Data Protected - People's Republic of China

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

There is currently no comprehensive legislation at the national level in China that focuses exclusively on the protection of personal data, although there were moves towards national regulation with the release in December 2012 of the Resolution of the Standing Committee of the National People’s Congress relating to Strengthening the Protection of Information on the Internet (the “Digital Data Protection Rule”), which contains high-level national rules relating to the protection of personal data in digital form.

Instead, there are principles and rules relating to data protection that can be found in various laws, regulations and local provisions, including: (i) general principles relating to privacy in the Chinese Constitution, the General Rules of Civil Law and the Tort Liability Law; (ii) sector-specific provisions, such as laws and regulations relating to the credit reference, Internet, financial, telecommunications, and consumer protection sectors; (iii) legislation in connection with personal data protection at the local level, such as the Shanghai Consumer Protection Rules and the Jiangsu Information Ordinance; (iv) the Chinese Criminal Law; and (v) the Cybersecurity Law which sets out data protection requirements for network operators (the “Cybersecurity Law”) (together, the “Personal Data Protection Regulations”).

There are also national guidelines on personal data (the “Personal Data Protection Guidelines”) issued in 2013 by the General Administration of Quality Supervision, Inspection and Quarantine. The Personal Data Protection Guidelines are not mandatory regulations or rules but rather are non-binding technical guidelines relating to the collection, use and disclosure of personal data by organisations (other than governmental authorities) through information systems.

Additional restrictions on publishing personal information on the internet are contained in the Provisions on Several Issues concerning the Application of the Law to Trial of Civil Dispute Cases of Infringement of Personal Rights via Information Networks issued by the Supreme People’s Court in June 2014 (the “Information Networks Provisions”).

Finally there is guidance on when infringement of personal data may constitute a crime under the Chinese Criminal Law in the Interpretation on Several Issues concerning the Application of the Law to Handling of Criminal Cases regarding Infringement of Citizen’s Personal Information issued by the Supreme People’s Court and the Supreme People’s Procuratorate in May 2017 (the “Personal Data Infringement Interpretation”).

References to China in this summary are references to the People’s Republic of China excluding Taiwan and the Hong Kong and Macau Special Administrative Regions.

Entry into force

The Personal Data Protection Regulations have varying dates on which they entered into force.

The Personal Data Protection Guidelines became effective on 1 February 2013.

New regulations relating to the Internet and telecommunications industries came into effect on 1 September 2013.

The updated Consumer Protection Law which includes new provisions on the collection and use of personal data (including by online retail platforms) came into effect on 15 March 2014.

The Cybersecurity Law and the Personal Data Infringement Interpretation became effective on 1 June 2017.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

There is no specific national regulatory authority. Instead, competent authorities in some industries monitor the enforcement of the Personal Data Protection Regulations in their respective areas. For example, the Ministry of Industry and Information Technology (the “MIIT”) and the Cyberspace Administration of China take charge of implementing the Personal Data Protection Regulations in the telecommunications and Internet sectors respectively while the People’s Bank of China takes charge of implementing the Personal Data Protection Regulations relating to the credit reference and financial sectors.

Notification or registration scheme and timing

There are no rules requiring the notification or registration of the collection of personal data.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The territorial application of each individual Personal Data Protection Regulation that is applicable to a particular instance of collection and use of data varies. The Personal Data Protection Regulations generally do not contain express provisions on their territorial effect. However, Personal Data Protection Regulations promulgated by a provincial authority would generally only apply to entities which collect and use personal data in that province.

Further, the Cybersecurity Law provides for legal remedies against persons outside China who cause serious damage by attacking critical information infrastructure (“CII”). CII refers to infrastructure in certain important industries and sectors such as public communication and information services, energy, transport, water conservancy, finance, public service and e-government, the failure of which could severely threaten the national security, national economy, people’s livelihood or public interests. These rules are supplemented by draft implementing guidance regulating the conduct of security assessments on cross-border data transfers (the “Draft Cross-Border Data Transfer Guidance”).

