China does not have an omnibus data protection law as such. In 2005, some legal scholars published a discussion draft for a PRC data protection law, which was reportedly the basis for a State Council draft. However, to date, the State Council has not published that draft. In fact, a data protection law is not included in the 12th National People's Congress (NPC) legislative plan, which covers the period 2013–2018.
Despite the lack of a unified law, China currently has a system of legal rules in place for the protection of personal information, albeit a complicated one. In 2012, the Standing Committee of the NPC issued the Decision on Strengthening Internet Information Protection (the NPC Decision), which requires enterprises, and in particular internet service providers, to protect the personal electronic information of Chinese citizens in accordance with several general principles. Following the NPC Decision, a sector-specific legal regime for personal information has gradually formed in China, with various departments of the State Council, such as the Ministry of Industry and Information Technology (MIIT), the State Administration for Industry and Commerce (SAIC), the National Health and Family Planning Commission (NHFPC) and the People's Bank of China (PBOC), each issuing personal information protection rules under their own administrative authority over the past few years; in some circumstances these rules overlap. In the absence of a unified legal definition, 'personal information' is defined separately under many industry-specific rules and generally refers to information relating to an individual that, alone or in combination with other information, can be used to identify that individual. All these regulations and rules set out a number of general principles for processing personal information (e.g., the collection of personal information should follow the principles of legitimacy, appropriateness and necessity, and should be subject to the relevant individual's consent).
The issuance, on 7 November 2016, of the Cybersecurity Law of the PRC (CSL) is also considered a milestone. The CSL, which became effective from 1 June 2017, includes provisions relating to both cybersecurity protection obligations and data privacy obligations.
If an individual's right to privacy is infringed, the individual may bring a civil lawsuit against the injuring party to seek redress under the Tort Liability Law. Further, sale of personal information or illegal acquisition of personal information may constitute a criminal offence.
In brief, the abuse of personal information remains a serious reality, and people living in China still suffer unsolicited calls, emails and text messages. Nevertheless, the attitude and rules of the governmental authorities, the practices of companies, the understanding of the courts and, more importantly, public awareness are all changing quickly and sometimes dramatically in this information era, on a scale that no other nation has previously experienced.
II THE YEAR IN REVIEW
More national standards relating to cybersecurity protection in various industrial and niche areas are being released for public comment, while many of the drafts previously issued for public comment by regulators remain pending in 2018. These include the Measures on Security Assessment of the Cross-Border Transfer of Personal Information and Important Data and the Regulations on Security Protection of Critical Information Infrastructures, both of which have attracted wide attention from the market. Meanwhile, government agencies have become more active in enforcing the CSL and the regulations already in effect, especially in the areas of cybersecurity protection and crimes relating to the illegal sale and acquisition of personal information. Companies have become more alert to compliance in this area, and have gradually started programmes to evaluate, prepare and strengthen internal controls over cybersecurity and personal information protection. The skeleton of the new legal regime in China is gradually being built, though many specific requirements, procedures and details have yet to be filled in and are awaited by the market.
III REGULATORY FRAMEWORK
China's regulatory framework for personal information protection includes laws and regulations in the criminal, civil and administrative areas.
i Privacy and data protection legislation and standards
The CSL provides various security protection obligations for network operators, including, inter alia:
- compliance with the requirements of the tiered (multi-level) cybersecurity protection system (Article 21);
- verification of users' real identity (an obligation for certain network operators) (Article 24);
- formulation of cybersecurity emergency response plans (Article 25); and
- assistance and support to investigative authorities where necessary for the protection of national security and investigation of crimes (Article 28).
The CSL, for the first time under PRC law, clearly imposes a series of heightened security obligations for critical information infrastructure operators (CIIOs), including:
- internal security management organisation, training, data backup and emergency response requirements (Article 34);
- procurement of network products and services that may affect national security must pass the national security review conducted by the relevant authorities (Article 35);
- personal information and important data collected and generated in the course of operations within the PRC must, in principle, be stored within PRC territory (Article 37); and
- annual assessments of cybersecurity risks, with the results and improvement measures reported to the relevant authorities (Article 38).
