Jurisdiction snapshot
Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?
China does not have a comprehensive national law that specifically addresses the collection, storage, transmission and use of personal information. Rather, a piecemeal approach to data protection is taken, with provisions found in the Constitution, telecommunications regulations, criminal law, tort law, consumer rights law and elsewhere. China has not signed any treaties with the European Union or any other sovereignty on data protection, and is not a member of the Cross-border Privacy Enforcement Arrangement or the Asia-Pacific Privacy Authorities.
Are any changes to existing data protection legislation proposed or expected in the near future?
A draft Privacy Law was prepared and circulated in 2003. The draft law was added to the five-year legislative plan in 2009. However, there are no indications that the draft law will be enacted in the immediate future.
China has recently taken significant steps to develop its data protection law. For example, the draft Cybersecurity Law was released last year for public comment and is expected to be passed in the near future.
Legal framework
Legislation
What legislation governs the collection, storage and use of personal data?
The various laws, regulations and guidelines that address the protection of personal information include:
- the draft Cybersecurity Law;
- the Decision on Strengthening Protection of Network Information;
- the Law on the Protection of Consumer Rights and Interests;
- the Measures for the Administration of Online Transactions;
- the Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems – these are voluntary, non-binding standards jointly issued by the General Administration of Quality Supervision, Inspection and Quarantine and the Standardisation Administration in 2012 to provide guidance on enforcement actions and litigation for the protection of personal information;
- the Provisions on Protecting the Personal Information of Telecommunications and Internet Users;
- Several Provisions on Regulating the Market Order of Internet Information;
- the Medical Records Administration Measures of Medical Institutions;
- the Measures for Administration of Population Health Information;
- the Measures for the Administration of Internet Email Services;
- the Standards for the Assessment of Internet Enterprises' Protection of Personal Information, which are not binding; and
- the Administrative Provisions on Short Message Services.
Scope and jurisdiction
Who falls within the scope of the legislation?
Any entity (other than a government authority) that collects, stores, uses and processes personal information within the territory of China is subject to the legislation.
What kind of data falls within the scope of the legislation?
There is no consistent definition of ‘personal information’ under the legislation.
The Provisions on Protecting the Personal Information of Telecommunications and Internet Users stipulate that ‘personal information’ is data collected by telecommunication business operators and internet information service providers in the course of their activities that can be used – either individually or in combination with other data – to identify a user. Examples include a user’s name, date of birth, identification number, address, telephone number, service identification and password, and tracking information on when and where the user uses the services.
The Notice of the Supreme People’s Court, the Supreme People’s Procuratorate and the Ministry of Public Security on Legally Punishing Criminal Activities Infringing upon the Personal Information of Citizens provides that ‘personal information’ includes the name, age, identification number, marital status, location of work, educational background, curriculum vitae, home address, phone number and other information or data that can be used to identify an individual.
Key definitions under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems include the following:
- ‘Personal information’ is computer data that:
  - can be processed using information systems;
  - relates to a specific natural person; and
  - can be used – either independently or in combination with other data – to identify a specific natural person.
- Personal information can be classified as sensitive personal information or general personal information.
- ‘Sensitive personal information’ is personal information that could have an adverse effect on the data subject if it were leaked or modified. What constitutes sensitive personal information in different industries shall be determined according to the consent of the data subjects who receive the services and the nature of the various industries. For example, sensitive personal information may include identification numbers, mobile phone numbers, racial/ethnic origin, political opinions, religious beliefs, genes, fingerprints and so on.
- ‘General personal information’ refers to any personal information other than sensitive personal information.
Are data owners required to register with the relevant authority before processing data?
No.
Is information regarding registered data owners publicly available?
Not applicable.
Is there a requirement to appoint a data protection officer?
No. However, under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems, internet companies must appoint a data protection officer.
Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?
China has no single authority responsible for enforcing provisions relating to the protection of personal information.
The Ministry of Industry and Information Technology and the telecommunication administrations at the provincial level are responsible for the supervision and administration of personal information of telecommunication and internet users, pursuant to the Internet Information Service Provisions.