Is there a concept of a controller and a processor?

Any individual or institution collecting and using personal data in a province or sector to which a Personal Data Protection Regulation applies is required to comply with that Personal Data Protection Regulation.

The Personal Data Protection Guidelines distinguish between “administrators of personal data” and “receivers of personal data”. The former refers to the organization or institution which determines the purpose and means of the processing of personal data and which controls and processes the personal data. The latter refers to the individual, organization or institution which receives the personal data from an information system and processes such information in accordance with the will of the data subject. The concept of the “administrator of personal data” is similar to controller.

Are both manual and electronic records subject to data protection legislation?

Both manual and electronic records are subject to the Personal Data Protection Regulations.

The Personal Data Protection Guidelines only apply to the processing of the personal data through information systems.

Are there any national derogations?

In general, disclosure obligations under Chinese law override personal data protection laws. Disclosure of data may be required by government authorities and courts under different circumstances.

Some key disclosure situations include: (i) entities and individuals are under an obligation to disclose information to regulators in regulatory investigations; (ii) the courts, public security organs and procuratorates may request entities and individuals involved in legal proceedings to give access to documents and information relating to such proceedings; (iii) government-held information must be disclosed where its non-disclosure would have a material adverse impact on the public interest; and (iv) the identity of dishonest debtors may be disclosed in court enforcement proceedings.

_____________________________________________________________________

Personal Data

What is personal data?

There is no uniform definition of personal data in the Personal Data Protection Regulations. The scope of personal data is defined differently amongst the various Personal Data Protection Regulations.

However, generally any information which is recorded in electronic or other form, which relates to an individual and which by itself or in combination with other information could disclose the identity of that individual or reflect the activities of that individual can be regarded as personal data (including name, identity document number, correspondence and contact information, address, account number and password, property status and whereabouts, etc.), as provided in the Personal Data Infringement Interpretation.

The Personal Data Protection Guidelines include a similar definition of personal data. In addition, the Personal Data Protection Guidelines classify personal data into two categories: general personal data and sensitive personal data (see below).

The Information Networks Provisions contains a list of common types of personal data to which it applies, including genes, medical and health check information, criminal record, family address and private activities.

Is information about legal entities personal data?

No.

What are the rules for processing personal data?

There are no uniform rules for processing personal data though there are similarities between the various laws set out below.

Under the Digital Data Protection Rule, before collecting and processing digital personal data in the course of its business, an entity must notify the data subject of, and obtain the data subject’s consent to: (i) the purpose for which the data will be used; (ii) the manner in which the data will be collected and used; and (iii) the scope of the data to be collected and used for the stated purpose and manner. The entity must also publish its rules on the collection and use of digital personal data, and the collected digital personal data must be kept confidential and must not be divulged, modified, damaged, sold or illegally provided to others.

Similar obligations arise under the various sectoral Personal Data Protection Regulations. For example, in the banking sector, informed written consent must be obtained from a data subject before his or her personal data is provided to a processor, and such provision must be necessary for the purpose of providing a service to the data subject. In the Internet and telecoms sector, companies must: (i) obtain the prior consent of the data subject before collecting and using their personal information; (ii) keep collected data confidential; and (iii) not divulge, misuse, alter or sell such information or provide such information to other parties illegally. The Consumer Protection Law includes similar requirements around the processing of personal data. In the credit reference sector, the written consent of a data subject is required if a third party asks a credit reference agency for that data subject’s personal data.

The Personal Data Protection Guidelines include guidance on how organisations should process personal data. For example, the Personal Data Protection Guidelines state that the express or tacit consent of a data subject must be obtained before processing personal data. When collecting general personal data, a data subject’s tacit consent can be deemed to be given. However, an organisation must cease collecting general personal data, or delete personal data already collected, if the data subject has explicitly rejected such collection. Before collecting personal data, an organisation must clearly inform the data subject about the purpose and method of collection, as well as the measures that the organisation will take to protect the personal data and the complaints channels open to the data subject to deal with issues relating to the organisation’s use of the personal data. In addition, an organisation may not generally disclose personal data to any individual, organisation or institution if that disclosure is not relevant to the purpose of collection or is made without the data subject’s consent.