As regards personal information, the CSL reiterates the obligations of network operators that already appear across existing laws and regulations, including the mandate to observe the principles of lawfulness, necessity and appropriateness in the collection and use of personal information and to observe the 'inform-and-consent' requirements (Article 41), to use personal information only for the purposes agreed with the relevant individual (Article 41), to adopt security protection measures for personal information (Article 42), and to protect the individual's right to access and correct personal information (Article 43). In addition, the CSL introduces some new rules on personal information protection, including data breach notification requirements, under which a network operator must promptly inform affected users and report to the competent authorities where personal information is or may be leaked, damaged or lost (Article 42); anonymisation as an exception to the consent requirement for providing personal information to others, provided the data can no longer identify a specific individual and cannot be restored (Article 42); and the individual's right to request that network operators correct erroneous personal information or delete personal information that has been collected or used in breach of law or of the agreement between the parties (Article 43).
Article 253 of the Criminal Law (as introduced by Amendment VII to the Criminal Law) applies where any individual (including staff of governmental authorities and of companies in sectors such as finance, telecommunications, transportation, education and healthcare) sells or illegally provides personal information obtained in the course of his or her employment, where the circumstances are 'serious'. It also applies where an individual illegally acquires such information by stealing or by any other means, where the circumstances are serious. The legal consequences of such acts include fixed-term imprisonment of up to three years or criminal detention, and fines. Where an entity commits either of these crimes, the entity is subject to a fine, and the individual in charge and other individuals directly responsible for the criminal activity are subject to the punishments listed above.
Amendment IX to the Criminal Law, which became effective from 1 November 2015, amended Article 253 to broaden the scope of personal information-related offences and to increase legal liability: the offence now applies to any person, not only to employees of the listed sectors, and a higher tier of three to seven years' imprisonment applies where the circumstances are 'especially serious'.
The Supreme People's Court and the Supreme People's Procuratorate also promulgated the Interpretation on Issues Concerning the Application of Law in Handling Criminal Cases of Infringing on Citizens' Personal Information, together with related typical cases, effective from 1 June 2017, providing more detail on how Article 253 should be interpreted and applied.
The Tort Liability Law, effective as of 1 July 2010, includes many provisions that specifically or generally relate to the protection of personal data. In particular, Article 2 defines the 'civil rights and interests' protected under the Law, specifically listing 18 types of right, including the right of privacy. This is the first time under PRC law that the right of privacy has been treated as an independent civil right rather than as an aspect of the right of reputation. Under the Tort Liability Law, violation of the right of privacy and of other personal and property rights and interests is expressly a tort, and an injured party can seek redress against the injuring party.
Industry-specific regulations and rules
The NPC Decision, as mentioned above, has set forth a number of important principles for handling personal electronic information. It is also important to note that the Consumer Rights Protection Law, effective as of 15 March 2014, includes and echoes the requirements of the Decision.
Accordingly, various governmental authorities, including the MIIT, the SAIC and the NHFPC, have issued their respective administrative regulations and rules setting out more specific requirements in their own areas and governing a number of different types of personal information. For example:
- users' personal information collected by telecom and internet operators in their business operations;
- operators' and users' personal information collected in the course of e-commerce platforms' business; and
- population health information collected by healthcare organisations and entities.
ii General obligations for data handlers
In brief, data handlers generally have to observe the following principles:
- complying with the principles of lawfulness, fairness and necessity when collecting and using personal information;
- explicitly informing data subjects of the purpose, methods and scope of the collection and use of personal information, and obtaining their consent;
- publishing statements describing the collection and use of data subjects' personal information;
- keeping personal information strictly confidential, and refraining from disclosing, selling or illegally providing such information to others;
- taking the necessary measures to ensure the security of personal information and, in the event of the disclosure or loss of such information, immediately taking remedial measures; and
- refraining from sending commercial messages to an individual without his or her consent or request, or where the individual has expressly refused to receive such messages.
iii Technological innovation and privacy law
Chinese law does not generally prohibit online tracking and behavioural advertising, cloud computing or big data, and the government is actively promoting such technological innovation to facilitate growth in the industry. Nevertheless, many issues still lack clarity under the law, and this legal ambiguity has, in practice, created uncertainty for business operators, particularly where new types of technology or business models are concerned.
In the first civil case in China concerning internet advertising and the online collection and use of personal information, involving the search engine giant Baidu, a Ms Zhu claimed that Baidu's targeted advertising on its partners' websites, based on cookies set when she used the search engine, infringed her right to privacy. Interestingly, the appellate court departed from the court of first instance on three important points: it held that the information collected by Baidu's cookies did not constitute personal information under PRC law; that a network user suffers no cognisable injury from receiving targeted advertisements on websites within Baidu's advertising alliance; and that the notice and consent mechanism provided on Baidu's search engine website was lawful and sufficient. Although PRC court judgments do not have binding precedential effect, the judgment provides important guidance and may influence similar cases in the future.
