protection Regulations will depend on the Personal Data Protection Regulation that has been contravened and the nature of that contravention. Sanctions may include administrative sanctions, such as a warning, fines, confiscation of profit arising from the violation, suspension or revocation of operating licences and website shutdown.

Practice

Fines: Based on publicly disclosed sanctions since the Cybersecurity Law took effect, companies in violation of the Personal Data Protection Regulations have generally been subject to fines of up to RMB 100,000. Foreign-invested enterprises are not exempt from such fines, although most enforcement has focussed on domestic enterprises. In addition, directly responsible personnel such as the legal representatives of the companies have tended to be subject to fines of up to RMB 20,000.

Other enforcement action: The number of administrative and criminal cases relating to the violation of the Personal Data Protection Regulations has increased in recent years. There have been some cases of individuals being imprisoned for selling personal data in violation of the Chinese Criminal Law provision outlined above.

There have been several reports of increased enforcement activity since 2013 and the Supreme People’s Court and the Supreme People’s Procuratorate have published several exemplar criminal cases in respect of infringement of personal data. Most of these reports and cases relate to alleged criminal misuse and unauthorised disclosure of large amounts of personal data by individual employees of companies or government authorities and e-commerce operators for the purpose of financial gain, rather than action taken against companies for data protection or security breaches.

Public censure by national and local authorities in China has become more common since the Cybersecurity Law took effect, with the MIIT, in particular, publishing quarterly lists of enterprises in violation of the Personal Data Protection Regulations.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

The principal regulation on ePrivacy is the Resolution of the Standing Committee of the National People’s Congress relating to Strengthening the Protection of Information on the internet which was issued at the end of 2012. This is the first general law relating to ePrivacy. Some of the other Personal Data Protection Regulations issued by China’s other competent regulatory authorities (such as the MIIT) also include provisions that relate to electronic privacy, for example, the Measures for the Administration of Internet E-mail Services (promulgated in early 2006) include rules relating to marketing by e-mail as does the Consumer Protection Law (collectively, the “Electronic Privacy Regulations”).

_____________________________________________________________________

Cookies

Conditions for use of cookies

There are no specific requirements or conditions relating to the use of cookies under the Electronic Privacy Regulations.

Regulatory guidance on the use of cookies

The App Self-Assessment Guidelines provide that, where cookies (and other similar techniques) are used for collecting personal data, app users should be explicitly informed about the purpose and method of collection and the scope of personal data to be collected.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

The Electronic Privacy Regulations stipulate that no individual or institution may send commercial electronic information by e-mail: (i) without first obtaining the receiver’s consent or request; (ii) if the receiver explicitly refuses to receive such information; or (iii) unless the sender includes in the subject heading of the e-mail the words “advertisement” or “AD” (or the equivalent in Chinese as prescribed by the regulations). Furthermore, when sending commercial advertisements by e-mail, a sender must provide recipients with its contact information so that recipients are able to ‘opt out’ or ‘unsubscribe’. The Electronic Privacy Regulations do not provide for any formalities that senders must follow when soliciting consent.

Other Personal Data Protection Regulations include provisions relating to direct marketing irrespective of the means of communication used. For example, under the Personal Data Protection Regulations relating to the banking sector, a banking financial institution may not use personal data for marketing purposes other than for those marketing purposes for which the data was collected.

Conditions for direct marketing by e-mail to corporate subscribers

The Electronic Privacy Regulations, in respect of direct marketing, only apply to individuals and not corporate subscribers.

Exemptions and other issues

It is illegal to send advertising text messages to mobile phones prior to obtaining a licence from the MIIT. Otherwise the Electronic Privacy Regulations do not include any more detailed rules except for the general requirements set out above.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

The Electronic Privacy Regulations stipulate that no individual or institution may send commercial electronic information through fixed line telephones or mobile phones: (i) without first obtaining the receiver’s consent or request; or (ii) if the receiver explicitly refuses to receive such information. However, the Electronic Privacy Regulations do not provide for any formalities that senders must follow when soliciting consent, or any mechanism for receivers to ‘opt out’ or ‘unsubscribe’. In addition, it is illegal to send advertising text messages to mobile phones prior to obtaining a licence from the MIIT.

Other Personal Data Protection Regulations include provisions relating to direct marketing irrespective of the means of communication used. For example, under the Personal Data Protection Regulations relating to the banking sector, a banking financial institution may not use personal data for marketing purposes other than for those marketing purposes for which the data was collected.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The Electronic Privacy Regulations, in respect of direct marketing, only apply to individuals and not corporate subscribers.

Exemptions and other issues

The Electronic Privacy Regulations do not include any more detailed rules except for the general requirements set out above.

_____________________________________________________________________