Are there any formalities to obtain consent to process personal data?

There are no uniform formalities in the Personal Data Protection Regulations. However, the Personal Data Protection Regulations relating to the credit reference sector stipulate that consent of a data subject must be in writing. The Personal Data Protection Regulations relating to the banking sector provide that the consent of a data subject must be obtained in writing if a financial institution provides the personal data of that data subject to a third party.

There are no explicit formalities for obtaining consent in the Personal Data Protection Guidelines.

Are there any special rules when processing personal data about children?

There are no specific rules regulating the processing of personal data about children. There are, however, special rules protecting the criminal records of juveniles under the age of 18 (see below).

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

The Personal Data Protection Regulations generally do not explicitly distinguish between personal data and the sensitive personal data.

The Personal Data Protection Guidelines define sensitive personal data as information the disclosure or modification of which may have a negative effect on the data subject. Sensitive personal data may include ID numbers, mobile phone numbers, racial or ethnic origin, political opinions, religious beliefs, genes and fingerprints. This is broader than the categories usually treated as sensitive personal data in data protection regimes elsewhere, since it extends to identifiers such as ID and mobile phone numbers.

Are there additional rules for processing sensitive personal data?

Generally, there are no additional rules in the Personal Data Protection Regulations. However, the regulations relating to the credit reference sector prohibit credit reference agencies from collecting certain information, such as information about religious beliefs, genes, fingerprints, blood types or medical histories of any individuals.

The Personal Data Protection Guidelines state that the express consent of the data subject should be obtained when processing sensitive personal data. In addition, organisations should refrain from directly collecting sensitive personal data from persons with limited or no capacity for civil conduct. When collecting sensitive personal data of such a person, the express consent of that person’s legal guardian should be obtained.

The Personal Data Protection Guidelines state that when the purpose of processing sensitive personal data has been achieved, the express consent of the data subject is required to be obtained if such sensitive personal data will be further processed.

Are there additional rules for processing information about criminal offences?

There are no specific rules regulating the processing of information about criminal offences.

However, special rules apply to the criminal records of juveniles who were under 18 years old when they committed a criminal offence and who were sentenced to imprisonment of five years or less or received a lighter penalty. Such records must be kept strictly confidential and may not be provided to any entity or individual unless such provision is required by applicable law.

In addition, any individual who has received a criminal penalty must actively report that penalty when enlisting in the military or taking up employment. Juveniles under 18 years old who commit a criminal offence and are sentenced to imprisonment of five years or less, or receive a lighter penalty, are exempt from this reporting obligation.

Are there any formalities to obtain consent to process sensitive personal data?

There are no uniform formalities in the Personal Data Protection Regulations. However, the Personal Data Protection Regulations relating to the credit reference sector stipulate that consent of a data subject must be in writing. The Personal Data Protection Regulations relating to the banking sector provide that the consent of a data subject must be obtained in writing if a financial institution provides the personal data of that data subject to a third party.

There are no explicit formalities for obtaining consent in the Personal Data Protection Guidelines. However, it is advisable to obtain consent in writing and preferably in hard copy.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

The Personal Data Protection Regulations do not require the appointment of an officer in charge of data protection specifically. That said, the Cybersecurity Law requires network operators to appoint a cybersecurity officer whose duties would include protecting the security of personal data.

What are the duties of a data protection officer?

Although the Cybersecurity Law does not provide for specific duties of the cybersecurity officer, it is expected that the duties of a cybersecurity officer would include protecting the security of personal data.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

The Cybersecurity Law provides a general obligation on network operators to formulate internal security management systems and operating procedures. In addition, CII operators are required to provide regular cybersecurity education sessions, technical training and carry out regular skills assessments on relevant staff. There is, however, no specific accountability obligation in respect of data protection only.