Cloud computing has posed new challenges to the law, in particular because it is not fully transparent where and how information is stored and processed in 'the cloud', or how the security of information stored in the cloud and its protection against hacker attacks can be assured. As noted in the Opinions on Promoting the Innovative Development of Cloud Computing and Fostering a New Sector of the Information Industry issued by the State Council, China faces various issues with respect to cloud computing alongside its development opportunities, including a lack of service capacity and core technology, insufficient sharing of information resources and high levels of information security risk. In the Opinions, the State Council calls for, among other things:
- research into the protection of personal and enterprise information in a cloud computing environment;
- legislation and institutional arrangements for information protection;
- rules on the collection, storage, transfer, deletion and cross-border transfer of information; and
- information security legislation.
iv Specific regulatory areas
Many different specific types of personal information are governed under different sets of laws and administrative rules, and some of these provisions overlap. A few common types of personal information are listed below.
Users' personal information in telecom and internet services
'Users' personal information' in telecom and internet services is defined under the Provisions on the Protection of Personal Information of Telecommunications and Internet Users (the Protection Provisions) of July 2013. The Protection Provisions stipulate several internal measures that telecommunications and internet service providers must take to prevent the leakage, damage or loss of users' personal information. They also provide that the telecommunications authorities should check how telecommunications and internet service providers protect personal information during the annual inspection of their telecommunications licences.
Population health information
'Population health information' is defined under the Administrative Measures for Population Health Information (for Trial Implementation), effective on 5 May 2014, as information generated and collected in the course of service delivery and administration by medical, healthcare and family planning agencies. The collection and handling of population health information is subject to specific rules, and such information is expressly prohibited from being stored outside China.
Personal financial information
Financial institutions, including banks, insurance companies, securities companies and similar organisations, are required to retain client information obtained in the course of their business operations under the Administrative Measures Regarding the Retention by Financial Institutions of Customer Identification Documents and Materials and Transaction Records. Financial institutions in the banking industry are subject to more specific requirements under the Notice on Strengthening the Work Relating to the Protection of Personal Financial Information by Financial Institutions in the Banking Industry issued by the PBOC. 'Personal financial information' is defined there as information obtained, processed and retained by financial institutions during their business operations, or through their access to the PBOC credit information system, payment systems and other systems, and includes:
- personal identification information;
- information pertaining to personal property;
- information pertaining to personal accounts;
- personal credit information;
- information pertaining to personal financial transactions;
- derived information, such as personal consumption habits and investment intentions, that is generated by processing and analysing the raw information and reflects the individual's circumstances; and
- other information obtained and preserved during the course of establishing a business relationship with the relevant individual.
IV INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION
Although at present there are no specific legal requirements for the transfer of personal information within China itself, the cross-border transfer of personal information from China to other jurisdictions is subject to the general privacy requirements under civil law. Where the personal information to be transferred is of a specific nature, explicit requirements under industry-specific regulations and rules also apply.
For example, in the heavily regulated banking industry, the processing of personal information collected by commercial banks is administered by stringent rules. The PBOC especially requires that personal financial information collected in China must be stored, handled and analysed within the territory of China and, unless otherwise stipulated, banks are not allowed to provide domestic personal financial information overseas. Another example is the transfer of employee information, which is very sensitive in practice and requires delicate handling despite the provisions regarding employee information being comparatively simple at present.
In addition to the stipulations under civil law and industry-specific regulations, disclosing information to an offshore entity is strictly prohibited if the information involves PRC state secrets. This issue has become highly sensitive where Chinese subsidiaries of US companies, or of companies listed in the United States, are requested to provide information to the US authorities or to US affiliates in connection with Securities and Exchange Commission investigations, or where foreign companies conducting internal investigations (e.g., for Foreign Corrupt Practices Act purposes) need their Chinese subsidiaries to transfer documents overseas. Under the State Secrets Protection Law (2010) and the Measures for Implementing the State Secrets Protection Law (2014), no documents or materials containing state secrets may be carried, transmitted, posted or transported outside China without the approval of the competent governmental authorities. However, the term 'state secrets' is broadly defined, covering matters such as major decisions on state affairs, national defence and the activities of the armed forces, diplomatic activities and foreign affairs, national economic and social development, science and technology, activities safeguarding national security, and the investigation of criminal offences. The lack of an explicit list or guidelines specifying what information constitutes a state secret, or of procedures for identifying state secrets, has in practice made it extremely difficult to deal with information that might be considered to contain state secrets.