The State Administration for Industry and Commerce and its local counterparts are responsible for the supervision and administration of personal information of consumers, pursuant to the Provisions on Regulating the Market Order of Internet Information Services.
Pursuant to the draft Cybersecurity Law, the national cyberspace administrations are responsible for the planning and coordination of cybersecurity and relevant supervisory and administrative work; while the Ministry of Industry and Information Technology, the public security department and other relevant departments are responsible for the supervision and administration of cybersecurity protection.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Personal information can be collected only for a lawful purpose that directly relates to a function or activity of the data user. The personal information collected must be no more than is necessary for that purpose (or a directly related purpose) – that is, it must not be excessive.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Data users should not retain personal information for longer than is necessary to fulfil the original purpose (or a directly related purpose) of collection, unless deletion of the personal information is prohibited by law.
No specific retention period is specified under Chinese law. To determine the appropriate maximum retention period, a data controller will need to assess each type of personal information that it collects and the purposes of the collection on a case-by-case basis. However, personal information must be deleted upon the expiry of the retention period of which the data subjects were notified when their personal information was collected.
Do individuals have a right to access personal information about them that is held by an organisation?
Telecommunications business operators and internet service providers must provide ways for users to inquire about or correct their personal information. Individuals have the right to request access to personal information held by an organisation, pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems.
Do individuals have a right to request deletion of their data?
Not under the existing legislation; although the Provisions on Protecting the Personal Information of Telecommunications and Internet Users do require that telecommunications operators and internet service providers stop the collection and use of users’ personal information. However, individuals have the right to request deletion of their personal information pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems and the draft Cybersecurity Law.
Consent obligations
Is consent required before processing personal data?
Consent is required for the collection and use of an individual’s personal information pursuant to the Decision on Strengthening Protection of Network Information, the Law on the Protection of Consumer Rights and Interests and the Provisions on Protecting the Personal Information of Telecommunications and Internet Users. However, there are no detailed requirements under current law on the specific form or content of the consent (ie, whether it can be implied or inferred).
Prior express consent is required if the personal information will be used or transferred for direct marketing purposes pursuant to the Decision on Strengthening Protection of Network Information, the Law on the Protection of Consumer Rights and Interests and the Measures for the Administration of Online Transactions.
If the personal information will be used for any other purpose, express consent is also required where the personal information will be used or transferred in a manner that is not covered by the original purpose and scope of collection, unless one of the exemptions applies, pursuant to the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems.
If consent is not provided, are there other circumstances in which data processing is permitted?
Under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems, even if consent is not provided, personal data can still be processed and used for:
- purposes specified under certain laws and regulations, such as maintenance of public security;
- the purposes of academic research or social public interest;
- the enforcement of administrative authorities according to law; and
- the enforcement of judicial authorities according to decisions and judgments.
What information must be provided to individuals when personal data is collected?
Under the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, telecommunications operators and internet service providers must provide the following information when they collect personal information:
- the purpose, method and scope of the information to be collected or used;
- the ways in which users can inquire about and correct information; and
- the consequences of failure to provide the information.
Under the non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems, a data subject must be explicitly informed, prior to the collection of his or her personal information, of:
- the purposes for which the personal information is being collected, used and processed;
- the method and the scope of collection, use and processing;
- the period for which the personal information will be retained;
- the personal information protection measures in place;
- relevant information regarding the data controller, such as its name, address and contact information;
- any risks relating to the disclosure of personal information;
- the consequences of failure to provide personal information;
- the channels for checking and correcting personal information and filing a complaint; and
- information relating to the transfer of personal information (eg, purpose, method and scope of transfer, the scope of use by data recipients, contact information of data recipients).
Data security and breach notification
Security obligations
Are there specific security obligations that must be complied with?
Data controllers must take all practicable steps to ensure that the personal information they hold is protected against disclosure, tampering, damage or loss. Should any of these occur, or should there be a risk of them occurring, remedial measures must be taken immediately.