Are privacy impact assessments mandatory?

Under the Cybersecurity Law, a CII operator must conduct a security assessment before transferring overseas any personal data or important data collected or generated during its operations in China. In addition, a CII operator must conduct an examination and assessment of its cybersecurity systems and related risks (not just in respect of data protection) at least once each year. The results of this assessment must be submitted to the relevant regulators.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

There are no uniform rules about providing privacy notices to data subjects in the Personal Data Protection Regulations. However, in the banking sector, informed consent must be obtained from a data subject before his or her personal data is provided to a processor. Telecommunications and Internet service providers, when collecting personal data, must clearly state the purpose, means and scope of their data collection to data subjects at the time of collection and cannot collect unnecessary personal data or use the personal data for a purpose other than the stated purpose. The Consumer Protection Law imposes similar requirements that businesses must provide consumers with information about the purpose, means and scope of their data collection.

The Personal Data Protection Guidelines provide more detailed guidance on privacy notices.

Rights to access information

There are no uniform rules about access to personal data in the Personal Data Protection Regulations. However, in the credit reference sector, a data subject is entitled to ask a credit reference agency to provide his or her own personal data, and has a right to acquire his or her own credit report from the credit reference agency for free twice a year.

Under the Personal Data Protection Guidelines, a data subject should be able to access their personal data. Generally, the administrator of personal data must inform the data subject regarding whether it possesses his or her personal data, the contents of the personal data and the status of its processing.

Rights to data portability

There is no specific data portability right under Chinese law.

Right to be forgotten

Under the Digital Data Protection Rule and certain of the Personal Data Protection Regulations relating to internet service providers, a data subject may request the person or institution in charge of the processing to rectify, block or delete personal data.

Under the Cybersecurity Law, a data subject may request a network operator to delete his or her personal data where it is collected or used in violation of law, regulation or agreements with him or her.

In addition, under the Chinese Tort Liability Law, where an internet user engages in tortious conduct through internet services, the affected data subject has the right to notify the internet service provider to take necessary measures such as deleting the content, blocking access to it or breaking links to it. Where the internet service provider fails to take necessary measures in a timely manner after being notified, it is jointly and severally liable with the internet user for the additional harm suffered by the data subject as a result of that delay.

The Personal Data Protection Guidelines grant similar rights to data subjects.

Objection to direct marketing and profiling

There are no uniform rules about direct marketing. However, under the Personal Data Protection Regulations applying to the telecoms and Internet sectors, personal data may only be used for the purposes of direct marketing of goods or services with the consent of the data subject. Under the Personal Data Protection Regulations relating to the banking sector, a banking financial institution may not use personal data for marketing purposes other than for those marketing purposes for which the data was collected. The Consumer Protection Law similarly prohibits businesses from sending commercial information to consumers without their consent.

Other rights

None.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

There are general obligations under the Digital Data Protection Rule to maintain digital personal data securely and to take remedial measures immediately in the event that the digital personal data has been or is likely to be divulged, damaged or lost. Likewise, under the Cybersecurity Law, network operators are required to establish a user information protection system and adopt measures to prevent the leak, destruction or loss of collected personal data.

Some sector-specific regulations (particularly in the credit reference, banking, telecoms and Internet sectors) impose general obligations to maintain personal data securely.  

The Personal Data Protection Guidelines state that organisations should have in place necessary and sufficient administrative and technical measures to ensure the safety of personal data.

Specific rules governing processing by third party agents (processors)

There are no uniform rules about processing of personal data by processors. However, the Personal Data Protection Regulations relating to the banking sector require banks and financial institutions to properly evaluate their outsourced service providers and ensure that such providers adequately protect personal data that may be disclosed to them.