Furthermore, the Information Security Technology Guide for Personal Information Protection within Information Systems for Public and Commercial Services (the Guidelines) was issued on 15 November 2012 and became effective from 1 February 2013. The Guidelines are not statutory law but a non-mandatory national standard. Nevertheless, because many important internet service providers participated in their drafting, the Guidelines are expected to be observed, or at least used as a reference in establishing internal rules, by many industry participants, and some believe they may serve as a basis for future legislation on personal information protection. The Guidelines set out both general principles and specific requirements for the collection, processing, transmission, use and management of personal information in various information systems. In particular, with respect to cross-border transfers, the Guidelines provide that a Chinese administrator of personal information should not transfer personal information to a recipient overseas without the express consent of the data subject, explicit legal or regulatory authorisation, or the approval of the competent industry authority. Although this recommendation is not mandatory, it reflects the attitude of the governmental authorities that participated in issuing the Guidelines, and we expect increasingly strict legal requirements in this regard in the future.
Notably, the Cyberspace Administration of China (CAC) released a draft of the Measures on Security Assessment of the Cross-Border Transfer of Personal Information and Important Data for public comment, and it has yet to be finalised. In addition to the data localisation and security assessment obligations that the CSL imposes on CIIOs, the Draft requires all 'network operators' to carry out security assessments before transferring abroad personal information and important data collected and generated in the course of their operations within China. The Draft regulates cross-border data transfers by way of both self-assessment and assessment by the authorities: network operators must carry out a self-assessment for every cross-border transfer, while transfers meeting certain thresholds must be submitted to the applicable industry regulator or the national cyberspace authority for assessment.
The National Information Security Standardisation Technical Committee (TC 260) released a draft of the Information Security Technology Guidelines for Cross-Border Data Transfer Security Assessment for public comment, and a second draft has since been released. As an important ancillary document to the CSL, these Guidelines put forward detailed recommendations on the process, methods and key points of the data export security assessment. Although they do not have mandatory legal force, they are likely to be adopted and referred to by network operators in various industries when exporting data, since existing laws and regulations provide no detailed guidance. In a data export assessment, an enterprise needs to take into account factors such as the consent of the individuals whose personal data is being exported, the necessity of the export, the security protection measures of both the data exporter and the recipient, and the political and legal environment of the receiving country or region.
V COMPANY POLICIES AND PRACTICES
Following the entry into force of the CSL, companies have started to consider and adopt rules for the collection and processing of personal information obtained both in the course of their business and from their employees, as well as rules governing their cybersecurity protection practices.
Under the CSL, a CIIO must establish a dedicated security management organisation and designate a person responsible for security management, and must carry out security background checks on that person and on personnel in key positions. Network operators more generally are required to designate personnel responsible for cybersecurity protection. Although the CSL does not say so specifically, telecom and internet service providers were already required under the MIIT rules to establish a security officer post, to specify the responsibilities of each department, post and branch for managing the security of users' personal information, and to establish work processes and security management systems for the collection and use of users' personal information and related activities.
VI DISCOVERY AND DISCLOSURE
In practice, discovery and disclosure issues mainly arise in cross-border investigations or litigation. For example, the Chinese subsidiary of a US company may be required to produce documents when the US parent is ordered to produce information under a subpoena, and a Chinese company may be subject to a similar requirement if it is sued in the United States. Complex state secret and personal information issues arise in the discovery and disclosure process, and a PRC lawyer's legal opinion is normally sought to ensure that the process complies with PRC law. Again, because of the lack of explicit rules, the process can be challenging and may involve communication with different Chinese governmental authorities. The cross-border transfer requirements under the CSL also need to be taken into consideration.
VII PUBLIC AND PRIVATE ENFORCEMENT
China does not have a central privacy regulator; many governmental authorities regulate privacy issues within their own delegated areas of authority (normally a specific industry sector), and these areas may overlap. For example, the MIIT is in charge of telecom and internet service providers, the SAIC administers market order, consumer rights protection and advertising, and the PBOC administers personal financial information. Although the SAIC and the PBOC have imposed sanctions in certain localities for the leaking or abuse of personal information, there have been no landmark cases yet. CAC is the designated enforcement authority for the CSL and has already been active since the CSL took effect, opening investigations into practices in this area.