Article 13 of the Provisions on Protecting the Personal Information of Telecommunications and Internet Users imposes the following security requirements on telecommunications operators and internet service providers:
- Specify the responsibilities of each department, post and branch in terms of managing the security of personal information;
- Establish the authority of different staff members and agents, review the export, duplication and destruction of information, and take measures to prevent the leak of confidential information;
- Properly retain the carriers that record users’ personal information, such as hard-copy media, optical media and magnetic media, and take appropriate secure storage measures;
- Conduct access inspections of the information systems that store users’ personal information, and put in place intrusion prevention, anti-virus and other measures;
- Record operations performed with users’ personal information, including the staff members who perform such operations, the time and place of such operations and the matters involved;
- Undertake communications network security protection work as required by the relevant telecommunications authority; and
- Take other necessary measures as prescribed by the relevant telecommunications authority.
The Provisions on Protecting the Personal Information of Telecommunications and Internet Users also require that telecommunications operators and internet service providers provide staff members with training in the relevant skills and responsibilities relating to the protection of personal information. They must also conduct at least one self-audit of their data protection measures, record the results and promptly eliminate any security risks discovered during the audit.
Breach notification
Are data owners/processors required to notify individuals in the event of a breach?
There are no national-level requirements regarding notification of breaches. However, under certain local consumer protection regulations, such as those in Shanghai, security breaches must be reported to the data subjects.
The draft Cybersecurity Law provides that in case of disclosure or loss of, or damage to, information, remedial measures must be taken immediately, users who might be affected must be informed and reports must be submitted to the competent departments in accordance with the regulations.
Are data owners/processors required to notify the regulator in the event of a breach?
In the telecommunications and internet sector, if personal information is disclosed or may potentially be disclosed, service providers must take remedial measures immediately. If the incident has or may have serious consequences, the service provider must report it immediately to the relevant telecommunications administrations and cooperate in the investigation carried out by the telecommunications administrations pursuant to the Provisions on Protecting the Personal Information of Telecommunications and Internet Users.
Electronic marketing and internet use
Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?
Under the Decision on Strengthening Protection of Network Information and the Law on the Protection of Consumer Rights and Interests, commercial information cannot be sent to consumers:
- unless the consumer has requested the information;
- unless the consumer has consented to receive the information; or
- if the consumer has expressly refused to receive the information.
Under the Measures for the Administration of Internet Email Services, where an email recipient has clearly consented to receive emails containing commercial advertisements, but later withdraws this consent, the sender must stop sending such emails unless otherwise agreed by both parties. When sending emails containing commercial advertisements, the sender must provide its contact information, including its email address, and a guarantee that this contact information will remain valid for 30 days.
Under the Administrative Provisions on Short Message Services, SMS providers and short message content providers must not send commercial messages to users without their consent or request, and must explain the type and frequency of the commercial messages that will be sent. A user’s failure to respond will be regarded as a refusal of consent.
Cookies
Are there rules governing the use of cookies?
To the extent that cookies amount to personal information, they will be governed by Chinese law. Otherwise there is no legislation that specifically governs cookies.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
No overarching regulation governs cross-border transfers of personal information, except in specific sectors such as finance, healthcare and telecommunications.
Article 35 of the second draft Cybersecurity Law provides that “operators of critical information infrastructure must store personal information and important transaction data collected and generated exclusively within the territory of mainland China. If, for legitimate business reasons, the data must be provided to a foreign organization or person outside China, the entity must complete a security evaluation jointly formulated by the National Cyberspace Administration and State Council”. ‘Critical information infrastructure’ includes public communications, broadcasting and television transmission services, energy, transportation, water conservancy, finance, electricity, water and gas supply, medical treatment and healthcare, social security, and computer networks and systems with a large number of users. The details of the security evaluation are not specified.
The non-binding Provisions on Protecting the Personal Information of Telecommunications and Internet Users allow for the cross-border transfer of personal information if the data subjects have expressly consented or if the transfer has been approved by the administration authorities or by national laws and regulations.