Notice of breach laws

There are no uniform rules requiring entities to notify any particular agency or person of a breach of privacy. However, the Cybersecurity Law requires network operators to promptly notify affected users and report to the relevant authorities where a leak, destruction or loss of personal data in digital form occurs or may occur.

In the banking sector, where divulgence of any personal financial data occurs in breach of the banking regulations, the banking financial institution must promptly inform the People’s Bank of China.

Telecoms companies and Internet service providers must notify the MIIT of any actual or potential divulgence or loss of or damage to personal data.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

There are no uniform rules about cross-border transfers of personal data in the Personal Data Protection Regulations. However, the Personal Data Protection Regulations that relate to the banking sector stipulate that personal financial information collected within China must be processed inside China. Offshore entities may not be provided with such information unless explicitly permitted by another law or regulation. The Personal Data Protection Regulations relating to the credit reference sector impose similar restrictions.

In addition, the Cybersecurity Law requires that personal data and important data collected or generated by a CII operator during its operation within China must be stored in China. Any such data that a CII operator needs to provide overseas must undergo a prior security assessment. The Draft Cross-Border Data Transfer Guidance and the draft Measures for the Cross-Border Transfer Security Assessment of Personal Data and Important Data (the “Draft Cross-Border Data Transfer Measures”) also provide further guidance on how the security assessment is to be carried out. Whether the relevant data may be transferred overseas would depend on the results of such security assessment. It, however, remains to be seen whether such measures and guidance will be implemented in the current draft forms.

Under the Personal Data Protection Guidelines, the administrator of personal data can transfer personal data to individuals, organisations or institutions outside of China only if: (i) it obtains the express consent from the data subject or competent authority; or (ii) any law or regulation allows it to do so.

Notification and approval of national regulator (including notification of use of Model Contracts)

There are no uniform rules requiring that cross-border transfers of personal data are notified to or approved by any regulator.

However, the Draft Cross-Border Data Transfer Measures and the Draft Cross-Border Data Transfer Guidance provide that, under certain circumstances, the required security assessments may need to be organised by the relevant industry regulator. As mentioned above, whether the relevant data may be transferred overseas would depend on the results of the security assessment, which means that to the extent the security assessment is required to be organised by the relevant industry regulator, such security assessment may in fact involve a review and approval process. It, however, remains to be seen whether such measures and guidance will be implemented in the current draft forms.

Use of binding corporate rules

There are no rules relating to the use of binding corporate rules.

_____________________________________________________________________

Enforcement

Fines

Sanctions for contravention of the Personal Data Protection Regulations will depend on the Personal Data Protection Regulation that has been contravened and the nature of that contravention. Sanctions may include fines, which are generally up to RMB 30,000, although certain regulations apply higher penalties. For instance, sanctions for non-compliance with the personal data protection requirements under the Cybersecurity Law include fines of up to RMB 100,000 for directly responsible personnel and, for the entity itself, fines of up to ten times the profits arising from the violation or, where no profit arose from the violation, up to RMB 1,000,000.

Imprisonment

Under the Chinese Criminal Law, any individual may be imprisoned for up to seven years for: (i) illegally selling or providing to others personal data; or (ii) stealing or otherwise illegally accessing personal data, if in either case the relevant circumstances are severe.

Compensation

Under the Information Networks Provisions, it is an infringement for internet users or internet service providers to publish personal information on the internet, unless the publishing falls within an exception in the Provisions (e.g. the information is made public upon the written consent of the data subject and within the agreed scope).

Data subjects have a right to claim compensation for damages if a data collector infringes their civil rights, which under Chinese law include a right of privacy. Under the Information Networks Provisions, if the property losses incurred by the data subject or the benefits obtained by the infringing person cannot be determined, the people’s court may set a compensation amount of up to RMB 500,000 according to the circumstances of the case. In practice, however, we are aware of only rare cases in which a data subject has received such compensation.