Privacy lawsuits were brought even before the Tort Liability Law became effective; at that time, claims were framed as infringements of the right to reputation. However, there is still no unified interpretation of what constitutes an individual's privacy or of which circumstances amount to an infringement of privacy rights. Although many judgments rendered by local courts have offered views and guidance on this matter, these cases are not binding precedents, and different local courts continue to hold divergent views.
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
Strictly from a legal point of view, the rules for handling personal information apply only to businesses operating within Chinese territory. However, in this high-tech era the boundaries of business blur, and it is often unclear how these rules apply, particularly where cross-border business such as e-commerce is involved. Foreign organisations operating online in the Chinese market and targeting Chinese customers must therefore consider whether they are required to set up a presence in China as a first step and, subsequently, whether they need to follow Chinese data protection rules. The CSL and its ancillary rules, in particular the draft measures and guidelines on cross-border data transfer, will also pose new challenges for foreign organisations with operations in China.
IX CYBERSECURITY AND DATA BREACHES
In April 2014, in response to the various challenges of the new era, President Xi Jinping for the first time set out the 'overall concept of national security'. Thereafter, a series of pieces of national security legislation was put on an accelerated track, including the National Security Law (NSL), the Counter-Terrorism Law (CTL) and the CSL. The NSL, CTL and CSL all include provisions relating to information and technology security, and have drawn wide attention from foreign companies, especially high-tech and internet companies with operations in China.
On 1 July 2015, China's legislature, the NPC Standing Committee, passed the NSL, and it came into effect on the same date. The NSL, for the first time, provides for 'safeguarding the national cyberspace sovereignty', and adds cybersecurity and information security as important parts of national security, in contrast with the former NSL, which focused primarily on counter-espionage. The NSL further requires the state to establish a national security review system to review matters and activities that influence or may influence national security, including those relating to network information technology products and services.
The CTL was enacted at the end of 2015. It is the first counter-terrorism law in China with wide-ranging provisions intended to cover all aspects of counter-terrorism activity. The CTL imposes, inter alia, obligations on telecom and internet enterprises to cooperate with government authorities in investigating terrorist activities, which may have a significant impact on the operations of internet and tech firms in China. For example, under the CTL, telecom and internet service providers are required to provide technical interfaces and technical assistance, including with decryption, to public security and national security authorities engaged in the lawful prevention and investigation of terrorism. However, the CTL still lacks detail on how these requirements will be implemented, which remains to be seen in practice.
As mentioned above, the CSL entered into effect on 1 June 2017 and has become the fundamental law in China for the protection of cybersecurity and personal information.
As elsewhere in the world, threats to cybersecurity in China have come under more intense focus from governmental authorities and from public and private companies. Over the past few years, the volume of legislation on personal information protection and cybersecurity in China has increased, and how these new laws and regulations will be implemented remains to be seen.
The CSL is considered a legislative milestone in this field in China, and is the first PRC law focused specifically on cybersecurity. Since it took effect on 1 June 2017, internet companies and other industries in China have been subject to a wide array of stricter, more comprehensive obligations, and face more severe punishments for violations. As an omnibus law on cybersecurity, many of the CSL's provisions remain very general and abstract, and the detailed requirements for implementation and enforcement depend on subsequent, more specific implementing regulations and on opinions from the relevant authorities. We can expect the regulatory authorities to continue to promulgate a series of implementing regulations clarifying certain requirements under the CSL, such as regulations on the tiered cybersecurity protection system, the specific scope of CII and the protection measures it requires, the protection of minors online, the mandatory security certification and testing requirements for key network equipment and specialised cybersecurity products, and national security reviews of the network products and services procured by CIIOs.
In view of these legislative changes, companies will have to consider whether they need to adjust their business operations and practices and enhance their cybersecurity protections to ensure full compliance with the CSL. Given that the specific details of implementation of the CSL requirements are not yet entirely clear, companies will also have to follow closely any subsequent regulations and opinions released by the relevant governmental authorities. In the year ahead, companies also await new regulations, standards and action by the Chinese regulators, and will watch how the draft regulations and standards are finalised and implemented in practice.
Marissa (Xiao) Dong is a partner at Jun He LLP. Passages of this chapter were originally published in 'Data Protection Considerations for Commercial Arrangements between the EU and China', August 2013, and 'Data Privacy and Security Law Develops Quickly in China', August 2015.