Are there restrictions on the geographic transfer of data?
Not other than in the cross-border context.
Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
Consent must be obtained from the data subjects where their personal information will be processed by a third party.
The non-binding Information Security Technology Guidelines in Personal Information Protection within Public and Commercial Services Information Systems set out the following requirements where personal information will be transferred to a third party:
- The personal data must be transferred for and to the extent of the purposes notified to the data subjects when their personal information was collected.
- Before personal information is transferred to third parties, the data controller must evaluate whether such third parties are capable of processing the information in accordance with the guidelines, and the liability of such third parties in relation to the protection of the personal information must be determined and specified by contract.
- The data controller must ensure that the personal information will not be accessed by any entity other than the recipient in the course of the transfer.
- The data controller must ensure that the personal information remains complete, available and up to date in the course of transfer.
Personal information may not be transferred to overseas recipients, including any individual overseas or any organisation or institution registered overseas, unless the data subject has expressly consented, the transfer is explicitly required by law or the competent department has issued its approval.
Penalties and compensation
Penalties
What are the potential penalties for non-compliance with data protection provisions?
Under the Law on the Protection of Consumer Rights and Interests, a company shall incur civil liabilities if it:
- collects or uses consumers’ personal information without consent;
- discloses, sells or illegally provides others with consumers’ personal information; or
- sends commercial information to consumers without their consent or request, or after the consumer has expressly refused consent.
Additionally, the administrations of industry and commerce and their local counterparts may issue a corrective order or warning, confiscate illegal gains and/or impose a fine of between one and 10 times the value of the illegal gains, or up to Rmb500,000 where no illegal gains were made. If the circumstances are severe, the company may be suspended from operations or have its licence revoked.
Violations of the Provisions on Protecting the Personal Information of Telecommunications and Internet Users and the Provisions on Regulating the Market Order of Internet Information Services are subject to corrective orders, warnings, fines of between Rmb10,000 and Rmb30,000 and criminal liabilities.
Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Under civil law and tort law, individuals are expressly entitled to seek compensation for any damage arising from privacy infringements.
Cybersecurity
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
The Criminal Law covers cybercrime, while the draft Cybersecurity Law covers cybersecurity.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
The other statutes that should be considered in this regard are:
- the National Security Law, issued on July 1 2015; and
- the Counter-terrorism Law, issued on December 27 2015.
Which cyber activities are criminalised in your jurisdiction?
Cybercrime is covered under the Criminal Law and includes the following offences:
- illegally accessing computer systems (Article 285);
- illegally accessing or controlling data held on computer systems (Article 285);
- providing programs and tools to access or illegally control computer systems (Article 285);
- destroying computer systems (Article 286); and
- committing financial crimes using a computer (Article 287).
Which authorities are responsible for enforcing cybersecurity rules?
Pursuant to the draft Cybersecurity Law, the national cyberspace administrations are responsible for the overall planning and coordination of cybersecurity work and relevant supervisory and administrative work; while the Ministry of Industry and Information Technology, the Public Security Department and other relevant departments are responsible for the supervision and administration of cybersecurity protection.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Yes, although this is not yet as common as in the United States and the European Union.
Are companies required to keep records of cybercrime threats, attacks and breaches?
No overarching statute requires that such records be kept.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
Pursuant to the draft Cybersecurity Law, upon the occurrence of a cybersecurity incident, network operators must immediately initiate contingency plans, take remedial measures and report to the relevant departments.
Are companies required to report cybercrime threats, attacks and breaches publicly?
No overarching statute imposes any reporting requirements.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
Depending on the cybercrime, the relevant offence may incur a penalty of life imprisonment and/or a maximum fine of Rmb500,000 (Articles 285, 286 and 287 of the Criminal Law).
What penalties may be imposed for failure to comply with cybersecurity regulations?
Pursuant to the draft Cybersecurity Law, non-compliance may incur penalties such as warnings, corrective orders, fines of up to Rmb1 million and (in worst-case scenarios) withdrawal of a licence.