Other powers

Sanctions for contravention of the Personal Data Protection Regulations will depend on the Personal Data Protection Regulation that has been contravened and the nature of that contravention.  Sanctions may include administrative sanctions, such as a warning, fines, confiscation of profit arising from the violation, suspension or revocation of operating licences and website shutdown.

Practice

The number of administrative and criminal cases relating to the violation of the Personal Data Protection Regulations has increased in recent years. There have been some cases of individuals being imprisoned for selling personal data in violation of the Chinese Criminal Law provision outlined above.

There have been several reports of increased enforcement activity since 2013, and the Supreme People’s Court and the Supreme People’s Procuratorate have published several typical criminal cases concerning infringement of personal data. Most of these reports and cases relate to alleged criminal misuse and unauthorised disclosure of large amounts of personal data for financial gain by individual employees of companies, government authorities and e-commerce operators, rather than to action taken against companies for data protection or security breaches.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

The principal regulation on ePrivacy is the Resolution of the Standing Committee of the National People’s Congress relating to Strengthening the Protection of Information on the Internet which was issued at the end of 2012. This is the first general law relating to ePrivacy. Some of the other Personal Data Protection Regulations issued by China’s other competent regulatory authorities (such as the MIIT) also include provisions that relate to electronic privacy, for example, the Measures for the Administration of Internet E-mail Services (promulgated in early 2006) include rules relating to marketing by e-mail as does the Consumer Protection Law (collectively, the “Electronic Privacy Regulations”).

_____________________________________________________________________

Cookies

Conditions for use of cookies

There are no specific requirements or conditions relating to the use of cookies under the Electronic Privacy Regulations.

Regulatory guidance on the use of cookies

None.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

The Electronic Privacy Regulations stipulate that no individual or institution may send commercial electronic information by e-mail: (i) without first obtaining the consent of the receiver or a request from the receiver; (ii) if the receiver has explicitly refused to receive such information; or (iii) without including in the subject heading of the e-mail the word “advertisement” or “AD” (or the equivalent in Chinese as prescribed by the regulations). Furthermore, when sending commercial advertisements by e-mail, a sender must provide recipients with its contact information so that recipients are able to ‘opt out’ or ‘unsubscribe’. The Electronic Privacy Regulations do not provide for any formalities that senders must follow when soliciting consent.

Other Personal Data Protection Regulations include provisions relating to direct marketing irrespective of the means of communication used. For example, under the Personal Data Protection Regulations relating to the banking sector, a banking financial institution may not use personal data for marketing purposes other than for those marketing purposes for which the data was collected.

Conditions for direct marketing by e-mail to corporate subscribers

The Electronic Privacy Regulations, in respect of direct marketing, only apply to individuals and not corporate subscribers.

Exemptions and other issues

It is illegal to send advertising text messages to mobile phones prior to obtaining a licence from the MIIT. Otherwise the Electronic Privacy Regulations do not include any more detailed rules except for the general requirements set out above.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

The Electronic Privacy Regulations stipulate that no individual or institution may send commercial electronic information through fixed-line telephones or mobile phones: (i) without first obtaining the consent of the receiver or a request from the receiver; or (ii) if the receiver has explicitly refused to receive such information. However, the Electronic Privacy Regulations do not provide for any formalities that senders must follow when soliciting consent, or that receivers must follow to ‘opt out’ or ‘unsubscribe’. In addition, it is illegal to send advertising text messages to mobile phones without first obtaining a licence from the MIIT.

Other Personal Data Protection Regulations include provisions relating to direct marketing irrespective of the means of communication used. For example, under the Personal Data Protection Regulations relating to the banking sector, a banking financial institution may not use personal data for marketing purposes other than for those marketing purposes for which the data was collected.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

The Electronic Privacy Regulations, in respect of direct marketing, only apply to individuals and not corporate subscribers.

Exemptions and other issues

The Electronic Privacy Regulations do not include any more detailed rules except for the general requirements set out above.

_____________________________________________________________________